2. Client Registration

客户端注册

Before initiating the protocol, the client registers with the

authorization server. The means through which the client registers

with the authorization server are beyond the scope of this

specification but typically involve end-user interaction with an HTML

registration form.

　　在启动协议之前，客户端要向授权服务器注册。 客户端向授权服务器注册的方式超出了本规范的范围，但通常涉及终端用户与HTML注册表的互动。

Client registration does not require a direct interaction between the

client and the authorization server. When supported by the

authorization server, registration can rely on other means for

establishing trust and obtaining the required client properties

(e.g., redirection URI, client type). For example, registration can

be accomplished using a self-issued or third-party-issued assertion,

or by the authorization server performing client discovery using a

trusted channel.

　　客户端注册并不要求客户端和授权服务器之间有直接的互动。 当授权服务器支持时，注册可以依靠其他方式来建立信任并获得所需的客户属性（例如，重定向URI，客户类型）。 例如，注册可以通过自发的或第三方发布的断言来完成，或者由授权服务器使用可信的渠道进行客户发现。

When registering a client, the client developer SHALL:

o specify the client type as described in Section 2.1,

o provide its client redirection URIs as described in Section 3.1.2, and

o include any other information required by the authorization server

(e.g., application name, website, description, logo image, the

acceptance of legal terms).

在注册一个客户时，客户开发人员应

• 如第2.1节所述，指定客户类型
• 如第3.1.2节所述，提供其客户端重定向URI，并且
• 如第3.1.2节所述，提供其客户端重定向URI，并包括授权服务器所要求的任何其他信息（例如，应用程序名称、网站、描述、标识图像、法律条款的接受）。

2.1. Client Types

客户端类型

OAuth defines two client types, based on their ability to

authenticate securely with the authorization server (i.e., ability to

maintain the confidentiality of their client credentials):

　　OAuth根据客户与授权服务器安全认证的能力（即维护其客户证书保密性的能力），定义了两种客户类型。

confidential

Clients capable of maintaining the confidentiality of their

credentials (e.g., client implemented on a secure server with

restricted access to the client credentials), or capable of secure

client authentication using other means.

public

Clients incapable of maintaining the confidentiality of their

credentials (e.g., clients executing on the device used by the

resource owner, such as an installed native application or a web

browser-based application), and incapable of secure client

authentication via any other means.

保密的

能够维护其证书的保密性的客户（例如，在安全服务器上实施的客户，对客户证书的访问受到限制），或能够使用其他方式进行安全的客户认证。

公共的

没有能力维护其证书的保密性的客户（例如，在资源所有者使用的设备上执行的客户，如安装的本地应用程序或基于网络浏览器的应用程序），以及没有能力通过任何其他方式进行安全的客户认证。

The client type designation is based on the authorization server's

definition of secure authentication and its acceptable exposure

levels of client credentials. The authorization server SHOULD NOT

make assumptions about the client type.

　　客户端类型的指定是基于授权服务器对安全认证的定义及其可接受的客户凭证暴露水平。 授权服务器不应该对客户类型做出假设。

A client may be implemented as a distributed set of components, each

with a different client type and security context (e.g., a

distributed client with both a confidential server-based component

and a public browser-based component). If the authorization server

does not provide support for such clients or does not provide

guidance with regard to their registration, the client SHOULD

register each component as a separate client.

　　一个客户端可以被实现为一组分布式的组件，每个组件都有不同的客户端类型和安全环境（例如，一个分布式的客户端既有基于服务器的保密组件，又有基于浏览器的公共组件）。 如果授权服务器不支持这类客户端，或不提供有关其注册的指导，则客户端应将每个组件作为一个单独的客户端进行注册。

This specification has been designed around the following client

profiles:

　　本规范是围绕以下客户情况设计的。

web application

A web application is a confidential client running on a web

server. Resource owners access the client via an HTML user

interface rendered in a user-agent on the device used by the

resource owner. The client credentials as well as any access

token issued to the client are stored on the web server and are

not exposed to or accessible by the resource owner.

web应用程序

网络应用程序是一个运行在网络服务器上的保密客户端。 资源所有者通过资源所有者使用的设备上的用户代理渲染的HTML用户界面访问客户端。 客户端证书以及发给客户端的任何访问令牌都存储在网络服务器上，不会暴露给资源所有者，也不会被其访问。

user-agent-based application

A user-agent-based application is a public client in which the

client code is downloaded from a web server and executes within a

user-agent (e.g., web browser) on the device used by the resource

owner. Protocol data and credentials are easily accessible (and

often visible) to the resource owner. Since such applications

reside within the user-agent, they can make seamless use of the

user-agent capabilities when requesting authorization.

　　基于用户代理的应用程序

基于用户代理的应用程序是一个公共客户端，其中客户端代码从网络服务器下载，并在资源所有者使用的设备上的用户代理（如网络浏览器）中执行。 协议数据和证书对资源所有者来说很容易访问（而且往往是可见的）。 由于这类应用程序驻留在用户代理中，它们可以在请求授权时无缝利用用户代理的能力。

native application

A native application is a public client installed and executed on

the device used by the resource owner. Protocol data and

credentials are accessible to the resource owner. It is assumed

that any client authentication credentials included in the

application can be extracted. On the other hand, dynamically

issued credentials such as access tokens or refresh tokens can

receive an acceptable level of protection. At a minimum, these

credentials are protected from hostile servers with which the

application may interact. On some platforms, these credentials

might be protected from other applications residing on the same

device.

