spring - Is OAuth user approval the same as user authentication?
I'm trying to look up autoapprove in Spring Boot OAuth, and there's a question here titled "Skip OAuth user approval in Spring Boot OAuth2" that talks about it. Is user approval the same thing as user authentication? In other words, when autoapprove is set to true for the client, is user authentication skipped?
Authentication and approval are not the same, see RFC 6749:
4.1.1. Authorization Request
[...] The authorization server validates the request to ensure that all required parameters are present and valid. If the request is valid, the authorization server authenticates the resource owner and obtains an authorization decision (by asking the resource owner or by establishing approval via other means).
When a decision is established, the authorization server directs the user-agent to the provided client redirection URI using an HTTP redirection response, or by other means available to it via the user-agent.
Spring OAuth2's autoapprove skips the approval (establishing approval via other means), see UserApprovalHandler.html#checkForPreApproval:
Provides a hook for allowing requests to be pre-approved (skipping the User Approval Page). Some implementations may allow users to store approval decisions so that they only have to approve a site once. This method is called in the AuthorizationEndpoint before sending the user to the Approval page. If this method sets oAuth2Request.approved to true, the Approval page will be skipped.
see also:
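The order of steps quoted from RFC 6749 section 4.1.1 above, as an added example that is not part of the original answer and is not Spring's code: a small model of an authorization endpoint in which auto-approve only replaces the approval page and never the login. The client registry, the `Outcome` type and the function names are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Constructed client registry; "autoapprove" mirrors the per-client setting.
CLIENTS = {
    "trusted-app": {"redirect_uri": "https://app.example/cb", "autoapprove": True},
    "third-party": {"redirect_uri": "https://other.example/cb", "autoapprove": False},
}

@dataclass
class Outcome:
    action: str                      # "error" | "login" | "approval_page" | "redirect"
    location: Optional[str] = None   # set only for "redirect"

def check_for_pre_approval(client, user, client_id, stored_approvals):
    """Approval 'via other means': client auto-approve or a remembered decision."""
    return client["autoapprove"] or (user, client_id) in stored_approvals

def authorize(params, session_user, stored_approvals=frozenset()):
    """Hypothetical authorization endpoint following RFC 6749 section 4.1.1."""
    # 1. Validate the request: known client, supported response type, and a
    #    redirect URI that matches the registered one exactly.
    client_id = params.get("client_id")
    client = CLIENTS.get(client_id)
    if client is None or params.get("response_type") != "code":
        return Outcome("error")
    if params.get("redirect_uri", client["redirect_uri"]) != client["redirect_uri"]:
        return Outcome("error")

    # 2. Authenticate the resource owner. No client setting is consulted here,
    #    so auto-approve cannot skip this step.
    if session_user is None:
        return Outcome("login")

    # 3. Obtain the authorization decision. Only this step is affected by
    #    auto-approve: the approval page is skipped when pre-approved.
    if not check_for_pre_approval(client, session_user, client_id, stored_approvals):
        return Outcome("approval_page")

    # 4. Decision established: redirect back to the client with a code.
    query = {"code": secrets.token_urlsafe(16)}
    if "state" in params:
        query["state"] = params["state"]
    return Outcome("redirect", client["redirect_uri"] + "?" + urlencode(query))
```
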