Authorization server

The following data elements are stored or accessible on the authorization server:

  • usernames and passwords
  • client ids and secrets
  • client-specific refresh tokens
  • client-specific access tokens
  • HTTPS certificate/key
  • per-authorization process: "redirect_uri", "client_id", authorization "code"

Resource server

The following data elements are stored or accessible on the resource server:

  • user data (out of scope)
  • HTTPS certificate/key
  • either authorization server credentials or authorization server shared secret/public key
  • access tokens (per request)

It is assumed that a resource server has no knowledge of refresh tokens, user passwords, or client secrets.

Client

The following data elements are stored or accessible on the client:

  • client id (and client secret or corresponding client credential)
  • one or more refresh tokens (persistent) and access tokens
    (transient) per end user or other security-context or delegation
    context

  • trusted certification authority (CA) certificates (HTTPS)
  • per-authorization process: "redirect_uri", authorization "code"

bearer token

A ’bearer token’ is a token that can be used by any client who has received the token (e.g., [RFC6750]). Because mere possession is enough to use the token, it is important that communication between endpoints be secured to ensure that only authorized endpoints may capture the token. The bearer token is convenient for client applications, as it does not require them to do anything to use them (such as a proof of identity). Bearer tokens have similar characteristics to web single-sign-on (SSO)
cookies used in browsers.

proof token

A ’proof token’ is a token that can only be used by a specific client. Each use of the token requires the client to perform some action that proves that it is the authorized user of the token. Examples of this are MAC-type access tokens, which require the client to digitally sign the resource request with a secret corresponding to the particular token sent with the request.

OAuth 2.0 Threat Model and Security Considerations (rfc6819)的更多相关文章

  1. The OAuth 2.0 Authorization Framework-摘自https://tools.ietf.org/html/rfc6749

                                                                                  Internet Engineering T ...

  2. OAuth 2.0 Authorization Framework RFC

    Internet Engineering Task Force (IETF) D. Hardt, Ed.Request for Comments: 6749 MicrosoftObsoletes: 5 ...

  3. The OAuth 2.0 Authorization Framework

      The OAuth 2.0 Authorization Framework Abstract The OAuth 2.0 authorization framework enables a thi ...

  4. OAuth 2.0 授权码请求

    关于OAuth 2.0,请参见下面这两篇文章(墙裂推荐): <OAuth 2.0> <Spring Security OAuth 2.0> 纸上得来终觉浅,绝知此事要躬行.理论 ...

  5. Spring Security OAuth 2.0

    续·前一篇<OAuth 2.0> OAuth 2.0 Provider 实现 在OAuth 2.0中,provider角色事实上是把授权服务和资源服务分开,有时候它们也可能在同一个应用中, ...

  6. Spring Security OAuth 2.0 发放令牌接口地址自定义

    OAuth 2.0 如何获取令牌 以密码模式为例,获取 Token curl --location --request POST 'http://oauth-server/oauth/token' \ ...

  7. OAuth 2.0 认证的原理与实践

    摘要: 使用 OAuth 2.0 认证的的好处是显然易见的.你只需要用同一个账号密码,就能在各个网站进行访问,而免去了在每个网站都进行注册的繁琐过程. 本文将介绍 OAuth 2.0 的原理,并基于 ...

  8. 使用 spring-security-oauth2 体验 OAuth 2.0 的四种授权模式

    目录 背景 相关代码 授权码模式 第一步 访问GET /oauth/authorize 第二步 访问POST /oauth/authorize 第三步 访问POST /oauth/token 简化模式 ...

  9. ASP.NET WebApi OWIN 实现 OAuth 2.0

    OAuth(开放授权)是一个开放标准,允许用户让第三方应用访问该用户在某一网站上存储的私密的资源(如照片,视频,联系人列表),而无需将用户名和密码提供给第三方应用. OAuth 允许用户提供一个令牌, ...

随机推荐

  1. Linux下的shell编程(三)BY 四喜三顺

    正则表达式:-------------------------------------------------------------------------------------------^   ...

  2. AE开发示例之GPBufferLayer

    using System; using System.Drawing;using System.Text;using System.Windows.Forms;using System.Runtime ...

  3. 2.4 ARM寻址方式

    所谓的寻址方式就是处理器指令中给出的信息来找到指令所需要的操作数的方式 1. 立即数寻址 立即数寻址,是一种特殊的寻址方式,操作数本身就在指令中给出,只要取出指令也就取到了操作数,这个操作数被称为立即 ...

  4. xml 配置文件规范 校验

    背景:做的数据同步框架,数据同步种类通过xml配置文件添加.为了系统的稳定性,我们只能认为将来写这个运行配置xml的人是一个傻瓜,那么对xml格式校验就很重要. 通过dom4j,是可以完成对xml格式 ...

  5. jquery 上传回显图片预览

    /******************************************************************************* * 异步上传文件,兼容IE8,火狐和谷 ...

  6. ubuntu12.04 gitlab搭建

    最近在尝试内部搭建gitlab,wiki这些工具...我使用的官网的gitlab-ce包一键安装,自己搭建的ubuntu12.04 server服务器. 分配253地址,放在办公室的小角落. 配置过程 ...

  7. 关于Hibernate XXX is not mapped 错误

    我的实体类是这么配置的 @Entity(name="EntityName")  //必须,name为可选,对应数据库中一的个表 就会出现 XXX is not mapped.   ...

  8. linux pam 控制模式

    工作类别(type).流程栈(stack)和控制模式(control) Linux-PAM 工作的"类别"(type) PAM 的具体工作主要有以下四种类别(type):accou ...

  9. 【转】sql server获取数据库名,表明,表结构

    1.查询数据库中的所有数据库名: SELECT Name FROM Master..SysDatabases ORDER BY Name 2.查询某个数据库中所有的表名: SELECT Name FR ...

  10. 一张图说懂java中 private default protected public 的区别

    private:修饰完全隐藏类的成员,这样,就不能从类的外边直接访问他们,我们提供set和get方法,保证类中数据域的安全. default:指默认修饰符,什么都不加,实际上它限制的范围就是一个包内可 ...