The OAuth 2.0 Authorization Framework: Bearer Token Usage
https://tools.ietf.org/html/rfc6750
1.2. Terminology
Bearer Token
A security token with the property that any party in possession of
the token (a "bearer") can use the token in any way that any other
party in possession of it can. Using a bearer token does not
require a bearer to prove possession of cryptographic key material
(proof-of-possession).

All other terms are as defined in "The OAuth 2.0 Authorization
Framework" [RFC6749].
1.3. Overview
OAuth provides a method for clients to access a protected resource on
behalf of a resource owner. In the general case, before a client can
access a protected resource, it must first obtain an authorization
grant from the resource owner and then exchange the authorization
grant for an access token. The access token represents the grant's
scope, duration, and other attributes granted by the authorization
grant. The client accesses the protected resource by presenting the
access token to the resource server. In some cases, a client can
directly present its own credentials to an authorization server to
obtain an access token without having to first obtain an
authorization grant from a resource owner.
The access token provides an abstraction, replacing different
authorization constructs (e.g., username and password, assertion) for
a single token understood by the resource server. This abstraction
enables issuing access tokens valid for a short time period, as well
as removing the resource server's need to understand a wide range of
authentication schemes.
     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

                     Figure 1: Abstract Protocol Flow

The abstract OAuth 2.0 flow illustrated in Figure 1 describes the
interaction between the client, resource owner, authorization server,
and resource server (described in [RFC6749]). The following two
steps are specified within this document:

(E) The client requests the protected resource from the resource
    server and authenticates by presenting the access token.

(F) The resource server validates the access token, and if valid,
    serves the request.

This document also imposes semantic requirements upon the access
token returned in step (D).
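The following is an added example, not part of RFC 6750 or of any reference implementation, showing steps (E) and (F) from the resource server's side and the bearer property defined in section 1.2. The header syntax (`Authorization: Bearer <b64token>`), the example token value `mF_9.B5f-4.1JqM`, and the `WWW-Authenticate: Bearer` challenge with its `invalid_request`, `invalid_token` and `insufficient_scope` error codes come from later sections of RFC 6750 (2.1 and 3); the in-memory token store, the `IssuedToken` record, `ResourceServer`, `build_demo_server` and `demo` are assumptions made for the example. Nothing in the validation asks who is presenting the token, which is exactly why a second party that captures it (client B below) is served just like the client it was issued to.

```python
import hmac
import re
from dataclasses import dataclass, field

# Credential syntax from RFC 6750 section 2.1 ("b64token"): one or more of
# ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/", then optional "=" padding.
# The scheme name is matched case-insensitively.
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$", re.IGNORECASE)

# Token value taken from the RFC 6750 section 2.1 example; the rest of the
# record (scope, expiry, subject) is constructed for this example.
DEMO_TOKEN = "mF_9.B5f-4.1JqM"


@dataclass(frozen=True)
class IssuedToken:
    """Hypothetical record of what the authorization server issued in step (D):
    the RFC only says the token represents the grant's scope, duration and
    other attributes, so this shape is an assumption."""
    token: str
    scopes: frozenset
    expires_at: float   # seconds since epoch
    subject: str        # resource owner the grant came from


@dataclass
class ResourceServer:
    """Step (F): validate the presented bearer token and serve or refuse."""
    realm: str
    tokens: dict = field(default_factory=dict)   # token string -> IssuedToken

    def _challenge(self, status, error=None, description=None):
        # RFC 6750 section 3: refusals carry a WWW-Authenticate: Bearer challenge.
        # With no credentials at all, no error code is included (section 3.1).
        parts = [f'realm="{self.realm}"']
        if error:
            parts.append(f'error="{error}"')
        if description:
            parts.append(f'error_description="{description}"')
        return status, {"WWW-Authenticate": "Bearer " + ", ".join(parts)}, None

    def _lookup(self, presented):
        # Compare in constant time against every stored token so that the
        # response time does not leak how much of a guessed token matched.
        for stored, rec in self.tokens.items():
            if hmac.compare_digest(stored.encode(), presented.encode()):
                return rec
        return None

    def handle(self, headers, required_scope, now):
        """Return (status, response_headers, body) for a request whose headers
        are given as a dict, for a resource that needs `required_scope`."""
        auth = headers.get("Authorization")
        if auth is None:
            return self._challenge(401)
        m = _BEARER_RE.match(auth)
        if not m:
            return self._challenge(400, "invalid_request", "malformed Authorization header")
        rec = self._lookup(m.group(1))
        if rec is None or rec.expires_at <= now:
            return self._challenge(401, "invalid_token", "token is expired or unknown")
        if required_scope not in rec.scopes:
            return self._challenge(403, "insufficient_scope", f"requires {required_scope}")
        # Valid bearer: serve. Possession of the string was the whole check.
        return 200, {}, {"owner": rec.subject, "resource": required_scope}


def build_demo_server():
    """Constructed resource server holding one token issued to 'alice' for scope 'read'."""
    rec = IssuedToken(DEMO_TOKEN, frozenset({"read"}), expires_at=2000.0, subject="alice")
    return ResourceServer(realm="example", tokens={DEMO_TOKEN: rec})


def demo():
    """Run the step (E)/(F) exchange for several presenters and return the status per case."""
    srv = build_demo_server()
    good = {"Authorization": f"Bearer {DEMO_TOKEN}"}
    return {
        "client_a_read": srv.handle(good, "read", now=1000.0)[0],        # issued to: served
        "client_b_replay": srv.handle(good, "read", now=1000.0)[0],      # captured copy: served too
        "expired": srv.handle(good, "read", now=2000.0)[0],              # past expires_at
        "wrong_scope": srv.handle(good, "write", now=1000.0)[0],         # scope not granted
        "malformed": srv.handle({"Authorization": "Bearer <x>"}, "read", now=1000.0)[0],
        "no_credentials": srv.handle({}, "read", now=1000.0)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:16s} -> {status}")
```

The `client_b_replay` case is the point of section 1.2: the resource server cannot distinguish the client the token was issued to from anyone who obtained a copy, so the confidentiality of the request in step (E) (RFC 6750's security considerations require TLS for it) and the short lifetime mentioned in 1.3 are the only things limiting the damage of a leaked token.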