1.3. Authorization Grant
An authorization grant is a credential / representing the resource owner’s authorization / (to access its protected resources) / used by the client / to obtain an access token. // This specification defines four grant types / — authorization code, implicit, resource owner password credentials, and client credentials — as well as an extensibility mechanism // for defining additional types.
authorization grant는 자격이다. / resource owner의 authorization인증을 대표하는 / (이것의 protected보호된 resources자원에 접근하기 위해) / client에 의해 사용된다 / access token을 얻기 위해. //
이 규격은 네 가지 인증 타입을 정의한다 / — 인증코드, 내재화, 자원소유자의 비밀번호 인증정보, client 인증정보 — / 게다가 추가적인 타입을 위한 확장 메커니즘
authorization grant는 client가 resource owner의 protected resource에 접근하기 위한 access token을 받기위한 인증을 말한다.
이 규격서는 네가지 인증 방식grant types을 정의한다
resource owner password credentials
위 네개 뿐 아니라 추가로 확장도 가능하다
1.3.1. Authorization Code
The authorization code is obtained by using an authorization server as an intermediary between the client and resource owner. Instead of requesting authorization directly from the resource owner, the client directs the resource owner to an authorization server (via its user-agent as defined in [RFC2616]), which in turn directs the resource owner back to the client with the authorization code.
authorization server : client와 resource owner사이의 중재자 역할을 한다
authorization code는 authorization server에서 얻을 수 있다.
client는 authorization을 resource owner에 직접 요청하는 대신에 resource owner를 authorization server에 연결해줄 수 잇다. ([RFC2616]에 정의되어있는 user-agent를 이용)
Before directing the resource owner back to the client with the authorization code, the authorization server authenticates the resource owner and obtains authorization. Because the resource owner only authenticates with the authorization server, the resource owner’s credentials are never shared with the client.
resource owner에서 client로 authorization code를 전달하기 전에 authorization server는 resource owner를 인증하고 authorization을 얻는다. 왜냐하면 resource owner는 authorization server과만 인증을 하고 resource owner의 인증정보는 client와 공유되지 않기 때문이다.
The authorization code provides a few important security benefits,
such as the ability to authenticate the client, as well as the
transmission of the access token directly to the client without
passing it through the resource owner’s user-agent and potentially
exposing it to others, including the resource owner.
authorization code는 몇가지 보안 잇점이 있다. client를 인증하는 기능, 예를들어) access token을 resource owner의 user-agent를 거치지 않고 직접 client에 전달한다던가… 그리고 잠재적으로 이게 resource를 포함해서 제3자에게 노출될 가능성 없다
The implicit grant is a simplified authorization code flow optimized
for clients implemented in a browser using a scripting language such
an authorization code, the client is issued an access token directly
(as the result of the resource owner authorization). The grant type is implicit, as no intermediate credentials (such as an authorization code) are issued (and later used to obtain an access token).
(resource owner의 인증의 결과로). grant type인증 타입이 implicit인 경우 중재해주는 credential이 발급되지 않는다. (authorization code라던가…)(그리고 나중에 access token을 얻을 때 쓰인다)
When issuing an access token during the implicit grant flow, the
authorization server does not authenticate the client. In some
cases, the client identity can be verified via the redirection URI
used to deliver the access token to the client. The access token may
be exposed to the resource owner or other applications with access to
the resource owner’s user-agent.
implicit 인증 흐름에서 access token이 발급될 때 authorization server는 client를 인증해주지않느다. 간혹, client identify가 redirection uri로 전달된 access token으로 인증되기도한다. access token은 노출될 수 있다. resource owner에게 또는 다른 application이 reosurce owner의 user-agent에 접근할 때
Implicit grants improve the responsiveness and efficiency of some
clients (such as a client implemented as an in-browser application),
since it reduces the number of round trips required to obtain an
access token. However, this convenience should be weighed against
the security implications of using implicit grants, such as those
described in Sections 10.3 and 10.16, especially when the
authorization code grant type is available.
implicit 인증은 민감성과 효율을 증가시킨다.(TODO)
1.3.3. Resource Owner Password Credentials
The resource owner password credentials (i.e., username and password)
can be used directly as an authorization grant to obtain an access
token. The credentials should only be used when there is a high
degree of trust between the resource owner and the client (e.g., the
client is part of the device operating system or a highly privileged
application), and when other authorization grant types are not
available (such as an authorization code).
Even though this grant type requires direct client access to the
resource owner credentials, the resource owner credentials are used
for a single request and are exchanged for an access token. This
grant type can eliminate the need for the client to store the
resource owner credentials for future use, by exchanging the
credentials with a long-lived access token or refresh token.
1.3.4. Client Credentials
The client credentials (or other forms of client authentication) can
be used as an authorization grant when the authorization scope is
limited to the protected resources under the control of the client,
or to protected resources previously arranged with the authorization
server. Client credentials are used as an authorization grant
typically when the client is acting on its own behalf (the client is
also the resource owner) or is requesting access to protected
resources based on an authorization previously arranged with the