What I don't fully understand is the use of ClientId and Secret vs Username and Password. The code I pasted generates a token by username and password and I can work with that token (until it expires), but when I try to get a refresh token, I must have the ClientId.

Also, if a token expires, the correct way is to send the refresh token and get a new token? What if the refresh token gets stolen? Isn't it the same as a username & password getting stolen?

In OAuth2 it is essential to authenticate both the user and the client in any authorization flow defined by the protocol. The client authentication (as you may guess) enforces the use of your API only by known clients. The serialized access token, once generated, is not bound to a specific client directly. Please note that the ClientSecret must be treated as confidential information, and can be used only by clients that can store this information in some secure way (e.g. external services clients, but not javascript clients).

The refresh token is simply an alternative "grant type" for OAuth2, and, as you stated correctly, will substitute the username and password pair for a User. This token must be treated as confidential data (even more confidential than the access token), but gives advantages over storing the username & password on the client:

  • it can be revoked by the user if compromised;
  • it has a limited lifetime (usually days or weeks);
  • it does not expose user credentials (an attacker can only get access tokens for the "scope" the refresh token was issued for).

I suggest you read more about the different grant types defined in OAuth 2 by checking the official draft. I also recommend this resource, which I found very useful when I first implemented OAuth2 in Web API myself.

Sample requests

Here are two request examples using fiddler, for Resource Owner Password Credentials Grant:

and for Refresh Token Grant:

https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/
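To make the two request shapes above and the three refresh-token properties from the answer concrete, here is an added example that is not part of the original question or answer and is not ASP.NET OWIN code: a minimal in-memory OAuth2 token endpoint in Python. It authenticates the client on every call (so a refresh token alone is useless without the ClientId and ClientSecret), issues tokens for the password grant and the refresh_token grant, binds each refresh token to the client it was issued to, rotates it on use, enforces the issued scope, supports revocation, and expires refresh tokens after a fixed lifetime. The client registry, user, password, lifetimes and the `token_request_body` helper are all constructed assumptions for the demo; a real server would store hashed passwords and persist tokens.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed registry of confidential clients and users (demo values only).
CLIENTS = {"my-webapp": "s3cret-client-value"}
USERS = {"alice": "correct horse battery staple"}   # plaintext only for the demo
ACCESS_TTL = 300                 # seconds; access tokens are short-lived
REFRESH_TTL = 7 * 24 * 3600      # seconds; refresh tokens live days or weeks


@dataclass
class RefreshToken:
    user: str
    client_id: str      # the client this refresh token was issued to
    scope: str
    expires_at: float
    revoked: bool = False


def token_request_body(params: dict) -> str:
    """Form-encoded body as sent to /token (what a Fiddler capture would show)."""
    return urlencode(params)


class TokenEndpoint:
    def __init__(self, now=time.time):
        self.now = now                  # injectable clock for tests
        self.refresh_tokens: dict[str, RefreshToken] = {}

    def _authenticate_client(self, form):
        expected = CLIENTS.get(form.get("client_id"))
        if expected is None or not hmac.compare_digest(expected, form.get("client_secret", "")):
            return None
        return form["client_id"]

    def _issue(self, user, client_id, scope):
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = RefreshToken(user, client_id, scope, self.now() + REFRESH_TTL)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh, "scope": scope}

    def token(self, form: dict) -> dict:
        # Client authentication happens for every grant type, refresh included.
        client_id = self._authenticate_client(form)
        if client_id is None:
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "password":
            stored = USERS.get(form.get("username", ""))
            if stored is None or not hmac.compare_digest(stored, form.get("password", "")):
                return {"error": "invalid_grant"}
            return self._issue(form["username"], client_id, form.get("scope", ""))
        if grant == "refresh_token":
            rt = self.refresh_tokens.get(form.get("refresh_token", ""))
            if rt is None or rt.revoked or rt.expires_at <= self.now():
                return {"error": "invalid_grant"}       # unknown, revoked or expired
            if rt.client_id != client_id:
                return {"error": "invalid_grant"}       # issued to a different client
            requested = form.get("scope", rt.scope)
            if not set(requested.split()) <= set(rt.scope.split()):
                return {"error": "invalid_scope"}       # cannot widen the original scope
            rt.revoked = True                           # rotate: old refresh token is single-use
            return self._issue(rt.user, client_id, requested)
        return {"error": "unsupported_grant_type"}

    def revoke(self, refresh_token: str) -> bool:
        """User-initiated revocation of a compromised refresh token."""
        rt = self.refresh_tokens.get(refresh_token)
        if rt is None:
            return False
        rt.revoked = True
        return True


if __name__ == "__main__":
    ep = TokenEndpoint()
    creds = {"client_id": "my-webapp", "client_secret": "s3cret-client-value"}
    first = ep.token({**creds, "grant_type": "password", "username": "alice",
                      "password": "correct horse battery staple", "scope": "read write"})
    print(token_request_body({**creds, "grant_type": "refresh_token",
                              "refresh_token": first["refresh_token"]}))
    print(ep.token({**creds, "grant_type": "refresh_token",
                    "refresh_token": first["refresh_token"], "scope": "read"}))
```

Run as a script it prints the form body a refresh request would carry and the new token pair. The behaviour worth noticing for the question asked: a stolen refresh token is not equivalent to stolen credentials, because the thief also needs the client secret, gets only the already-granted scope, is cut off the moment the user revokes it or the lifetime ends, and never learns the password.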
