OAuth exceptions for 'primary' website/app

会有一股神秘感。 Submitted on 2019-12-24 18:55:02

Question


I've got my head around OAuth and the whole redirect-to-authorize concept.

It makes sense to have third party applications do this, however what about the 'actual' website or app of a company?

For example, the Facebook website/app are not going to force you through a redirect flow to login even though they may be sitting on an OAuth API under the hood.

From an OAuth perspective it would seem exceptions need to be made for these types of consumers. Namely, there are a select few applications that are essentially automatically authorized.

Does that make sense or am I missing something?


Answer 1:


I'm not sure I understand your question correctly, but basically, the primary goal of OAuth 2.0 is to allow third-party applications to access resource owners' (= end users') protected resources without passing resource owners' credentials (ID and password) to the third-party applications.

From a viewpoint of Facebook server, Facebook official website and application are not third-party applications. That is, all the entities (server, applications and users) belong to Facebook. Therefore, Facebook server and Facebook official applications do not have to use OAuth 2.0. They can communicate in their special, custom and cryptic way as they like.

Likewise, from a viewpoint of Photobucket server, the official Photobucket application is not a third-party application. So, the application is allowed to accept end users' credentials directly via the application's UI components. On the other hand, from a viewpoint of PhotoFolio, the Photobucket application is a third-party application. Because PhotoFolio wants to let the Photobucket application access PhotoFolio service but does not want to let the Photobucket application gather PhotoFolio's end users' credentials, PhotoFolio requires the Photobucket application to use OAuth 2.0.

In OAuth 2.0 flows (except Resource Owner Password Credentials Grant), third-party applications cannot know end users' credentials. This is the point. Non-third-party applications which are eligible to know end users' credentials do not have to use OAuth 2.0.
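The distinction the answer draws (a first-party client is "eligible to know end users' credentials", a third-party client is not) can be made concrete in an authorization server's token endpoint. The following is an added, self-contained toy authorization server written for this page, not code from the question, the answer, or any real provider; the client ids, secrets, redirect URIs and the user password are all constructed sample values. It lets only clients registered as first-party use the Resource Owner Password Credentials grant, while third-party clients must go through the authorization-code flow, in which the user authenticates at the server's own authorization endpoint and the client only ever sees a single-use code.

```python
"""Toy OAuth 2.0 authorization server: first-party vs. third-party clients.

Added example (not from the original page). All identifiers and secrets below
are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed client registry: the 'first_party' flag is the server's own
# policy decision about which clients may handle user passwords directly.
CLIENTS = {
    "official-mobile-app": {
        "secret": "constructed-secret-1",
        "first_party": True,
        "redirect_uri": "app://callback",
    },
    "photofolio-web": {
        "secret": "constructed-secret-2",
        "first_party": False,
        "redirect_uri": "https://photofolio.example/cb",
    },
}

# Constructed resource owner and password (never store passwords in clear text
# in real code; this keeps the example short).
USERS = {"alice": "correct horse battery staple"}


class OAuthError(Exception):
    """Carries the OAuth 2.0 'error' code a token response would return."""


@dataclass
class AuthorizationServer:
    pending_codes: dict = field(default_factory=dict)  # code -> (client_id, user)
    tokens: dict = field(default_factory=dict)         # token -> claims

    def _authenticate_client(self, client_id, client_secret):
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise OAuthError("invalid_client")
        return client

    def _check_user(self, username, password):
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            raise OAuthError("invalid_grant")

    def authorize(self, client_id, redirect_uri, username, password):
        """Authorization endpoint. The resource owner logs in HERE, on the
        server's UI; the client receives only a short-lived, single-use code."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise OAuthError("invalid_request")
        self._check_user(username, password)
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (client_id, username)
        return code

    def token(self, grant_type, client_id, client_secret, **params):
        """Token endpoint. Only first-party clients may present user credentials."""
        client = self._authenticate_client(client_id, client_secret)
        if grant_type == "authorization_code":
            entry = self.pending_codes.pop(params.get("code"), None)  # single use
            if entry is None or entry[0] != client_id:
                raise OAuthError("invalid_grant")
            username = entry[1]
        elif grant_type == "password":
            # Resource Owner Password Credentials grant: the client handled the
            # password itself, so it is refused for third-party clients.
            if not client["first_party"]:
                raise OAuthError("unauthorized_client")
            self._check_user(params["username"], params["password"])
            username = params["username"]
        else:
            raise OAuthError("unsupported_grant_type")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = {"sub": username, "client_id": client_id}
        return access_token

    def introspect(self, access_token):
        """Return the claims behind a token, or None if it is unknown."""
        return self.tokens.get(access_token)


def request_token(server, *args, **kwargs):
    """Shape a token request like an HTTP response: ('token', t) or ('error', code)."""
    try:
        return ("token", server.token(*args, **kwargs))
    except OAuthError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    srv = AuthorizationServer()
    pw = USERS["alice"]
    print(request_token(srv, "password", "official-mobile-app", "constructed-secret-1",
                        username="alice", password=pw)[0])      # token
    print(request_token(srv, "password", "photofolio-web", "constructed-secret-2",
                        username="alice", password=pw))          # ('error', 'unauthorized_client')
    code = srv.authorize("photofolio-web", "https://photofolio.example/cb", "alice", pw)
    print(request_token(srv, "authorization_code", "photofolio-web",
                        "constructed-secret-2", code=code)[0])   # token
```

The important property is visible in `token()`: a third-party client never has a code path in which the user's password passes through it, so even a compromised third-party client cannot leak it, which is exactly why PhotoFolio in the answer insists on OAuth. Note that the OAuth 2.0 Security Best Current Practice advises against the password grant even for first-party clients; it is used here only because it is the grant that directly encodes the "eligible to know credentials" distinction under discussion.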



Source: https://stackoverflow.com/questions/24332662/oauth-exceptions-for-primary-website-app
