A web application that wants to gain access to shared resources should redirect the user to a page of the authorization server. When doing so, it informs the authorization server about the access rights it is requesting. This information, called the scope, is a list of identifiers separated by space characters; the identifiers are defined by the resource server and are often URLs in order to avoid naming conflicts.

The authorization server then asks the user, in their role as resource owner, to authenticate (e.g. by providing a username and password). The user can then either grant or reject the client's request. The authorization server redirects the user back to the client and passes the user's decision to the client in a URL parameter. If the user granted the request, the query string contains a code which the client can exchange for a security token. When doing so, the client authenticates itself to the authorization server; usually this is also done with a username and password.
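The redirect-and-exchange described above, as an added example that is not part of the original page: the client builds the authorization request with a space-separated scope string, the authorization server redirects back with a single-use code (or an error if the user declines), and the client exchanges the code for a token while presenting its own credentials. The endpoints, client registration and scope URLs are constructed for the example, the authorization server is simulated in-process, and a `state` parameter is added so the client can tie the callback to the request it actually sent.

```python
import secrets
import urllib.parse
from dataclasses import dataclass, field

# Constructed values for the example: a hypothetical authorization server and one registered client.
AUTHORIZE_ENDPOINT = "https://auth.example.test/authorize"
CLIENT_ID = "photo-printer"
CLIENT_SECRET = "client-secret-for-example-only"
REDIRECT_URI = "https://printer.example.test/callback"


def build_authorization_url(scopes, state):
    """Client side: the redirect to the authorization server.
    The scope is one parameter whose value is the identifiers joined by spaces."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,  # random per request; the client checks it on the way back
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


@dataclass
class AuthorizationServer:
    """Simulated authorization server (constructed for the example)."""
    clients: dict                                   # client_id -> (secret, registered redirect_uri)
    codes: dict = field(default_factory=dict)       # code -> (client_id, redirect_uri, scopes, user)
    tokens: dict = field(default_factory=dict)      # access_token -> data the token stands for

    def handle_authorize(self, url, user, granted):
        """Authenticate the user (assumed done), then redirect back with the decision."""
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        client_id = query["client_id"][0]
        redirect_uri = query["redirect_uri"][0]
        state = query["state"][0]
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the client's registration")
        if not granted:
            return redirect_uri + "?" + urllib.parse.urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        scopes = query["scope"][0].split(" ")
        self.codes[code] = (client_id, redirect_uri, scopes, user)
        return redirect_uri + "?" + urllib.parse.urlencode({"code": code, "state": state})

    def handle_token(self, client_id, client_secret, code, redirect_uri):
        """Exchange the code for a token; the client must authenticate first."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid authorization code")
        token = secrets.token_urlsafe(32)   # opaque token; the server keeps what it refers to
        self.tokens[token] = {"sub": entry[3], "scope": entry[2]}
        return {"access_token": token, "token_type": "Bearer", "scope": " ".join(entry[2])}


def client_handle_callback(callback_url, expected_state):
    """Client side: read the user's decision out of the query string."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this callback does not belong to our request")
    if "error" in query:
        return None  # the user rejected the request
    return query["code"][0]


def run_flow(granted=True):
    """Drive the whole exchange; returns the token response, or None if the user declined."""
    server = AuthorizationServer(clients={CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)})
    scopes = ["https://photos.example.test/scopes/read", "https://photos.example.test/scopes/print"]
    state = secrets.token_urlsafe(16)
    auth_url = build_authorization_url(scopes, state)
    callback = server.handle_authorize(auth_url, user="alice", granted=granted)
    code = client_handle_callback(callback, state)
    if code is None:
        return None
    return server.handle_token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)


if __name__ == "__main__":
    print(run_flow())
```

The two checks that matter for a defender are both on the authorization server: the redirect URI must equal the one registered for the client, so the code is never sent to an arbitrary page, and the code is removed from the store when redeemed, so a code that leaks in a log or referrer cannot be exchanged a second time.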

The token received this way can then be used by the client to access the desired resources via the resource server. On receiving the token, the resource server must verify that it is still valid and that it was indeed issued by the expected authorization server. Validity can be checked against the expiry date contained in the token; the origin can be checked by verifying other evidence embedded in the token, for example a digital signature or an HMAC. If such cryptographic operations are to be avoided, the resource server can instead contact the authorization server to confirm that the token is valid.

The token may carry information about the user which the resource server can use to check access rights. Alternatively, the token may simply be a key which the resource server exchanges for user-related data by contacting the authorization server.
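Both ways of checking a token from the two paragraphs above, as an added example that is not part of the original page. `issue_token` and `verify_token` cover the self-contained variant: the claims are serialized and protected by an HMAC, and the resource server checks the HMAC before it reads anything out of the token, then the expiry, then uses the embedded user data for its access decision. `IntrospectionEndpoint` covers the other variant: the token is an opaque key and the resource server asks the authorization server whether it is active. The shared key, issuer name, scope URLs and claim layout are all constructed for the example; the format is a simplified stand-in, not any particular token standard.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for the example: a key shared by the authorization and resource servers.
SHARED_KEY = b"shared-hmac-key-for-example-only"
ISSUER = "https://auth.example.test"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Authorization server side: serialize the claims and append an HMAC over them."""
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(tag)


def verify_token(token: str, now: float, key: bytes = SHARED_KEY) -> dict:
    """Resource server side: prove the origin (HMAC) before trusting any field,
    then check issuer and expiry. Returns the claims; raises ValueError otherwise."""
    try:
        body, tag = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Constant-time compare, so a wrong tag is not distinguishable by timing.
    if not hmac.compare_digest(expected, _b64url_decode(tag)):
        raise ValueError("HMAC check failed: token was not issued by the authorization server")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def authorize_request(token: str, required_scope: str, now: float) -> str:
    """Resource server: turn the embedded user data into an access decision.
    Returns the user id the request acts for; raises PermissionError if the scope is missing."""
    claims = verify_token(token, now)
    if required_scope not in claims.get("scope", "").split(" "):
        raise PermissionError("token lacks scope " + required_scope)
    return claims["sub"]


class IntrospectionEndpoint:
    """The non-cryptographic alternative: the token is an opaque key, and the
    resource server asks the authorization server what it stands for."""

    def __init__(self):
        self._store = {}

    def issue(self, claims: dict) -> str:
        token = secrets.token_urlsafe(32)
        self._store[token] = claims
        return token

    def introspect(self, token: str, now: float) -> dict:
        claims = self._store.get(token)
        if claims is None or now >= claims["exp"]:
            return {"active": False}   # unknown, revoked or expired: say nothing more
        return {"active": True, **claims}


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"iss": ISSUER, "sub": "alice", "exp": now + 300,
              "scope": "https://photos.example.test/scopes/read"}
    print(authorize_request(issue_token(claims), "https://photos.example.test/scopes/read", now))
```

The order inside `verify_token` is deliberate: the HMAC is checked over the raw encoded body before the body is parsed, so no claim (issuer, expiry, user, scope) influences a decision until it is known to come from the authorization server. The introspection endpoint returns only `{"active": False}` for anything it does not recognise, so callers learn nothing about tokens they do not hold.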
