Authorization server

The following data elements are stored or accessible on the authorization server:

  • usernames and passwords
  • client ids and secrets
  • client-specific refresh tokens
  • client-specific access tokens
  • HTTPS certificate/key
  • per-authorization process: "redirect_uri", "client_id", authorization "code"

Resource server

The following data elements are stored or accessible on the resource server:

  • user data (out of scope)
  • HTTPS certificate/key
  • either authorization server credentials or authorization server shared secret/public key
  • access tokens (per request)

It is assumed that a resource server has no knowledge of refresh tokens, user passwords, or client secrets.

Client

The following data elements are stored or accessible on the client:

  • client id (and client secret or corresponding client credential)

  • one or more refresh tokens (persistent) and access tokens
    (transient) per end user or other security-context or delegation
    context

  • trusted certification authority (CA) certificates (HTTPS)
  • per-authorization process: "redirect_uri", authorization "code"

bearer token

A ’bearer token’ is a token that can be used by any client who has received the token (e.g., [RFC6750]). Because mere possession is enough to use the token, it is important that communication between endpoints be secured to ensure that only authorized endpoints may capture the token. The bearer token is convenient for client applications, as it does not require them to do anything to use them (such as a proof of identity). Bearer tokens have similar characteristics to web single-sign-on (SSO)
cookies used in browsers.

proof token

A ’proof token’ is a token that can only be used by a specific client. Each use of the token requires the client to perform some action that proves that it is the authorized user of the token. Examples of this are MAC-type access tokens, which require the client to digitally sign the resource request with a secret corresponding to the particular token sent with the request.

OAuth 2.0 Threat Model and Security Considerations (rfc6819)的更多相关文章

  1. The OAuth 2.0 Authorization Framework-摘自https://tools.ietf.org/html/rfc6749

                                                                                  Internet Engineering T ...

  2. OAuth 2.0 Authorization Framework RFC

    Internet Engineering Task Force (IETF) D. Hardt, Ed.Request for Comments: 6749 MicrosoftObsoletes: 5 ...

  3. The OAuth 2.0 Authorization Framework

      The OAuth 2.0 Authorization Framework Abstract The OAuth 2.0 authorization framework enables a thi ...

  4. OAuth 2.0 授权码请求

    关于OAuth 2.0,请参见下面这两篇文章(墙裂推荐): <OAuth 2.0> <Spring Security OAuth 2.0> 纸上得来终觉浅,绝知此事要躬行.理论 ...

  5. Spring Security OAuth 2.0

    续·前一篇<OAuth 2.0> OAuth 2.0 Provider 实现 在OAuth 2.0中,provider角色事实上是把授权服务和资源服务分开,有时候它们也可能在同一个应用中, ...

  6. Spring Security OAuth 2.0 发放令牌接口地址自定义

    OAuth 2.0 如何获取令牌 以密码模式为例,获取 Token curl --location --request POST 'http://oauth-server/oauth/token' \ ...

  7. OAuth 2.0 认证的原理与实践

    摘要: 使用 OAuth 2.0 认证的的好处是显然易见的.你只需要用同一个账号密码,就能在各个网站进行访问,而免去了在每个网站都进行注册的繁琐过程. 本文将介绍 OAuth 2.0 的原理,并基于 ...

  8. 使用 spring-security-oauth2 体验 OAuth 2.0 的四种授权模式

    目录 背景 相关代码 授权码模式 第一步 访问GET /oauth/authorize 第二步 访问POST /oauth/authorize 第三步 访问POST /oauth/token 简化模式 ...

  9. ASP.NET WebApi OWIN 实现 OAuth 2.0

    OAuth(开放授权)是一个开放标准,允许用户让第三方应用访问该用户在某一网站上存储的私密的资源(如照片,视频,联系人列表),而无需将用户名和密码提供给第三方应用. OAuth 允许用户提供一个令牌, ...

随机推荐

  1. javascript属性标签

  2. chadang saidui

    http://www.freehacktools.com/   wen http://www.hackyshacky.com/2013/02/Must-have-hacking-tools.html  ...

  3. Javascirpt中创建对象的几种方式

    js是一种动态语言,即js的对象创建好之后可以随意修改,因此JS对象的面向对象编程部分更可以说是通过JS的怪异特性来模拟Java这类的面向对象编程的.下面首先讨论几种创建对象的方式: 1. 工厂模式创 ...

  4. Metro Win8风格的按钮(Filp翻转)

    原地址->http://www.cnblogs.com/yk250/p/5661093.html 介绍:简约而不简单....颜色可随意调制,最好用Blend工具. 效果图如下:话说这个图会不会太 ...

  5. 九、数据库——sql server 2008导入excel

    昨天分配给我一个活,让我手动录入新闻网页的数据,包括每条新闻的标题.时间和链接. 一开始,就是按照最原始的手动录入的方法,一条条的录入.发现这简直就是在浪费时间,于是就想了一种新方法. 1.将网页中的 ...

  6. Node Server管理

    停止服务 Ctrl+Z暂停 Ctrl+C: kill it 先找到process ID (second from the left), 再kill it:$ ps axu | grep node$ k ...

  7. Object-C 中各数据类型转换 NSData转NSString,Byte,UIImage

    1,NSData 与 NSString NSData --> NSString NSString *aString = [[NSString alloc] initWithData:adata ...

  8. 关于ckeditor ajax提交到后台 问题

    ckeditor 提交时 如果有带有html时是提交不了的 解决办法就是 你在提交的时候 将ckeditor获取的只编码(encodeURI) 然后在传到后台提交的时候 在解码 就ok了 ckname ...

  9. nodejs在同一台服务器上部署并同时运行两个或以上服务端时,一个服务用户登录后会挤掉另一个用户的问题

    问题描述:一台服务器,部署了两个或以上不同的Web服务,服务A的用户在登陆后,服务B的用户也登陆,此时服务A的用户在点击页面时,会返回登陆页面. 问题根源:浏览器保存的session相同,即cooki ...

  10. Linux下apache+phppgadmin安装配置

    1.安装pg 安装PostgreSQL数据库 修改pg_hba.conf配置文件,使得数据库可以通过外部访问. 具体可以配置为: # TYPE DATABASE USER ADDRESS METHOD ...