The OAuth 2.0 Authorization Framework: Bearer Token Usage
https://tools.ietf.org/html/rfc6750
1.2. Terminology
Bearer Token
A security token with the property that any party in possession of
the token (a "bearer") can use the token in any way that any other
party in possession of it can. Using a bearer token does not
require a bearer to prove possession of cryptographic key material
(proof-of-possession).

All other terms are as defined in "The OAuth 2.0 Authorization
Framework" [RFC6749].
1.3. Overview
OAuth provides a method for clients to access a protected resource on
behalf of a resource owner. In the general case, before a client can
access a protected resource, it must first obtain an authorization
grant from the resource owner and then exchange the authorization
grant for an access token. The access token represents the grant's
scope, duration, and other attributes granted by the authorization
grant. The client accesses the protected resource by presenting the
access token to the resource server. In some cases, a client can
directly present its own credentials to an authorization server to
obtain an access token without having to first obtain an
authorization grant from a resource owner.

The access token provides an abstraction, replacing different
authorization constructs (e.g., username and password, assertion) for
a single token understood by the resource server. This abstraction
enables issuing access tokens valid for a short time period, as well
as removing the resource server's need to understand a wide range of
authentication schemes.

+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+

                Figure 1: Abstract Protocol Flow

The abstract OAuth 2.0 flow illustrated in Figure 1 describes the
interaction between the client, resource owner, authorization server,
and resource server (described in [RFC6749]). The following two
steps are specified within this document:

(E) The client requests the protected resource from the resource
server and authenticates by presenting the access token.

(F) The resource server validates the access token, and if valid,
serves the request.

This document also imposes semantic requirements upon the access
token returned in step (D).
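Steps (E) and (F) above, as an added example that is not part of RFC 6750 or of this post: a toy Python resource server that validates a presented bearer token and shows why the definition in section 1.2 matters for the validator. The in-memory token store, the realm and the scope names are constructed for this example; the "Authorization: Bearer <token>" header syntax and the invalid_token / insufficient_scope error codes are taken from RFC 6750 sections 2.1 and 3.1, which the excerpt above does not quote.

```python
import secrets

# Constructed in-memory record of tokens the authorization server handed out
# in step (D): token string -> granted scope and expiry (a Unix timestamp).
ISSUED = {}


def issue_token(scope, lifetime_s, now):
    """Step (D), constructed for this example: mint a short-lived opaque bearer token."""
    token = secrets.token_urlsafe(32)
    ISSUED[token] = {"scope": set(scope), "exp": now + lifetime_s}
    return token


def resource_request(headers, required_scope, now):
    """Step (F): validate the token presented in step (E).

    Returns (HTTP status, body, WWW-Authenticate challenge). The
    "Authorization: Bearer <token>" syntax and the invalid_token /
    insufficient_scope error codes come from RFC 6750 sections 2.1 and 3.1.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        # No usable bearer credentials: challenge without an error code.
        return 401, None, 'Bearer realm="example"'
    entry = ISSUED.get(token)
    if entry is None or entry["exp"] <= now:
        return 401, None, 'Bearer realm="example", error="invalid_token"'
    if required_scope not in entry["scope"]:
        return 403, None, ('Bearer realm="example", error="insufficient_scope", '
                           f'scope="{required_scope}"')
    # Only the token itself was checked; the presenter proved nothing else.
    return 200, {"resource": "protected data"}, None


def demo():
    """Exercise the bearer property and the two checks that do bound its damage."""
    now = 1_700_000_000
    tok = issue_token(["read"], lifetime_s=60, now=now)
    first = resource_request({"Authorization": f"Bearer {tok}"}, "read", now)
    # Any other party holding the same string gets the same answer (section 1.2):
    # step (F) has no way to tell the bearers apart, so no proof of possession exists.
    other_bearer = resource_request({"Authorization": f"Bearer {tok}"}, "read", now + 10)
    # What does limit exposure: a short lifetime and a narrow scope.
    expired = resource_request({"Authorization": f"Bearer {tok}"}, "read", now + 61)
    wrong_scope = resource_request({"Authorization": f"Bearer {tok}"}, "write", now)
    return first[0], other_bearer[0], expired[0], wrong_scope[0]
```

demo() returns (200, 200, 401, 403): the same token succeeds for whoever presents it, and only expiry and scope, both set when the token was issued, narrow what it can do.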