A web application (the client, in OAuth terms) that wants to access a user's resources held by a resource server does not ask the user for the user's password. Instead it redirects the user's browser to a page of the authorization server and, in that request, states which access rights it is asking for. This information, called the scope, is a list of identifiers separated by space characters. The identifiers are defined by the resource server (or by the authorization server on its behalf) and are often chosen as URLs so that scopes of different resource servers cannot collide.

The authorization server then asks the user, in the role of resource owner, to authenticate (for example with username and password) and afterwards to grant or reject the client's request. It redirects the user back to the client's registered redirect URI and passes the user's decision in the URL query string. If the user refused, the query string carries an error; if the user granted the request, it carries a short-lived, single-use authorization code, which the client exchanges for an access token by a direct (back-channel) HTTPS request to the authorization server's token endpoint. In that exchange the client authenticates itself to the authorization server with its own credentials, the client ID and client secret it received at registration, usually sent as HTTP Basic authentication; it does not, and cannot, present the user's username and password, which it never sees. Two details matter in practice: the client should send an unguessable state value with the initial redirect and reject any callback whose state does not match, so that an attacker cannot inject a code of their own into the user's session; and the authorization server should only ever redirect to a redirect URI that was registered for that client, and should refuse a code that is presented twice, by another client, or with a different redirect URI than the one used to obtain it.
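The exchange described above, simulated in-process as an added example (this is not code from the article): the client builds the authorization request with a space-separated scope and a random state, a small constructed authorization server authenticates the user and redirects back with a single-use code bound to the client and its registered redirect URI, and the client redeems that code with HTTP Basic client authentication. Every URL, client ID, client secret and user credential below is a constructed fixture, not a value from the page.

```python
"""Simulated OAuth 2.0 authorization code flow (added example, not the article's code)."""
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed fixtures: hypothetical names, not taken from the article.
AUTHZ_ENDPOINT = "https://auth.example/authorize"
REDIRECT_URI = "https://client.example/callback"
CLIENT_ID = "photo-print-app"
CLIENT_SECRET = "constructed-client-secret"
USERS = {"alice": "constructed-user-password"}   # resource owners known to the AS
CODE_LIFETIME = 60                                # seconds: codes are short-lived


class AuthorizationServer:
    """Minimal in-memory authorization server: authorization endpoint + token endpoint."""

    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}  # secret, registered redirect
        self.codes = {}    # code -> grant details
        self.tokens = {}   # opaque access token -> what it grants

    def authorize(self, url, username, password, consent):
        """Authenticate the resource owner, record consent, redirect to the registered URI."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        known = self.clients.get(q.get("client_id"))
        if known is None or known[1] != q.get("redirect_uri"):
            raise ValueError("unknown client or unregistered redirect_uri")  # never redirect
        if not secrets.compare_digest(USERS.get(username, ""), password):
            raise PermissionError("resource owner authentication failed")
        params = {"state": q["state"]}   # echoed so the client can tie the answer to its request
        if not consent:
            params["error"] = "access_denied"
        else:
            code = secrets.token_urlsafe(32)
            self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                                "sub": username, "scope": q.get("scope", ""),
                                "expires": time.time() + CODE_LIFETIME}
            params["code"] = code
        return q["redirect_uri"] + "?" + urlencode(params)

    def token(self, authorization_header, form):
        """Token endpoint: the client (not the user) authenticates with client_id:client_secret."""
        scheme, _, cred = authorization_header.partition(" ")
        if scheme != "Basic":
            return {"error": "invalid_client"}
        client_id, _, secret = base64.b64decode(cred).decode().partition(":")
        known = self.clients.get(client_id)
        if known is None or not secrets.compare_digest(known[0], secret):
            return {"error": "invalid_client"}
        grant = self.codes.pop(form.get("code"), None)        # pop: a code is redeemable once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != form.get("redirect_uri")
                or grant["expires"] < time.time()):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": grant["sub"], "scope": grant["scope"], "client_id": client_id}
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600,
                "scope": grant["scope"]}


def build_authorization_url(scope_list, state):
    """Step 1: send the user agent to the AS; scope is space-separated, then URL-encoded."""
    return AUTHZ_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scope_list), "state": state})


def handle_callback(callback_url, expected_state):
    """Step 2 (client side): verify state before trusting anything else in the query string."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        return {"error": "state_mismatch"}     # CSRF / injected code: discard the response
    return q


def redeem_code(server, code):
    """Step 3: back-channel code-for-token exchange with HTTP Basic client authentication."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    return server.token("Basic " + basic, {"grant_type": "authorization_code",
                                           "code": code, "redirect_uri": REDIRECT_URI})


def run_flow(server, consent=True, forge_state=False):
    """Drive the whole exchange; returns the token response or an error dict."""
    state = secrets.token_urlsafe(16)          # unguessable, tied to the user's session
    url = build_authorization_url(["https://photos.example/scopes/read",
                                   "https://photos.example/scopes/list"], state)
    callback = server.authorize(url, "alice", USERS["alice"], consent)
    if forge_state:                            # simulate a callback the client never requested
        callback = callback.replace("state=" + state, "state=attacker-chosen")
    resp = handle_callback(callback, state)
    if "error" in resp:
        return resp
    return redeem_code(server, resp["code"])
```

Calling `run_flow(AuthorizationServer())` returns a bearer token whose entry in `server.tokens` records the user and the granted scope; a denied consent comes back as `access_denied`, a callback with the wrong state is dropped before the code is ever redeemed, and redeeming the same code twice yields `invalid_grant` because the token endpoint pops it on first use.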

The client then presents the token to the resource server to reach the desired resources. On receiving it, the resource server must verify that the token is still valid and that it really was issued by the expected authorization server. Validity follows from the expiry time embedded in the token; origin follows from cryptographic evidence embedded alongside it, either a digital signature, which the resource server checks with the authorization server's public key, or an HMAC, which requires a secret key shared between the two servers. The resource server should also check that the token was issued for it (its audience), otherwise a token meant for a different resource server could be replayed against it. If the resource server is to avoid this cryptographic processing altogether, it can instead contact the authorization server and ask whether the token is valid and what it grants (token introspection).

The token may itself carry information about the user (a self-contained token), which the resource server reads to decide what the request may do. Alternatively, the token may simply be an opaque key (a reference token) that carries no information on its own and that the resource server exchanges for the user-related data by contacting the authorization server.
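Both validation styles from the two paragraphs above, as an added example that is not part of the original article: a self-contained, HMAC-SHA256-signed token in the compact header.claims.tag form, which the resource server verifies locally (signature first, then issuer, audience and expiry), beside a reference token whose meaning the resource server has to ask the authorization server for, in the shape of a token introspection response. The issuer URL, audience URL and shared key are constructed values, and the introspection endpoint is simulated in-process.

```python
"""Resource-server token validation: self-contained (HMAC) vs reference token
(added example, not the article's code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values; the URLs and the key are hypothetical.
ISSUER = "https://auth.example"                    # the authorization server we trust
AUDIENCE = "https://photos.example/api"            # this resource server's identifier
SIGNING_KEY = b"constructed-32-byte-shared-key!!"  # AS<->RS shared secret for HMAC-SHA256


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_self_contained_token(claims, key=SIGNING_KEY):
    """AS side: <header>.<claims>.<tag>, tag = HMAC-SHA256 over 'header.claims'."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(tag)}"


def verify_self_contained_token(token, key=SIGNING_KEY, now=None):
    """RS side, no call-out: signature first, then issuer, audience, expiry.
    Raises ValueError with the reason; returns the claims when everything checks out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, tag = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # the token must not choose the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(tag)):
        raise ValueError("bad signature: not issued with our key")
    claims = json.loads(_b64url_decode(body))       # trust the claims only after the MAC check
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token was issued for a different resource server")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or has no exp")
    return claims


def rejection_reason(token, now=None):
    """None if the token is acceptable, otherwise the reason it was refused."""
    try:
        verify_self_contained_token(token, now=now)
    except ValueError as err:
        return str(err)
    return None


class ReferenceTokenServer:
    """Alternative: the token is an opaque key and the RS asks the AS what it stands for
    (the shape of a token introspection endpoint, simulated in-process)."""

    def __init__(self):
        self._store = {}    # opaque token -> claims kept server-side

    def issue(self, claims):
        token = secrets.token_urlsafe(32)   # carries no information by itself
        self._store[token] = claims
        return token

    def introspect(self, token, now=None):
        now = time.time() if now is None else now
        claims = self._store.get(token)
        if claims is None or claims.get("exp", 0) <= now:
            return {"active": False}        # the RS must treat anything but active:true as invalid
        return {"active": True, **claims}


def has_scope(claims, required):
    """Scope is a space-separated list: test list membership, never substring match."""
    return required in claims.get("scope", "").split()
```

The order of checks in `verify_self_contained_token` is deliberate: the MAC is verified before any claim is read, so a forged body is rejected without the resource server acting on its contents, and the `alg` header is pinned so that a token cannot downgrade the check. With the reference token there is nothing to verify locally; the answer to `introspect` is the only evidence, so an `active: False` reply has to be treated exactly like a bad signature.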
