OAuth: Access to shared resources via web applications

A web application that wants to gain access to a shared resource redirects the user to a page of the authorization server (its authorization endpoint). In doing so it tells the authorization server which access rights it is requesting. This information, called the scope, is a list of identifiers separated by space characters; the identifiers are defined by the resource server (or by the authorization server on its behalf) and are often URLs, so that scopes of different resource servers cannot collide by name. The request should also carry a random state value, which the client checks when the user is redirected back, so that a response cannot be injected into a session that never made the request.

The authorization server then authenticates the user, in his role as resource owner (for example by asking for username and password), and lets the user grant or reject the client's request. It then redirects the user back to the client's registered redirect URI and communicates the decision in the query string: if the request was granted, the query string contains an authorization code, otherwise an error code. The client exchanges the code for an access token by calling the authorization server's token endpoint directly, without the browser in between. When doing so, the client authenticates itself with its own credentials, usually the client ID and client secret it received when it was registered with the authorization server, commonly sent as HTTP Basic authentication. These are the client's credentials, not the user's; the user's password never reaches the client. The code is short-lived, is bound to the client and redirect URI that requested it, and may be exchanged only once.
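The front-channel redirect and the back-channel code exchange described above, as an added example that is not part of the original article. It runs the whole exchange in one process: a toy in-memory authorization server stands in for the real one, and the endpoint URLs, client ID, client secret, redirect URI and scope URLs are all constructed values chosen for the example. What it demonstrates is the part that protects the exchange: the state check on the way back, client authentication with client ID and secret (not the user's password) at the token endpoint, and a code that is bound to its client and redirect URI and can be used only once.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed example configuration (assumed values, not from the article).
AUTHZ_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "photo-printer"
CLIENT_SECRET = "s3cr3t-client-password"   # assumed; real secrets live in configuration
REDIRECT_URI = "https://printer.example.com/callback"
# Scope identifiers: URLs, so they cannot clash with another resource server's names.
SCOPES = ["https://photos.example.com/scopes/read",
          "https://photos.example.com/scopes/print"]


def build_authorization_url(state):
    """Front channel: the client redirects the browser here, naming the scope it wants."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),      # space-separated list, URL-encoded by urlencode
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_redirect(url, expected_state):
    """Parse the redirect back to the client; returns ('code', code) or ('error', err)."""
    qs = parse_qs(urlparse(url).query)
    # The state must match the one this client session sent; otherwise the response
    # may have been injected by someone else (CSRF against the callback).
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in qs:
        return ("error", qs["error"][0])
    if "code" not in qs:
        raise ValueError("malformed redirect: neither code nor error")
    return ("code", qs["code"][0])


class AuthorizationServer:
    """Toy in-process stand-in for the authorization server (constructed for the example)."""

    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}   # registered clients
        self.codes = {}   # code -> (client_id, redirect_uri, scope, expiry)

    def user_decision(self, client_id, redirect_uri, scope, state, granted):
        """After authenticating the owner and asking for consent, build the redirect back."""
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise ValueError("redirect_uri not registered for this client")
        if not granted:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, scope, time.time() + 60)  # short-lived
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def exchange_code(self, authorization_header, code, redirect_uri):
        """Back channel: the client presents its own credentials as HTTP Basic auth."""
        scheme, _, cred = authorization_header.partition(" ")
        if scheme != "Basic":
            raise PermissionError("client authentication required")
        client_id, _, secret = base64.b64decode(cred).decode().partition(":")
        known = self.clients.get(client_id)
        if known is None or not hmac.compare_digest(secret, known[0]):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)   # pop: an authorization code is single-use
        if entry is None or entry[3] < time.time():
            raise PermissionError("invalid_grant")   # unknown, already used, or expired
        if entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")   # code was issued to someone else
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": entry[2]}


def client_basic_auth():
    """Authorization header the client sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()


def run_flow(granted=True):
    """Drive one complete authorization-code exchange; None if the owner refused."""
    server = AuthorizationServer()
    state = secrets.token_urlsafe(16)
    build_authorization_url(state)   # the client would 302 the browser to this URL
    # The authorization server authenticates the owner and records the decision (simulated).
    back = server.user_decision(CLIENT_ID, REDIRECT_URI, " ".join(SCOPES), state, granted)
    kind, value = parse_redirect(back, state)
    if kind == "error":
        return None
    return server.exchange_code(client_basic_auth(), value, REDIRECT_URI)
```

A real client sends the exchange as a POST to the token endpoint with `grant_type=authorization_code`; the toy server here skips HTTP and the form encoding of the Basic credentials, but the checks it performs are the ones the real endpoint must do.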

The token received this way is then presented by the client to the resource server to gain access to the desired resources. Once it has received the token, the resource server must verify that the token is still valid and that it was indeed issued by the expected authorization server. Validity can be checked using the expiry time contained in the token; the origin is checked by verifying cryptographic evidence that is also embedded in the token, for example a digital signature (verified with the authorization server's public key) or an HMAC (which requires a key shared between the two servers). In both cases the resource server must fix the algorithm it accepts rather than trust one named inside the token, and it should check that the token was issued for it and not for some other resource server, since a token that is valid somewhere is not automatically valid here. If such cryptographic processing is to be avoided, the resource server can instead contact the authorization server and ask whether the token is valid (token introspection). This costs a network round trip per request, but it also reveals a token that has been revoked, which a self-contained token cannot do before it expires.

The token may contain information about the user (claims such as the user identifier and the granted scope) which the resource server uses to decide what the request may do. Alternatively, the token may simply be an opaque key which the resource server exchanges for the user-related data by contacting the authorization server.
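The resource-server side of the two preceding paragraphs, as an added example that is not part of the original article: a self-contained token in JWT compact form, protected with an HMAC over its header and payload, and the checks a resource server performs before honouring it (signature with a constant-time comparison, pinned algorithm, issuer, audience, expiry) followed by the scope check for the requested operation. The shared key, issuer and audience URLs and the scope identifiers are constructed values for the example; with a signature instead of an HMAC the verifying side would hold the authorization server's public key rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (assumed, not from the article). The HMAC key is shared
# between authorization server and resource server.
SHARED_KEY = b"example-hmac-key-32-bytes-long!!"
ISSUER = "https://auth.example.com"
AUDIENCE = "https://photos.example.com"


def b64url_encode(data):
    """Base64url without padding, as used in JWT compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub, scope, lifetime=3600, key=SHARED_KEY, now=None):
    """Authorization-server side: header.payload.hmac with the user's claims embedded."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "scope": scope,
               "iat": int(now), "exp": int(now) + lifetime}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_token(token, key=SHARED_KEY, now=None):
    """Resource-server side: return the claims, or raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, tag_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, never the token (rules out alg=none and
    # key-confusion tricks where the token names a different algorithm).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so that a forger learns nothing from response timing.
    if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
        raise ValueError("bad HMAC: not issued with the shared key")
    claims = json.loads(b64url_decode(payload_b64))   # only trusted after the HMAC check
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token was issued for a different resource server")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def authorize_request(token, required_scope, now=None):
    """Gate one resource access: the token must verify AND carry the needed scope."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    return required_scope in claims.get("scope", "").split(" ")
```

`authorize_request` deliberately collapses every failure to a refusal; the reason belongs in the resource server's log, not in the response to the caller. The opaque-token alternative from the last paragraph would replace `verify_token` with a call to the authorization server that returns the same claims.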

Time: 2024-10-12 07:45:28
