OAuth 2.0 Threat Model and Security Considerations (rfc6819)
Authorization server
The following data elements are stored or accessible on the authorization server:
- usernames and passwords
- client ids and secrets
- client-specific refresh tokens
- client-specific access tokens
- HTTPS certificate/key
- per-authorization process: "redirect_uri", "client_id", authorization "code"
Resource server
The following data elements are stored or accessible on the resource server:
- user data (out of scope)
- HTTPS certificate/key
- either authorization server credentials or authorization server shared secret/public key
- access tokens (per request)
It is assumed that a resource server has no knowledge of refresh tokens, user passwords, or client secrets.
Client
The following data elements are stored or accessible on the client:
- client id (and client secret or corresponding client credential)
- one or more refresh tokens (persistent) and access tokens (transient) per end user or other security-context or delegation context
- trusted certification authority (CA) certificates (HTTPS)
- per-authorization process: "redirect_uri", authorization "code"
bearer token
A 'bearer token' is a token that can be used by any client who has received the token (e.g., [RFC6750]). Because mere possession is enough to use the token, it is important that communication between endpoints be secured to ensure that only authorized endpoints may capture the token. The bearer token is convenient for client applications, as it does not require them to do anything to use them (such as a proof of identity). Bearer tokens have similar characteristics to web single-sign-on (SSO) cookies used in browsers.
proof token
A 'proof token' is a token that can only be used by a specific client. Each use of the token requires the client to perform some action that proves that it is the authorized user of the token. Examples of this are MAC-type access tokens, which require the client to digitally sign the resource request with a secret corresponding to the particular token sent with the request.
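The bearer/proof distinction above, as an added illustration that is not part of RFC 6819 or any OAuth MAC token specification: a toy resource server that accepts a bearer token on possession alone, but for a MAC-type token verifies an HMAC over method, URI, nonce and timestamp computed with the per-token secret, and rejects stale or replayed requests. The message layout, token ids and secret are constructed for this example.

```python
import hmac
import hashlib
import secrets
import time

# Constructed sample data: tokens issued by the authorization server. Only the
# MAC token carries a secret, shared between the client and the resource server
# (the "secret corresponding to the particular token" in the text above).
TOKEN_STORE = {
    "bearer-abc123": {"type": "bearer"},
    "mac-xyz789": {"type": "mac", "key": b"per-token-secret-k1"},
}
SEEN_NONCES = set()          # (token id, nonce) pairs already honoured
MAX_CLOCK_SKEW = 300         # seconds a signed request stays acceptable

def mac_signature(key, nonce, ts, method, uri):
    # The MAC binds the token to this exact request: changing the method, URI,
    # nonce or timestamp invalidates it, so a captured value is not reusable.
    msg = f"{ts}\n{nonce}\n{method}\n{uri}\n".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def client_sign(token_id, method, uri):
    """Client side: prove possession of the token's secret for one request."""
    key = TOKEN_STORE[token_id]["key"]
    nonce, ts = secrets.token_hex(8), int(time.time())
    return {"id": token_id, "nonce": nonce, "ts": ts,
            "mac": mac_signature(key, nonce, ts, method, uri)}

def resource_server_accepts(auth, method, uri, now=None):
    """Resource server side: True if the request should be honoured."""
    rec = TOKEN_STORE.get(auth.get("id"))
    if rec is None:
        return False
    if rec["type"] == "bearer":
        return True                      # possession is sufficient: anyone holding it succeeds
    now = int(time.time()) if now is None else now
    if abs(now - auth["ts"]) > MAX_CLOCK_SKEW:
        return False                     # stale request
    if (auth["id"], auth["nonce"]) in SEEN_NONCES:
        return False                     # replay of an already-seen request
    expected = mac_signature(rec["key"], auth["nonce"], auth["ts"], method, uri)
    if not hmac.compare_digest(expected, auth["mac"]):
        return False                     # signed for a different request, or wrong secret
    SEEN_NONCES.add((auth["id"], auth["nonce"]))
    return True
```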