https://www.oauth.com/oauth2-servers/access-tokens/password-grant/
The Password grant is used when the application exchanges the user’s username and password for an access token. This is exactly the thing OAuth was created to prevent in the first place, so you should never allow third-party apps to use this grant.
A common use for this grant type is to enable password logins for your service’s own apps. Users won’t be surprised to log in to the service’s website or native application using their username and password, but third-party apps should never be allowed to ask the user for their password.
Request Parameters
The access token request will contain the following parameters.
grant_type(required) – Thegrant_typeparameter must be set to “password”.username(required) – The user’s username.password(required) – The user’s password.scope(optional) – The scope requested by the application.- Client Authentication (required if the client was issued a secret)
If the client was issued a secret, then the client must authenticate this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header.
Example
The following is an example password grant the service would receive.
POST /oauth/token HTTP/1.1Host: authorization-server.comgrant_type=password&username=user@example.com&password=1234luggage&client_id=xxxxxxxxxx&client_secret=xxxxxxxxxx
See Access Token Response for details on the parameters to return when generating an access token or responding to errors.
GET /Chuck_WebApi/oauth/token HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: 77e99b5f-d31e-4379-a64c-ddc511d42781
grant_type=passwordusername=adminpassword=passwordundefined=undefined
To allow only the grant types you want it's enough to inherit from OAuthAuthorizationServerProvider. Then you need to override two methods:
- ValidateClientAuthentication - to validate that the origin of the request is a registered
client_id - GrantResourceOwnerCredentials - to validate provided
usernameandpasswordwhen thegrant_typeis set topassword
For more information here is the documentation of GrantResourceOwnerCredentials method:
Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and optional "refresh_token". If the web application supports the resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated with the access token. The application should take appropriate measures to ensure that the endpoint isn’t abused by malicious callers. The default behavior is to reject this grant type.
需要注意的是:
client_credentials
Called when a request to the Token endpoint arrives with a "grant_type" of "password".
This occurs when the user has provided name and password credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and optional "refresh_token".
If the web application supports the resource owner credentials grant type it must validate the context.Username and context.Password as appropriate.
To issue an access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated with the access token.
The default behavior is to reject this grant type. See also http://tools.ietf.org/html/rfc6749#section-4.3.
经过测试,发现下面这个才是有效的
GET /Chuck_WebApi/oauth/token HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: ce49a101-df6e-4b7c-9217-e112b387b784
grant_type=client_credentialsusername=adminpassword=password
换了另外一种
GET http://localhost/Chuck_WebApi/oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: 3b870eb3-1c29-4b5e-9dcd-297e3f582c27
User-Agent: PostmanRuntime/7.6.0
Accept: */*
Host: localhost
accept-encoding: gzip, deflate
content-length: 75
Connection: keep-alivegrant_type=password&username=admin&password=password&client_id=testClientId