A web application which wants to gain access to shared resources should redirect the user to a page of the authorization server. When doing so, it informs the authorization server about the access rights it is requesting. This information, which is called Scope, is actually a list of identifiers separated by space characters which are often available as URLs in order to avoid naming conflicts and are given by the resource server.

Consequently, the authorization server asks the user, in his role as resource owner, for authentication (e.g. by providing the username and password). Subsequently, the user can either grant or reject the client’s request. The authorization server then redirects the user to the client and passes the user's decision to the client using a URL parameter. If the user has granted the request, the query string contains a code which the client can exchange for a security token. When doing so, the client provides authentication details to the authorization server. Mostly this is also done by giving the username and password.

The token received this way may then be used by the client to gain access to the desired resources via the resource server. Once it has received the token, the resource server must verify its validity and check if it was indeed provided by the named authorization server. Validity can be checked using the expiry date contained within the token and the latter may be done by verifying other evidence which is also embedded in the token. Such evidence may, for example, be a digital signature or an HMAC. If such cryptographic proceedings are to be avoided, there is also the possibility of the resource server contacting the authorization server to confirm the validity of the token.

The token may contain information about the user which might be used by the resource server to verify rights. Alternatively, the token may simply be a key which the resource server may exchange for user-related data when contacting the authorization server.

OAuth:Access to shared resources via web applications的更多相关文章

  1. ASP.NET Web API与Owin OAuth:调用与用户相关的Web API

    在前一篇博文中,我们通过以 OAuth 的 Client Credential Grant 授权方式(只验证调用客户端,不验证登录用户)拿到的 Access Token ,成功调用了与用户无关的 We ...

  2. ASP.NET OAuth:access token的加密解密,client secret与refresh token的生成

    在 ASP.NET OWIN OAuth(Microsoft.Owin.Security.OAuth)中,access token 的默认加密方法是: 1) System.Security.Crypt ...

  3. ASP.NET Web API与Owin OAuth:调用与用户相关的Web API(非第三方登录)

    授权完成添加属性 ClaimsIdentity oAuthIdentity = await CreateAsync(user/*userManager*/, OAuthDefaults.Authent ...

  4. ASP.NET Web API与Owin OAuth:使用Access Toke调用受保护的API

    在前一篇博文中,我们使用OAuth的Client Credential Grant授权方式,在服务端通过CNBlogsAuthorizationServerProvider(Authorization ...

  5. 『翻译』Access USB Devices on the Web

    https://developers.google.com/web/updates/2016/03/access-usb-devices-on-the-web Access USB Devices o ...

  6. ASP.NET OWIN OAuth:遇到的2个refresh token问题

    之前写过2篇关于refresh token的生成与持久化的博文:1)Web API与OAuth:既生access token,何生refresh token:2)ASP.NET OWIN OAuth: ...

  7. OAuth:OAuth概述

    OAuth addresses these issues by introducing an authorization layer and separating the role of the cl ...

  8. OAuth:每次授权暗中保护你的那个“MAN”

    摘要:OAuth是一种授权协议,允许用户在不将账号口令泄露给第三方应用的前提下,使第三方应用可以获得用户在某个web服务上存放资源的访问权限. 背景 在传统模式下,用户的客户端在访问某个web服务提供 ...

  9. MYSQL问题解决方案:Access denied for user 'root'@'localhost' (using password:YES)

    这两天在MyEclipse中开发Web项目时,连接MYSQL数据库,出现问题:Access denied for user 'root'@'localhost' (using password:YES ...

随机推荐

  1. linux 环境变量设置方法总结(PATH / LD_LIBRARY_PATH)

    PATH和LD_LIBRARY_PATH本质都是变量,所谓变量的意思就是由别人赋值产生的,直觉往往会让我们添加和减少这个变量本身的某些路径,实际上这是不正确的.正确的做法是我们要去修改赋予这个变量数值 ...

  2. KnockoutJs学习笔记(十一)

    enable binding往往作用于form elements,比如input.select和textarea等.包含enable binding的DOM元素会依照enable binding参数的 ...

  3. CEF 中的那些坑

    CEF (Chromium Embedded Framework) 的大名也听说很久了,最近因为客户的需求,简单地研究了一下.结果遇到了一个接一个的坑,且慢慢道来.比之前用QtWebkit的坑还要多和 ...

  4. 如果django里的视图是类(CBV),应该如何写Url的测试用例?

    晚上回家测试了很多方式,都不行. 网上搜索找不到答案, 最后还是官方文档最抵用呢. https://docs.djangoproject.com/en/2.1/topics/testing/tools ...

  5. #JS 前端javascript规范文档

    一.规范目的 为提高团队协作效率,便于前端后期优化维护,输出高质量的文档. 二.基本准则 符合web标准,结构表现行为分离,兼容性优良.页面性能方面,代码要求简洁明了有序, 尽可能的减小服务器负载,保 ...

  6. 从 prototype.js 深入学习 javascript 的面向对象特性

    从 prototype.js 深入学习 javascript 的面向对象特性 js是一门很强大的语言,灵活,方便. 目前我接触到的语言当中,从语法角度上讲,只有 Ruby 比它更爽. 不过我接触的动态 ...

  7. 【LOJ】#2493. 「BJOI2018」染色

    题面 题解 推结论大题--然而我推不出什么结论 奇环显然是NO 如果一个联通块里有两个分离的环,也是NO 如果一个联通块里,点数为n,边数为m m <= n的时候,是YES m >= n ...

  8. 【LOJ】#2122. 「HEOI2015」小 Z 的房间

    题解 又是一道取模不给质数的毒瘤矩阵树题 不会写分数类--然后发现了网上过于神仙的题解类似与辗转相除的这样把某一个位置消成0 orz 代码 #include <bits/stdc++.h> ...

  9. zabbix 自动发现

    转自:https://blog.csdn.net/yyy72999/article/details/76065374 zabbix自动发现/zabbix自动发现规则 置顶2017年07月25日 14: ...

  10. P1736 创意吃鱼法 图的DP

    题目描述 回到家中的猫猫把三桶鱼全部转移到了她那长方形大池子中,然后开始思考:到底要以何种方法吃鱼呢(猫猫就是这么可爱,吃鱼也要想好吃法 ^_*).她发现,把大池子视为01矩阵(0表示对应位置无鱼,1 ...