Question

I'm building an OAuth2 Provider and API on Node.js.

I've built the system to grant access_tokens and require client_key and client_secret to do so...

But once an access_token has been granted, and a Client User performs a GET or POST request to an API resource, is it common to pass the client_key and client_secret along with that request, and all subsequent requests?

I've always been under the impression that only an access_token was needed, but after reviewing some SDKs (like this Twitter node API client), they are using OAuth Clients to perform subsequent requests to API resources, and it looks like the client_secret and client_key are being included each time.
Answer 1:

The specification requires the access token only. The authorization server itself is definitely able to look up every authorization detail for the token.
However, in some use cases the protected resource should also be able to identify the client (e.g. do access logging), but the specification does not cover how this should be done. Using JWS or other self-contained tokens you can extract the client id (and everything else) from the token manually, but the server is free to use different token representations as well.
As a conclusion, including client info besides the access token is probably a custom implementation detail of Twitter and others for protected resources to identify their client.
Source: https://stackoverflow.com/questions/24966935/oauth2-provider-architecture-should-requests-w-access-tokens-be-accompanied-b