Why is authorization_code better than the implicit grant type? Isn't it just one more step?
implicit -> the authorization server delivers the access token with no guarantee that the receiver is the intended one; the client receiving it might not be the intended client
a bad guy can just take the access token
authorization_code -> having the authorization code is not enough; the bad guy also needs the client's credentials.
also, the auth_code is sent in a request, not in a response -> a request can easily be interposed by someone, but the response (the token returned to the client's own request) is not
opaque token -> cannot be validated locally; need to ask the AuthenticationServer whether the token is valid
need to specify which encoder will be used for the client's credentials; otherwise it uses the encoder configured in the usermanagementConfigure class
send a request to /oauth/check_token with the access token
in the configure method we need to set checkTokenAccess("permitAll()")
with checkTokenAccess("isAuthenticated()") -> need to additionally send the client credentials via HTTP Basic auth
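The configuration the notes above describe, as an added example that is not the post's own code. It assumes the legacy spring-security-oauth2 (2.x) API (AuthorizationServerConfigurerAdapter, RemoteTokenServices); the client ids, secrets, ports and redirect URI are constructed placeholders, and the resource-server class is meant to live in a separate application.

```java
// Added example, not from the original post. Legacy spring-security-oauth2 (2.x) API.
// Client ids/secrets, ports and URLs are constructed placeholders.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    // User authentication comes from the user-management configuration (assumed to exist).
    @Autowired
    private AuthenticationManager authenticationManager;

    // Encoder for CLIENT secrets, declared explicitly so the client credential check
    // does not silently fall back to the encoder of the user-management configuration.
    private final PasswordEncoder clientSecretEncoder = new BCryptPasswordEncoder();

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            // client secrets are matched with this encoder
            .passwordEncoder(clientSecretEncoder)
            // /oauth/check_token requires the caller to authenticate with its client
            // id/secret over HTTP Basic; "permitAll()" would let anyone introspect tokens
            .checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // The OAuth client: authorization_code only, so a captured code alone is
            // useless without this secret on the back-channel /oauth/token request.
            .withClient("web-client")                                      // placeholder
            .secret(clientSecretEncoder.encode("web-client-secret"))       // placeholder
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("read")
            .redirectUris("http://localhost:9090/login/callback")          // placeholder
            .and()
            // The resource server: its only job here is calling /oauth/check_token.
            .withClient("resource-server")                                 // placeholder
            .secret(clientSecretEncoder.encode("resource-server-secret"))  // placeholder
            .authorizedGrantTypes("client_credentials")
            .scopes("introspect");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager);
    }
}

// Resource-server side (separate application): opaque tokens cannot be validated
// locally, so every token is sent to /oauth/check_token with the resource server's
// client credentials as HTTP Basic auth, as checkTokenAccess("isAuthenticated()") requires.
@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Bean
    public RemoteTokenServices remoteTokenServices() {
        RemoteTokenServices tokenServices = new RemoteTokenServices();
        tokenServices.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token"); // placeholder
        tokenServices.setClientId("resource-server");                                       // placeholder
        tokenServices.setClientSecret("resource-server-secret");                            // placeholder
        return tokenServices;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.tokenServices(remoteTokenServices());
    }
}
```

The same introspection call can be made by hand to see what the resource server receives: `curl -u resource-server:resource-server-secret "http://localhost:8080/oauth/check_token?token=<access token>"` returns the token's client id, scopes and expiry when it is valid, and an error when it is not. Without the `-u` credentials the endpoint answers 401 under `isAuthenticated()`; switching to `permitAll()` removes that requirement but then any holder of a token value can introspect it.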