In both cases, user credentials are exchanged for an access token. Can someone explain the difference?
The flows are described here, from http://hueniverse.com:
• User-Agent Flow – for clients running inside a user-agent (typically a web browser).
• Web Server Flow – for clients that are part of a web server application, accessible via HTTP requests. This is a simpler version of the flow provided by OAuth 1.0.
• Device Flow – suitable for clients executing on limited devices, but where the end-user has separate access to a browser on another computer or device.
• Username and Password Flow – used in cases where the user trusts the client to handle its credentials but it is still undesirable for the client to store the user’s username and password. This flow is only suitable when there is a high degree of trust between the user and the client.
• Client Credentials Flow – the client uses its credentials to obtain an access token. This flow supports what is known as the 2-legged scenario.
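• Assertion Flow – the client presents an assertion such as a SAML assertion to the authorization server in exchange for an access token.

Posted on 2012-08-06 20:28:52
You are confusing client credentials and user credentials here.
The client in the OAuth context always refers to the application that is being authorized. So in the client credentials flow, the application authorizes directly with the provider, without needing any input from the user (also known as https://stackoverflow.com/a/6949008/1467115, because only two parties are involved).
The username and password flow is a 3-legged flow. The user gives a username and password to the application, and the application then uses those credentials to request data from the provider.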
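The difference the answer describes, as an added example that is not part of the original question or answer: a toy token endpoint that handles both grants and reports whom the issued token would act for. It assumes the RFC 6749 parameter names (`grant_type=client_credentials` and `grant_type=password`) with HTTP Basic client authentication; the client, user, secrets and the `acts_for`/`parties` fields are constructed for illustration.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample data: one registered client (the application) and one end-user.
CLIENTS = {"reporting-app": "app-secret"}
USERS = {"alice": "alice-password"}

def _same(a, b):
    """Constant-time comparison; False when the account does not exist."""
    return a is not None and b is not None and hmac.compare_digest(a.encode(), b.encode())

def build_token_request(grant_type, client_id, client_secret, username=None, password=None):
    """Return (headers, body) for a token request using RFC 6749 parameter names."""
    params = {"grant_type": grant_type}
    if grant_type == "password":
        # The user's credentials travel through the client: a third party is involved.
        params.update(username=username, password=password)
    raw = f"{client_id}:{client_secret}".encode()
    # The Basic header always identifies the application, never the user.
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}, urlencode(params)

def token_endpoint(headers, body):
    """Toy authorization server: says whom the issued token would act for."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    try:
        client_id, _, secret = base64.b64decode(blob).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return {"error": "invalid_client"}
    if scheme != "Basic" or not _same(CLIENTS.get(client_id), secret):
        return {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    grant = form.get("grant_type")
    if grant == "client_credentials":
        # Two parties: the application and the provider. No user appears anywhere.
        return {"client": client_id, "acts_for": client_id, "parties": 2}
    if grant == "password":
        # Three parties: user, application, provider. The token represents the user.
        user = form.get("username")
        if not _same(USERS.get(user), form.get("password")):
            return {"error": "invalid_grant"}
        return {"client": client_id, "acts_for": user, "parties": 3}
    return {"error": "unsupported_grant_type"}
```
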
https://stackoverflow.com/questions/11832893