本地应用程序

本机应用程序是在资源所有者使用的设备上安装和执行的公共客户端。 协议数据和凭证可由资源所有者访问。 假设应用程序中包含的任何客户端认证凭证可以被提取。 另一方面，动态发布的凭证，如访问令牌或刷新令牌，可以获得可接受的保护水平。至少，这些凭证受到保护，不受应用程序可能与之交互的敌对服务器的影响。 在一些平台上，这些凭证可能会受到保护，不受驻扎在同一设备上的其他应用程序的影响。

2.2. Client Identifier

客户端标识

The authorization server issues the registered client a client

identifier -- a unique string representing the registration

information provided by the client. The client identifier is not a

secret; it is exposed to the resource owner and MUST NOT be used

alone for client authentication. The client identifier is unique to

the authorization server.

授权服务器向已注册的客户发出一个客户标识符--一个代表客户所提供的注册信息的唯一字符串。 客户端标识符不是一个秘密；它被暴露给资源所有者，并且不得单独用于客户认证。 客户端标识符对授权服务器来说是唯一的。

The client identifier string size is left undefined by this

specification. The client should avoid making assumptions about the

identifier size. The authorization server SHOULD document the size

of any identifier it issues.

客户端标识符字符串的大小在本规范中没有定义。 客户端应避免对标识符的大小做出假设。 授权服务器应该记录它发出的任何标识符的大小。

2.3. Client Authentication

客户端认证

If the client type is confidential, the client and authorization

server establish a client authentication method suitable for the

security requirements of the authorization server. The authorization

server MAY accept any form of client authentication meeting its

security requirements.

如果客户端类型是保密的，客户端和授权服务器建立一个适合授权服务器安全要求的客户认证方法。 授权服务器可以接受符合其安全要求的任何形式的客户认证。

Confidential clients are typically issued (or establish) a set of

client credentials used for authenticating with the authorization

server (e.g., password, public/private key pair).

保密客户通常会被发放（或建立）一套客户凭证，用于与授权服务器进行身份验证（如密码、公共/私人密钥对）。

The authorization server MAY establish a client authentication method

with public clients. However, the authorization server MUST NOT rely

on public client authentication for the purpose of identifying the

client.

授权服务器可以与公共客户建立一个客户认证方法。 然而，授权服务器决不能为了识别客户而依赖公共客户的认证。

The client MUST NOT use more than one authentication method in each

request.

客户端不得在每个请求中使用一个以上的认证方法。

2.3.1. Client Password

客户端密码

Clients in possession of a client password MAY use the HTTP Basic

authentication scheme as defined in [RFC2617] to authenticate with

the authorization server. The client identifier is encoded using the

"application/x-www-form-urlencoded" encoding algorithm per

Appendix B, and the encoded value is used as the username; the client

password is encoded using the same algorithm and used as the

password. The authorization server MUST support the HTTP Basic

authentication scheme for authenticating clients that were issued a

client password.

拥有客户密码的客户可以使用[RFC2617]中定义的HTTP Basic认证方案来与授权服务器进行认证。客户端标识符使用附录B中的 "application/x www-form-urlencoded "编码算法进行编码，并将编码值用作用户名；客户端密码使用相同的算法进行编码并用作密码。 授权服务器必须支持HTTP Basic认证方案，以验证被发出客户密码的客户。

For example (with extra line breaks for display purposes only):

例如（为显示目的，有额外的换行）。

Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

Alternatively, the authorization server MAY support including the

client credentials in the request-body using the following

parameters:

另外，授权服务器可能支持使用以下参数将客户凭证包括在请求正文中。

client_id

REQUIRED. The client identifier issued to the client during

the registration process described by Section 2.2.

必需的。 在第2.2节所述的注册过程中向客户发出的客户标识符。

client_secret

REQUIRED. The client secret. The client MAY omit the

parameter if the client secret is an empty string.

必需的。 客户端密码。 如果客户密码是一个空字符串，客户可以省略该参数。

Including the client credentials in the request-body using the two

parameters is NOT RECOMMENDED and SHOULD be limited to clients unable

to directly utilize the HTTP Basic authentication scheme (or other

password-based HTTP authentication schemes). The parameters can only

be transmitted in the request-body and MUST NOT be included in the

request URI.

使用这两个参数在请求正文中包含客户证书是不推荐的，应该仅限于不能直接使用HTTP基本认证方案（或其他基于密码的HTTP认证方案）的客户。 这些参数只能在请求正文中传输，而不能包含在请求URI中。

For example, a request to refresh an access token (Section 6) using

the body parameters (with extra line breaks for display purposes

only):

例如，一个刷新访问令牌的请求（第6节），使用正文参数（为显示目的有额外的换行）。

POST /token HTTP/1.1

Host: server.example.com

Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

&client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw

The authorization server MUST require the use of TLS as described in

Section 1.6 when sending requests using password authentication.

当使用密码认证发送请求时，授权服务器必须要求使用第1.6节中描述的TLS。

Since this client authentication method involves a password, the

authorization server MUST protect any endpoint utilizing it against

brute force attacks.

由于这种客户认证方法涉及密码，授权服务器必须保护任何使用这种方法的端点免受暴力攻击。

2.3.2. Other Authentication Methods

其他认证方法

The authorization server MAY support any suitable HTTP authentication

scheme matching its security requirements. When using other

authentication methods, the authorization server MUST define a

mapping between the client identifier (registration record) and

authentication scheme.

授权服务器可以支持任何符合其安全要求的HTTP认证方案。 当使用其他认证方法时，授权服务器必须定义客户端标识（注册记录）和认证方案之间的映射。

2.4. Unregistered Clients

未注册的客户

This specification does not exclude the use of unregistered clients.

However, the use of such clients is beyond the scope of this

specification and requires additional security analysis and review of

its interoperability impact.

本规范不排除使用未注册的客户端。然而，这种客户端的使用超出了本规范的范围，需要额外的安全分析和对其互操作性影响的审查。