OAuth2 Spec. – 1.3. Authorization Grant

4 minute read

1.3. Authorization Grant

An authorization grant is a credential / representing the resource owner’s authorization / (to access its protected resources) / used by the client / to obtain an access token. // This specification defines four grant types / – authorization code, implicit, resource owner password credentials, and client credentials – as well as an extensibility mechanism // for defining additional types.

authorization grant는 자격이다. / resource owner의 authorization인증을 대표하는 / (이것의 protected보호된 resources자원에 접근하기 위해) / client에 의해 사용된다 / access token을 얻기 위해. // 이 규격은 네 가지 인증 타입을 정의한다 / – 인증코드, 내재화, 자원소유자의 비밀번호 인증정보, client 인증정보 – / 게다가 추가적인 타입을 위한 확장 메커니즘

authorization grant는 client가 resource owner의 protected resource에 접근하기 위한 access token을 받기위한 인증을 말한다. 이 규격서는 네가지 인증 방식grant types을 정의한다 authorization code implicit resource owner password credentials client credentials 위 네개 뿐 아니라 추가로 확장도 가능하다

1.3.1. Authorization Code

The authorization code is obtained by using an authorization server as an intermediary between the client and resource owner. Instead of requesting authorization directly from the resource owner, the client directs the resource owner to an authorization server (via its user-agent as defined in [RFC2616]), which in turn directs the resource owner back to the client with the authorization code.

authorization server : client와 resource owner사이의 중재자 역할을 한다 authorization code는 authorization server에서 얻을 수 있다. client는 authorization을 resource owner에 직접 요청하는 대신에 resource owner를 authorization server에 연결해줄 수 잇다. ([RFC2616]에 정의되어있는 user-agent를 이용)

Before directing the resource owner back to the client with the authorization code, the authorization server authenticates the resource owner and obtains authorization. Because the resource owner only authenticates with the authorization server, the resource owner’s credentials are never shared with the client.

resource owner에서 client로 authorization code를 전달하기 전에 authorization server는 resource owner를 인증하고 authorization을 얻는다. 왜냐하면 resource owner는 authorization server과만 인증을 하고 resource owner의 인증정보는 client와 공유되지 않기 때문이다.

The authorization code provides a few important security benefits, such as the ability to authenticate the client, as well as the transmission of the access token directly to the client without passing it through the resource owner’s user-agent and potentially exposing it to others, including the resource owner.

authorization code는 몇가지 보안 잇점이 있다. client를 인증하는 기능, 예를들어) access token을 resource owner의 user-agent를 거치지 않고 직접 client에 전달한다던가… 그리고 잠재적으로 이게 resource를 포함해서 제3자에게 노출될 가능성 없다

1.3.2. Implicit

The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript. In the implicit flow, instead of issuing the client an authorization code, the client is issued an access token directly

Implicit 인증은 authorization code의 절차를 간소화 시킨 것이다. JavaScript와 같은 Brower단의 스크립트 언어에서 쓸 수 있도록. client에게 authorization code를 발급하는 대신에 client는 access token을 직접 발급한다.

(as the result of the resource owner authorization). The grant type is implicit, as no intermediate credentials (such as an authorization code) are issued (and later used to obtain an access token). (resource owner의 인증의 결과로). grant type인증 타입이 implicit인 경우 중재해주는 credential이 발급되지 않는다. (authorization code라던가…)(그리고 나중에 access token을 얻을 때 쓰인다)

When issuing an access token during the implicit grant flow, the authorization server does not authenticate the client. In some cases, the client identity can be verified via the redirection URI used to deliver the access token to the client. The access token may be exposed to the resource owner or other applications with access to the resource owner’s user-agent.

implicit 인증 흐름에서 access token이 발급될 때 authorization server는 client를 인증해주지않느다. 간혹, client identify가 redirection uri로 전달된 access token으로 인증되기도한다. access token은 노출될 수 있다. resource owner에게 또는 다른 application이 reosurce owner의 user-agent에 접근할 때

Implicit grants improve the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token. However, this convenience should be weighed against the security implications of using implicit grants, such as those described in Sections 10.3 and 10.16, especially when the authorization code grant type is available.

implicit 인증은 민감성과 효율을 증가시킨다.(TODO)

1.3.3. Resource Owner Password Credentials

The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code).

Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token. This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials with a long-lived access token or refresh token.

1.3.4. Client Credentials

The client credentials (or other forms of client authentication) can be used as an authorization grant when the authorization scope is limited to the protected resources under the control of the client, or to protected resources previously arranged with the authorization server. Client credentials are used as an authorization grant typically when the client is acting on its own behalf (the client is also the resource owner) or is requesting access to protected resources based on an authorization previously arranged with the authorization server.