The OAuth 2.0 Authorization Framework: Bearer Token Usage
https://tools.ietf.org/html/rfc6750
1.2. Terminology
Bearer Token
A security token with the property that any party in possession of
the token (a "bearer") can use the token in any way that any other
party in possession of it can. Using a bearer token does not
require a bearer to prove possession of cryptographic key material
(proof-of-possession). All other terms are as defined in "The OAuth 2.0 Authorization
Framework" [RFC6749].
1.3. Overview
OAuth provides a method for clients to access a protected resource on
behalf of a resource owner. In the general case, before a client can
access a protected resource, it must first obtain an authorization
grant from the resource owner and then exchange the authorization
grant for an access token. The access token represents the grant's
scope, duration, and other attributes granted by the authorization
grant. The client accesses the protected resource by presenting the
access token to the resource server. In some cases, a client can
directly present its own credentials to an authorization server to
obtain an access token without having to first obtain an
authorization grant from a resource owner.
The access token provides an abstraction, replacing different
authorization constructs (e.g., username and password, assertion) for
a single token understood by the resource server. This abstraction
enables issuing access tokens valid for a short time period, as well
as removing the resource server's need to understand a wide range of
authentication schemes.
+--------+ +---------------+
| |--(A)- Authorization Request ->| Resource |
| | | Owner |
| |<-(B)-- Authorization Grant ---| |
| | +---------------+
| |
| | +---------------+
| |--(C)-- Authorization Grant -->| Authorization |
| Client | | Server |
| |<-(D)----- Access Token -------| |
| | +---------------+
| |
| | +---------------+
| |--(E)----- Access Token ------>| Resource |
| | | Server |
| |<-(F)--- Protected Resource ---| |
+--------+ +---------------+ Figure 1: Abstract Protocol Flow The abstract OAuth 2.0 flow illustrated in Figure 1 describes the
interaction between the client, resource owner, authorization server,
and resource server (described in [RFC6749]). The following two
steps are specified within this document: (E) The client requests the protected resource from the resource
server and authenticates by presenting the access token. (F) The resource server validates the access token, and if valid,
serves the request. This document also imposes semantic requirements upon the access
token returned in step (D).
The OAuth 2.0 Authorization Framework: Bearer Token Usage的更多相关文章
- OAuth 2.0 Authorization Framework RFC
Internet Engineering Task Force (IETF) D. Hardt, Ed.Request for Comments: 6749 MicrosoftObsoletes: 5 ...
- The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization Framework Abstract The OAuth 2.0 authorization framework enables a thi ...
- The OAuth 2.0 Authorization Framework OAuth2.0的核心角色code 扫码登录
RFC 6749 - The OAuth 2.0 Authorization Framework https://tools.ietf.org/html/rfc6749 The OAuth 2.0 a ...
- The OAuth 2.0 Authorization Framework-摘自https://tools.ietf.org/html/rfc6749
Internet Engineering T ...
- OAuth 2.0: Bearer Token Usage
Bearer Token (RFC 6750) 用于HTTP请求授权访问OAuth 2.0资源,任何Bearer持有者都可以无差别地用它来访问相关的资源,而无需证明持有加密key.一个Bearer代表 ...
- ASP.NET WebApi OWIN 实现 OAuth 2.0(自定义获取 Token)
相关文章:ASP.NET WebApi OWIN 实现 OAuth 2.0 之前的项目实现,Token 放在请求头的 Headers 里面,类似于这样: Accept: application/jso ...
- [转]OAuth 2.0 - Authorization Code授权方式详解
本文转自:http://www.cnblogs.com/highend/archive/2012/07/06/oautn2_authorization_code.html I:OAuth 2.0 开发 ...
- OAuth 2.0 - Authorization Code授权方式详解
I:OAuth 2.0 开发前期准备 天上不会自然掉馅饼让你轻松地去访问到人家资源服务器里面的用户数据资源,所以你需要做的前期开发准备工作就是把AppKey, AppSecret取到手 新浪获取传送门 ...
- OWIN OAuth 2.0 Authorization Server
http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server The assumption ...
随机推荐
- FW: linux screen -recorder by ffcast convert
fcast -s ffmpeg -r 20 -vcodec huffyuv out.avi 上面的命令会让你选择一个要录制的区域,然后呢,就会你就可以操作了,操作完后退回去按 q 键退出结束.如果你想 ...
- php判断密码强度函数
其实就是一些策略正则,写好了就留下来以后用. print_r(getPasswordStrength('s1212adsddfASD;\'g;\'gh.h,h..;')); function getP ...
- react es6语法 之 “ ... ” (扩展运算符)
扩展运算符(…)用于取出参数对象中的所有可遍历属性,拷贝到当前对象之中 let bar = { a: 1, b: 2 }; let baz = { ...bar }; // { a: 1, b: 2 ...
- docker部署Jenkins,以及在Jenkins中使用宿主机的docker/docker-compose命令
使用最新的官方镜像jenkins/jenkins 第一次使用的docker部署jenkins的时候,出现了两个问题: 1.因为用户权限问题挂载/home/jenkins/data到/var/jenki ...
- C语言中的extern
extern: 这个关键字真的比较恶心,在定义变量的时候,extern居然可以被省略(定义时,默认均省略): 在声明变量的时候,extern必须加在变量前. 所以有时候你搞不清楚是声明还是定义.:变量 ...
- UVA10026:Shoemaker's Problem(贪心)
题目链接: http://acm.hust.edu.cn/vjudge/contest/view.action?cid=68990#problem/K 题目需求:鞋匠有n个任务,第i个任务要花费ti ...
- Java 利用监听器来实现记录用户访问网站次数
假如有这么一个需求,要记录所有用户访问某一页面的次数. 最先想到的可能是在该Controller定义一个静态成员,然后在相应Action里自增.但这样有一个问题,就是Tomcat或者其他服务器重启的话 ...
- xlrd xlwt操作
简介 xlrd,xlwt和xlutils是用Python处理Excel文档(*.xls)的高效率工具.其中,xlrd只能读取xls,xlwt只能新建xls(不可以修改),xlutils能将xlrd.B ...
- PKU 1094 Sorting It All Out(拓扑排序)
题目大意:就是给定一组字母的大小关系判断他们是否能组成唯一的拓扑序列. 是典型的拓扑排序,但输出格式上确有三种形式: 1.该字母序列有序,并依次输出: 2.判断该序列是否唯一: 3.该序列字母次序之间 ...
- 字符串的最小最大表示法O(n)
以下介绍内容内容转自:http://blog.csdn.net/zy691357966/article/details/39854359 网上看了这篇文章后还是感觉有些地方讲的没有详细的证明所以添加了 ...