Question
I'm using Spring Security OAuth2 and have currently implemented the client_credentials and password grant types. I noticed a client has both scope and authorities. Can someone please explain what the difference is? To be more specific, I'm using the JDBCTokenStore and the database schema has an oauth_client_details table.
Also, in the oauth_client_details table, I'm not sure what the following fields are used for:
web_server_redirect_url, access_token_validity, refresh_token_validity
Some clarification would be very helpful and appreciated.
Answer 1:
I noticed a client has both scope and authorities
The client only has scope, but we can consider/use it as an authority (role). This is because the OAuth2 spec doesn't explain a specific usage of scope.
Consider this: a user authorizes Twitter to post the user's tweets to Facebook. In this case, Twitter will have a scope write_facebook_status. Although the user has authority to change its own profile, this doesn't mean that Twitter can also change the user's profile. In other words, scopes are the client's authorities/roles, not the user's authorities/roles.
web_server_redirect_url
This will be used by authorization server to redirect the request to its original URL or callback(authorization grant) after successful authorization.
access_token_validity
This is the access_token expiration time in seconds. Set to -1 or 0 for infinite. If you set it to 60, then after 1 minute your access_token will be invalid. You have to either request a new token by doing the authorization process or use the refresh_token.
refresh_token_validity
This is the refresh_token expiration time.
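The distinction above in code, as an added example that is not part of the question or the answer: an in-memory client definition that mirrors one oauth_client_details row (the same fields JdbcClientDetailsService reads, with Spring's reference schema naming the redirect column web_server_redirect_uri), and a resource server that checks the client's scope separately from the user's role. The client id, secret, URLs and role names are constructed values; the code assumes spring-security-oauth2 2.x with the Spring Security 5 {noop} password-encoder prefix.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Authorization server: one client registration, field by field as in oauth_client_details.
@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("twitter-client")                         // client_id (constructed)
            .secret("{noop}change-me")                            // client_secret; drop {noop} on Spring Security 4.x
            .authorizedGrantTypes("client_credentials", "password", "refresh_token")
            .scopes("write_facebook_status")                      // scope: what the client may be granted
            .authorities("ROLE_TRUSTED_CLIENT")                   // authorities: roles of the client itself
            .redirectUris("https://twitter.example/callback")     // web_server_redirect_uri (constructed)
            .accessTokenValiditySeconds(60)                       // access_token_validity: expires after 1 minute
            .refreshTokenValiditySeconds(3600);                   // refresh_token_validity: 1 hour
    }
}

// Resource server: scope and authority are checked with different expressions.
@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Scope belongs to the client: posting a status needs the scope the user consented to.
            .antMatchers(HttpMethod.POST, "/facebook/status")
                .access("#oauth2.hasScope('write_facebook_status')")
            // Role belongs to the authenticated principal: the user under the password grant,
            // or the client's own authorities (ROLE_TRUSTED_CLIENT) under client_credentials,
            // so a token obtained by twitter-client alone is refused here even with the scope.
            .antMatchers(HttpMethod.PUT, "/profile")
                .access("hasRole('USER')")
            .anyRequest().authenticated();
    }
}
```

Each @Configuration class normally lives in its own file; they are shown together here only to keep the example in one block.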
Source: https://stackoverflow.com/questions/32092749/spring-oauth2-scope-vs-authoritiesroles