Tags: context token orm -o cti spec scope and text
Authorization server
The following data elements are stored or accessible on the authorization server:
Resource server
The following data elements are stored or accessible on the resource server:
It is assumed that a resource server has no knowledge of refresh tokens, user passwords, or client secrets.
Client
The following data elements are stored or accessible on the client:
one or more refresh tokens (persistent) and access tokens (transient) per end user or other security-context or delegation context
bearer token
A 'bearer token' is a token that can be used by any client who has received the token (e.g., [RFC6750]). Because mere possession is enough to use the token, it is important that communication between endpoints be secured to ensure that only authorized endpoints may capture the token. The bearer token is convenient for client applications, as it does not require them to do anything to use it (such as a proof of identity). Bearer tokens have similar characteristics to web single-sign-on (SSO) cookies used in browsers.
proof token
A 'proof token' is a token that can only be used by a specific client. Each use of the token requires the client to perform some action that proves that it is the authorized user of the token. Examples of this are MAC-type access tokens, which require the client to digitally sign the resource request with a secret corresponding to the particular token sent with the request.
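The bearer/proof distinction above, as an added example that is not part of the RFC text or the original post: a resource server that accepts a bearer token on mere possession, beside a MAC-style proof check that requires an HMAC over the specific request with a per-token secret. It assumes a simplified MAC scheme (not the exact wire format of any OAuth MAC draft) and a constructed token record; a captured token identifier alone, an altered request, a stale timestamp or a replayed nonce all fail the proof check.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample: the resource server's view of one issued access token,
# the token identifier plus the per-token MAC secret bound to it (assumption:
# a simplified MAC scheme, not the exact wire format of any OAuth MAC draft).
TOKENS = {"tok-7f3a": {"mac_key": b"constructed-mac-key-for-tok-7f3a", "scope": "read"}}


def canonical(method, uri, ts, nonce):
    # Request fields covered by the MAC; anything not covered could be altered in transit.
    return f"{ts}\n{nonce}\n{method.upper()}\n{uri}\n".encode()


def sign_request(token_id, mac_key, method, uri, ts=None, nonce=None):
    # Client side: prove possession of mac_key for this specific request.
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(mac_key, canonical(method, uri, ts, nonce), hashlib.sha256).hexdigest()
    return {"id": token_id, "ts": ts, "nonce": nonce, "mac": mac}


class ResourceServer:
    def __init__(self, tokens, max_skew=300):
        self.tokens = tokens
        self.max_skew = max_skew
        self.seen = set()  # (token id, nonce) pairs already accepted

    def check_bearer(self, token_id):
        # Bearer semantics: knowing the token value is all it takes.
        return token_id in self.tokens

    def check_proof(self, auth, method, uri, now=None):
        # Proof semantics: the MAC must match this request and carry a fresh nonce.
        now = int(time.time()) if now is None else now
        rec = self.tokens.get(auth["id"])
        if rec is None:
            return False
        if abs(now - auth["ts"]) > self.max_skew:
            return False  # stale timestamp
        if (auth["id"], auth["nonce"]) in self.seen:
            return False  # replay of a captured request
        msg = canonical(method, uri, auth["ts"], auth["nonce"])
        expected = hmac.new(rec["mac_key"], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth["mac"]):
            return False  # token id captured without the key, or request altered
        self.seen.add((auth["id"], auth["nonce"]))
        return True
```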
OAuth 2.0 Threat Model and Security Considerations (rfc6819)
Original URL: http://www.cnblogs.com/xiangqian010/p/6125840.html