OAuth 2.0 Threat Model and Security Considerations (rfc6819)
Authorization server
The following data elements are stored or accessible on the authorization server:
- usernames and passwords
- client ids and secrets
- client-specific refresh tokens
- client-specific access tokens
- HTTPS certificate/key
- per-authorization process: "redirect_uri", "client_id", authorization "code"
Resource server
The following data elements are stored or accessible on the resource server:
- user data (out of scope)
- HTTPS certificate/key
- either authorization server credentials or authorization server shared secret/public key
- access tokens (per request)
It is assumed that a resource server has no knowledge of refresh tokens, user passwords, or client secrets.
Client
The following data elements are stored or accessible on the client:
- client id (and client secret or corresponding client credential)
one or more refresh tokens (persistent) and access tokens
(transient) per end user or other security-context or delegation
context- trusted certification authority (CA) certificates (HTTPS)
- per-authorization process: "redirect_uri", authorization "code"
bearer token
A ’bearer token’ is a token that can be used by any client who has received the token (e.g., [RFC6750]). Because mere possession is enough to use the token, it is important that communication between endpoints be secured to ensure that only authorized endpoints may capture the token. The bearer token is convenient for client applications, as it does not require them to do anything to use them (such as a proof of identity). Bearer tokens have similar characteristics to web single-sign-on (SSO)
cookies used in browsers.
proof token
A ’proof token’ is a token that can only be used by a specific client. Each use of the token requires the client to perform some action that proves that it is the authorized user of the token. Examples of this are MAC-type access tokens, which require the client to digitally sign the resource request with a secret corresponding to the particular token sent with the request.
OAuth 2.0 Threat Model and Security Considerations (rfc6819)的更多相关文章
- The OAuth 2.0 Authorization Framework-摘自https://tools.ietf.org/html/rfc6749
Internet Engineering T ...
- OAuth 2.0 Authorization Framework RFC
Internet Engineering Task Force (IETF) D. Hardt, Ed.Request for Comments: 6749 MicrosoftObsoletes: 5 ...
- The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization Framework Abstract The OAuth 2.0 authorization framework enables a thi ...
- OAuth 2.0 授权码请求
关于OAuth 2.0,请参见下面这两篇文章(墙裂推荐): <OAuth 2.0> <Spring Security OAuth 2.0> 纸上得来终觉浅,绝知此事要躬行.理论 ...
- Spring Security OAuth 2.0
续·前一篇<OAuth 2.0> OAuth 2.0 Provider 实现 在OAuth 2.0中,provider角色事实上是把授权服务和资源服务分开,有时候它们也可能在同一个应用中, ...
- Spring Security OAuth 2.0 发放令牌接口地址自定义
OAuth 2.0 如何获取令牌 以密码模式为例,获取 Token curl --location --request POST 'http://oauth-server/oauth/token' \ ...
- OAuth 2.0 认证的原理与实践
摘要: 使用 OAuth 2.0 认证的的好处是显然易见的.你只需要用同一个账号密码,就能在各个网站进行访问,而免去了在每个网站都进行注册的繁琐过程. 本文将介绍 OAuth 2.0 的原理,并基于 ...
- 使用 spring-security-oauth2 体验 OAuth 2.0 的四种授权模式
目录 背景 相关代码 授权码模式 第一步 访问GET /oauth/authorize 第二步 访问POST /oauth/authorize 第三步 访问POST /oauth/token 简化模式 ...
- ASP.NET WebApi OWIN 实现 OAuth 2.0
OAuth(开放授权)是一个开放标准,允许用户让第三方应用访问该用户在某一网站上存储的私密的资源(如照片,视频,联系人列表),而无需将用户名和密码提供给第三方应用. OAuth 允许用户提供一个令牌, ...
随机推荐
- SQL归档
/* 作用:归档3个月前的短信发送记录 创建人:zhuxiang 日期:2012-10-30 */ ALTER Proc [dbo].[Sms_Job_History_Send] As Begin D ...
- W5200移植W5500驱动教程
说明,移植例程为我按照这个教程移植的例程,测试通过.工程模板为我经常使用的一个w5500模板,可以在里面直接添加文件编程.1. 将driver文件夹中W5500文件夹和所有.c文件复制到工程/sour ...
- linux svn hooks代码自动更新至项目
由于开发移动端web,ui需要及时看到样式变化,所以通过svn hooks(钩子)来提交文件,然后再把文件同步到测试服务器项目目录,步骤如下: 1.进入 /home/svn/cmall/hooks ( ...
- 汇编初入门debug实操
修改cs:ip的值 jmp 段地址:偏移地址 //在汇编指令中用,不是在debug上用的 如 jmp 2AE3:3 //执行后CS=2AE3H ip=0003H 若只修改IP内容 jmp 某一个合法的 ...
- php类型的相关函数,运算符,条件判断,循环
类型的相关函数 函数的原型 :函数返回值类型 函数名(参数1类型 参数1,参数2类型 参数2--) 1, 任何一个函数,都要考虑它是否有返回值以及该返回值的类型,如果该函数没有返回值,就用void来 ...
- webstorm编辑RN代码提示功能
需要下载一个文件. 1. 进入你想存储这个文件的目录,按住shift+鼠标右键,选择“在此处打开命令窗口” 2. 在命令窗口中输入 git clone https://github.com/virt ...
- VS 设置编译后的程序可以以管理员身份运行
1.首先,创建一个文件命名为 XXX.exe.manifest, 并将以下内容复制到文件 <?xml version="1.0" encoding="UTF-8&q ...
- 跨域访问CORS
由于现代浏览器的同源策略,合理的跨域请求也变得至关重要. CORS(Cross-Origin Resource Sharing,跨域资源共享)定义了在必须访问跨域资源时,浏览器与服务器应该如何沟通.它 ...
- js对象常用2中构造方法
//js 对象的构造方法通常有2中情况: //第一种是通过json对象构造 var persion={ name:"孙悟空", age:40, eat:function () { ...
- Python字符串的encode与decode研究心得乱码问题解决方法
为什么Python使用过程中会出现各式各样的乱码问题,明明是中文字符却显示成“\xe4\xb8\xad\xe6\x96\x87”的形式? 为什么会报错“UnicodeEncodeError: 'asc ...