Principal: A user who gains access to the application is called a principal. It does not have to be a real user; it can be an external system such as a backend or frontend application, or a mobile application.
Authentication: checking the credentials a principal provides. If the credentials are valid, the appropriate roles are assigned to the principal.
Authorization: deciding whether a principal may perform a given action.
Principals taking part in OAuth authentication can be assigned different roles:
Anonymous: A non-authenticated principal is assigned the built-in ANONYMOUS role by default.
Clients: Every client application authenticated with an OAuth2 token in the client credentials flow is assigned a specific role depending on the client definition: ROLE_CLIENT or ROLE_TRUSTED_CLIENT, which allows the client to use the ycommercewebservices extension.
Customers: Users authenticated with an OAuth2 token in the password flow are assigned the list of roles received from the service layer, in the same way as in the rest of the application.
By default, CUSTOMERGROUP and CUSTOMERMANAGERGROUP roles are used.
Guests: Anonymous users who provided their own e-mail address. This is done by calling /customers/current/guestlogin in v1 or /users/anonymous/carts/{guid}/email in v2.
Such users are assigned the built-in GUEST role.
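The role model above, written out as an added, self-contained example (it is not Hybris or ycommercewebservices code): an authentication context is mapped to the roles the page lists, and an authorization check then grants access only when the principal holds one of the roles an endpoint allows. The AuthContext fields, the fallback to the default customer groups when the service layer returns none, and the guest principal holding only GUEST are assumptions of this model, not statements from the page.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Role names as given in the text; grant-type strings are the standard OAuth2 values.
DEFAULT_CUSTOMER_GROUPS = frozenset({"CUSTOMERGROUP", "CUSTOMERMANAGERGROUP"})
# Constructed policy: the page only states that both client roles may use the extension.
EXTENSION_ROLES = frozenset({"ROLE_CLIENT", "ROLE_TRUSTED_CLIENT"})


@dataclass(frozen=True)
class AuthContext:
    """What the web layer knows about one request (constructed model, not a Hybris type)."""
    grant_type: Optional[str] = None              # None: no valid token was presented
    trusted_client: bool = False                  # taken from the client definition
    service_layer_groups: FrozenSet[str] = frozenset()  # groups returned for a password-flow user
    guest_email: Optional[str] = None             # e-mail supplied via a guest-login endpoint


def resolve_roles(ctx: AuthContext) -> FrozenSet[str]:
    """Map an authentication context to the roles the principal holds."""
    if ctx.grant_type == "client_credentials":
        # The client definition decides which of the two client roles applies.
        return frozenset({"ROLE_TRUSTED_CLIENT" if ctx.trusted_client else "ROLE_CLIENT"})
    if ctx.grant_type == "password":
        # Roles come from the service layer; assumption: fall back to the defaults if it returns none.
        return ctx.service_layer_groups or DEFAULT_CUSTOMER_GROUPS
    # Anything else (no token, or an unrecognised grant type) is treated as non-authenticated.
    if ctx.guest_email:
        # Assumption: GUEST replaces ANONYMOUS once an e-mail has been provided.
        return frozenset({"GUEST"})
    return frozenset({"ANONYMOUS"})


def authorize(ctx: AuthContext, allowed_roles: FrozenSet[str]) -> bool:
    """Deny by default: grant only if the principal holds at least one allowed role."""
    return bool(resolve_roles(ctx) & allowed_roles)
```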