Authorization server

The following data elements are stored or accessible on the authorization server:

  • usernames and passwords
  • client ids and secrets
  • client-specific refresh tokens
  • client-specific access tokens
  • HTTPS certificate/key
  • per-authorization process: "redirect_uri", "client_id", authorization "code"

Resource server

The following data elements are stored or accessible on the resource server:

  • user data (out of scope)
  • HTTPS certificate/key
  • either authorization server credentials or authorization server shared secret/public key
  • access tokens (per request)

It is assumed that a resource server has no knowledge of refresh tokens, user passwords, or client secrets.

Client

The following data elements are stored or accessible on the client:

  • client id (and client secret or corresponding client credential)

  • one or more refresh tokens (persistent) and access tokens
    (transient) per end user or other security-context or delegation
    context

  • trusted certification authority (CA) certificates (HTTPS)
  • per-authorization process: "redirect_uri", authorization "code"

bearer token

A ’bearer token’ is a token that can be used by any client who has received the token (e.g., [RFC6750]). Because mere possession is enough to use the token, it is important that communication between endpoints be secured to ensure that only authorized endpoints may capture the token. The bearer token is convenient for client applications, as it does not require them to do anything to use them (such as a proof of identity). Bearer tokens have similar characteristics to web single-sign-on (SSO)
cookies used in browsers.

proof token

A ’proof token’ is a token that can only be used by a specific client. Each use of the token requires the client to perform some action that proves that it is the authorized user of the token. Examples of this are MAC-type access tokens, which require the client to digitally sign the resource request with a secret corresponding to the particular token sent with the request.

OAuth 2.0 Threat Model and Security Considerations (rfc6819)的更多相关文章

  1. The OAuth 2.0 Authorization Framework-摘自https://tools.ietf.org/html/rfc6749

                                                                                  Internet Engineering T ...

  2. OAuth 2.0 Authorization Framework RFC

    Internet Engineering Task Force (IETF) D. Hardt, Ed.Request for Comments: 6749 MicrosoftObsoletes: 5 ...

  3. The OAuth 2.0 Authorization Framework

      The OAuth 2.0 Authorization Framework Abstract The OAuth 2.0 authorization framework enables a thi ...

  4. OAuth 2.0 授权码请求

    关于OAuth 2.0,请参见下面这两篇文章(墙裂推荐): <OAuth 2.0> <Spring Security OAuth 2.0> 纸上得来终觉浅,绝知此事要躬行.理论 ...

  5. Spring Security OAuth 2.0

    续·前一篇<OAuth 2.0> OAuth 2.0 Provider 实现 在OAuth 2.0中,provider角色事实上是把授权服务和资源服务分开,有时候它们也可能在同一个应用中, ...

  6. Spring Security OAuth 2.0 发放令牌接口地址自定义

    OAuth 2.0 如何获取令牌 以密码模式为例,获取 Token curl --location --request POST 'http://oauth-server/oauth/token' \ ...

  7. OAuth 2.0 认证的原理与实践

    摘要: 使用 OAuth 2.0 认证的的好处是显然易见的.你只需要用同一个账号密码,就能在各个网站进行访问,而免去了在每个网站都进行注册的繁琐过程. 本文将介绍 OAuth 2.0 的原理,并基于 ...

  8. 使用 spring-security-oauth2 体验 OAuth 2.0 的四种授权模式

    目录 背景 相关代码 授权码模式 第一步 访问GET /oauth/authorize 第二步 访问POST /oauth/authorize 第三步 访问POST /oauth/token 简化模式 ...

  9. ASP.NET WebApi OWIN 实现 OAuth 2.0

    OAuth(开放授权)是一个开放标准,允许用户让第三方应用访问该用户在某一网站上存储的私密的资源(如照片,视频,联系人列表),而无需将用户名和密码提供给第三方应用. OAuth 允许用户提供一个令牌, ...

随机推荐

  1. maven多项目配置实践

    工具:IntelliJ IDEA 1.新建maven项目top 略 提示:不使用任何模版 2.在上面的maven项目的目录下(虽然这不一定是必须的),新建另一个maven项目secend. 同上 3. ...

  2. mac-文本编辑器

    windows时代最喜欢的文本编辑器一直是ultraedit,但到了mac下,破解的ultraedit退出时会异常,于是琢磨着换编辑器,最终选择了sublime text2,百度下载,不注册也可以用. ...

  3. 查询sql2005&2008全部表信息

    如果是查询sql server ,把sys.extended_properties修改为SysProperties SELECT 表名 THEN D.NAME ELSE '' END, 表说明 THE ...

  4. SignalR 2.0 初次使用说明

    如何使用SignalR 2.0 一:首先通过Nuget安装SignalR 2.0 [本人使用的时候最新版本为2.0]2.0与之前1.X有部分命名空间和配置不同请注意 二:建一个专门的类库用来负责Sig ...

  5. python 中变量的命名方法

    从网上找到django中python的命名规范 Python  规范 代码的布局  编码 所有的Python脚本文件都应在文件头标上“# -*- coding:utf-8 -*-”.  缩进 4个空格 ...

  6. MVVM模式下弹出窗体

    原地址:http://www.cnblogs.com/yk250/p/5773425.html 在mvvm模式下弹出窗体,有使用接口模式传入参数new一个对象的,还有的是继承于一个window,然后在 ...

  7. instanceof关键字

    instanceof是Java.php的一个二元操作符(运算符),和==.>.<是同一类东西.由于它是由字母组成的,所以也是Java的保留关键字.它的作用是判断其左边对象是否为其右边类的实 ...

  8. java 将字符串下载为文本文件

    通过url访问方法即可进行下载 @RequestMapping("down") public String down(HttpServletRequest request,Http ...

  9. 在CentOS或RHEL防火墙上开启端口

    转载自:https://linux.cn/article-4243-1.html 如果希望在服务器上提供服务,诸如CentOS或RHEL的企业级Linux发行版包含内置的强大防火墙,它们默认的防火墙规 ...

  10. 批量插入数据(基于Mybatis的实现-Oracle)

    前言:做一个数据同步项目,要求:同步数据不丢失的情况下,提高插入性能. 项目DB框架:Mybatis.DataBase:Oracle. -------------------------------- ...