What is the client_id in OAuth 2.0 password authorization mode?

There is a blog that explains the password mode as follows:

Password mode (resource owner password credentials):
The user gives their user name and password for the authorization server to the third-party client, and the client uses that user name and password to request the token (Access Token) from the authorization server.

The parameters that need to be submitted for Laravel to use password authorization are as follows:

// Guzzle HTTP client (created the same way in the Laravel Passport docs)
$http = new GuzzleHttp\Client;

$response = $http->post("http://your-app.com/oauth/token", [
    "form_params" => [
        "grant_type" => "password",
        "client_id" => "client-id",         // identifies the registered application
        "client_secret" => "client-secret", // proves the application's identity; keep it server-side
        "username" => "taylor@laravel.com", // the resource owner's own credentials
        "password" => "my-password",
        "scope" => "",
    ],
]);

// The token endpoint answers with JSON (access_token, refresh_token, expires_in, ...)
$token = json_decode((string) $response->getBody(), true);

Question:
1. What is the client_id in the code? Does each user have a client_id, or what does it mean?
2. In the conceptual interpretation of password mode, several participants are involved:
(1) user
(2) third-party client
(3) authorization server
(4) client
I am a little confused about who is which of the above four. Please give an example to put each of them in the right seat. Thank you, boss!

May 28, 2021

The client_id is obtained by your application when it is registered with the OAuth2 website.

Take Tencent, for example. Although Tencent may not use password mode, it serves as an example.

If you are website A and need to get the user's account information from Tencent, then you need to register your application with Tencent and get your client_id.
In this way, when authenticating, Tencent's OAuth can distinguish which application the user is authorizing (your website A or someone else's website B).

Website A and website B each have their own client_id; Tencent distinguishes the authorization given by users according to this id.

Of course, to prevent counterfeiting, there will also be a client_secret to confirm that the client_id you are using is indeed owned by your site.

As for the participants that you don't understand, they are explained by the above example.

  • users are users of Tencent. Website A or website B needs the authorization of the user to obtain the information of the user's Tencent account.
  • the third-party client is the mobile APP (web page) of website A or website B.
  • authorization server refers to Tencent
  • client refers to the server of website A or website B

As to why it is divided into third-party client and client, this is mainly for the sake of keeping the secret_id secret. If your secret_id is written directly in the user application, then anyone can use the identity of your website A to get the user's information. So the secret_id can only be saved in the backend.

So it can be understood here that client refers to the server of website A. In the case of Tencent's OAuth authorization, Tencent is the authorization server, and the backend of website A is the authorized client.


That's all for the time being. If I've said something wrong or you still don't understand, please add a comment.

Second question
Take a Mini Game that supports Wechat login as an example:
(1) user: you
(2) third-party client: Mini Game
(3) authorization server: Wechat
(4) client: this is the third-party client, that is, Mini Game

Password mode means that you enter your Wechat account and password into Mini Game; Mini Game then uses them to ask Wechat for a token, and then uses this token to access Wechat's API to get your information or resources (so this method is not recommended, because it gives your Wechat account password to a third party, Mini Game).


The first question
client_id is the id given by Wechat when Mini Game registers with Wechat, indicating the identity of Mini Game; client_secret is the corresponding key.
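As an added illustration (not from the question or either answer above), here is a simplified authorization server handling the password grant, the role Tencent or Wechat plays in both answers: it first checks client_id and client_secret to learn which registered application (website A or website B) is asking and whether it can prove it, then checks the resource owner's username and password that the client forwarded, and only then issues a token bound to that client and user. Client names, secrets and the user record are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data. Two applications (website A, website B) are
# registered with the authorization server; their secrets are stored hashed.
CLIENTS = {
    "client-a": hashlib.sha256(b"secret-a").hexdigest(),
    "client-b": hashlib.sha256(b"secret-b").hexdigest(),
}
# One resource owner, password stored as a PBKDF2 hash (constructed sample).
_SALT = b"constructed-salt"
USERS = {"taylor@laravel.com": hashlib.pbkdf2_hmac("sha256", b"my-password", _SALT, 100_000)}

ISSUED = {}  # access_token -> (client_id, username, scope)

def _client_ok(client_id, client_secret):
    """Client authentication: is this really the app registered under client_id?"""
    stored = CLIENTS.get(client_id)
    if stored is None:
        return False
    given = hashlib.sha256(client_secret.encode()).hexdigest()
    return hmac.compare_digest(stored, given)

def _user_ok(username, password):
    """Resource owner authentication with the password the client forwarded."""
    stored = USERS.get(username)
    if stored is None:
        return False
    given = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, given)

def token_endpoint(form):
    """Handle the form fields the Laravel snippet posts to /oauth/token."""
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    # Step 1: which application is asking, and can it prove it? (client_id + client_secret)
    if not _client_ok(form.get("client_id", ""), form.get("client_secret", "")):
        return {"error": "invalid_client"}
    # Step 2: does the forwarded username/password belong to a real user?
    if not _user_ok(form.get("username", ""), form.get("password", "")):
        return {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)
    ISSUED[token] = (form["client_id"], form["username"], form.get("scope", ""))
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def introspect(token):
    """Look up which client and user a token was issued to (None if unknown)."""
    return ISSUED.get(token)
```

Because the token records the client_id it was issued to, the server can later tell whether website A or website B is presenting it, which is exactly why the secret that proves that identity must never ship inside the user-facing app.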
