且构网


OAuth2 refresh token: how to store it on the client

Updated: 2021-09-01 22:07:13

Yes, you are right. If you cannot authenticate with the Authorisation server (i.e. pass client ID and secret), then you will only get a short-lived access token.

As Angular code is on the client, it would be insecure for it to hold your client secret. Therefore you cannot pass your client secret to the Auth server, so you cannot authenticate.

Also your server code would not just store a token, it would be expected to host an endpoint which would accept an auth code and then call the Auth server with that code (and your client credentials) to get a token and refresh token.

The auth code would be supplied to your server endpoint via a call from the auth server, via an HTTP redirect, following successful user login and the user granting access to your app.
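The server-side endpoint the answer describes, as an added example that is not part of the original answer: it receives the redirect carrying the auth code, exchanges the code (plus the client credentials) at the token endpoint, keeps the refresh token on the server and returns only the short-lived access token to the browser. The endpoint URLs, client id, client secret and the injected `postForm` helper are assumptions for illustration.

```javascript
// Added example, not from the original answer: a minimal server-side
// callback handler for the OAuth2 authorization-code flow. The browser app
// never sees the client secret or the refresh token; only the server does.
// Endpoint URLs, client id and secret are constructed placeholders.
const CONFIG = {
  tokenEndpoint: 'https://auth.example.test/oauth/token', // placeholder
  clientId: 'example-client-id', // placeholder
  clientSecret: 'example-client-secret', // placeholder, lives only on the server
  redirectUri: 'https://app.example.test/auth/callback', // placeholder
};
// Server-side store for refresh tokens, keyed by session id (in-memory here).
const refreshTokenStore = new Map();

// Build the request the server sends to the auth server's token endpoint.
// The client secret goes in here, which is why this step cannot run in Angular.
function buildTokenRequest(code, config = CONFIG) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: config.redirectUri,
    client_id: config.clientId,
    client_secret: config.clientSecret,
  });
  return {
    url: config.tokenEndpoint,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Handle the redirect back from the auth server: check the single-use state
// the server issued when it started the login, exchange the code, keep the
// refresh token server-side and hand the browser only the short-lived access
// token. `postForm` performs the HTTP POST; it is injected (and synchronous
// here) so the example runs offline.
function handleCallback({ code, state }, session, postForm) {
  if (!code || !state || state !== session.expectedState) {
    return { status: 400, body: { error: 'invalid_state' } };
  }
  delete session.expectedState; // a state value must not be accepted twice
  const tokens = postForm(buildTokenRequest(code));
  if (!tokens || !tokens.access_token) {
    return { status: 502, body: { error: 'token_exchange_failed' } };
  }
  if (tokens.refresh_token) refreshTokenStore.set(session.id, tokens.refresh_token);
  const { access_token, expires_in } = tokens;
  return { status: 200, body: { access_token, expires_in } }; // no refresh token to the client
}
```

In a real deployment `postForm` would be an HTTPS call to the token endpoint and `refreshTokenStore` a server-side session store; the access token can then be refreshed server-side without the browser ever holding the refresh token.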