Reputation: 26886
When I read the OAuth 2.0 Authorization Framework, there is an image that shows the process:
I don't understand the function of the steps that avoids giving the Resource Owner's information to the Client:
The Client asks the Resource Owner for Authorization (step A), and the Resource Owner gives the Grant to the Client (step B).
How can steps A and B avoid giving the Resource Owner's information to the Client?
Upvotes: 0
Views: 33
Reputation: 8421
The resource owner password grant relies on the client getting access to the resource owner's credentials. The goal of this grant is to be there if you cannot use other flows (e.g. when a backend needs a token for itself). As the OAuth 2 specification says:
The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code).
If you don't want the client to get the credentials, use some other flow such as the Implicit or Authorization Code grant.
Upvotes: 1
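As an added illustration of the answer above (not code from the question, the answer, or any OAuth library), here is a small in-memory simulation of the two grants: in the authorization code grant the resource owner logs in at the authorization server and the client only receives a one-time code on its registered redirect URI, whereas in the password grant the client itself handles the raw password. Every user, client id, URL and password below is constructed for the demo.

```python
import hashlib, secrets
_h = lambda pw: hashlib.sha256(pw.encode()).hexdigest()   # demo-only hashing for the constructed user store

class AuthorizationServer:
    def __init__(self, users, clients):
        self.users, self.clients = users, clients      # constructed sample data
        self.codes, self.tokens = {}, {}
    def _check(self, username, password):
        if self.users.get(username) != _h(password):
            raise ValueError("bad credentials")
    def _issue(self, username):
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = username
        return tok
    def authorize(self, client_id, redirect_uri, username, password):
        # Steps A/B: the owner logs in at the *server*; the client only gets a one-time code back
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unregistered redirect_uri")
        self._check(username, password)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, username)
        return f"{redirect_uri}?code={code}"
    def token_from_code(self, client_id, code):
        owner = self.codes.pop(code, None)             # single use
        if owner is None or owner[0] != client_id:
            raise ValueError("invalid code")
        return self._issue(owner[1])
    def token_from_password(self, username, password):
        self._check(username, password)                 # resource owner password grant
        return self._issue(username)

class Client:
    def __init__(self, client_id, redirect_uri):
        self.client_id, self.redirect_uri, self.seen = client_id, redirect_uri, []  # seen: all values reaching the client
    def finish_code_flow(self, srv, redirect_url):
        self.seen.append(redirect_url)                  # only the code arrives here
        return srv.token_from_code(self.client_id, redirect_url.split("code=")[1])
    def password_flow(self, srv, username, password):
        self.seen.append(password)                      # the client handles the raw password
        return srv.token_from_password(username, password)

def compare_grants():
    srv = AuthorizationServer({"alice": _h("s3cret")}, {"app1": "https://app.example/cb"})
    client = Client("app1", "https://app.example/cb")
    # Code grant: alice submits the password to the server's login form, not to the client
    t1 = client.finish_code_flow(srv, srv.authorize("app1", client.redirect_uri, "alice", "s3cret"))
    seen_in_code_flow = "s3cret" in "".join(client.seen)
    t2 = client.password_flow(srv, "alice", "s3cret")   # password grant: typed into the client
    return srv.tokens.get(t1) == srv.tokens.get(t2) == "alice", seen_in_code_flow, "s3cret" in "".join(client.seen)
```

`compare_grants()` returns `(True, False, True)`: both grants yield a valid token for alice, but only the password grant ever put her password in the client's hands.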