TOC
TOC
Additionally, the rule URI-Reference is included from Uniform Resource Identifier (URI)
.
Certain security-related terms are to be understood in the sense defined in .
These terms include, but are not limited to, "attack", "authentication", "authorization",
"certificate", "confidentiality", "credential", "encryption", "identity", "sign", "signature", "trust",
"validate", and "verify".
Unless otherwise noted, all the protocol parameter names and values are case sensitive.
2. Client Registration
Before initiating the protocol, the client registers with the authorization server. The means
through which the client registers with the authorization server are beyond the scope of this
specification, but typically involve end-user interaction with an HTML registration form.
Client registration does not require a direct interaction between the client and the
authorization server. When supported by the authorization server, registration can rely on
other means for establishing trust and obtaining the required client properties (e.g.
redirection URI, client type). For example, registration can be accomplished using a self-
issued or third-party-issued assertion, or by the authorization server performing client
discovery using a trusted channel.
When registering a client, the client developer SHALL:
specify the client type as described in ,
provide its client redirection URIs as described in , and
include any other information required by the authorization server (e.g.
application name, website, description, logo image, the acceptance of legal
terms).
2.1. Client Types
OAuth defines two client types, based on their ability to authenticate securely with the
authorization server (i.e. ability to maintain the confidentiality of their client credentials):
confidential
Clients capable of maintaining the confidentiality of their credentials (e.g. client
implemented on a secure server with restricted access to the client credentials),
or capable of secure client authentication using other means.
public
Clients incapable of maintaining the confidentiality of their credentials (e.g. clients
executing on the device used by the resource owner such as an installed native
application or a web browser-based application), and incapable of secure client
authentication via any other means.
The client type designation is based on the authorization server's definition of secure
authentication and its acceptable exposure levels of client credentials. The authorization
server SHOULD NOT make assumptions about the client type.
A client may be implemented as a distributed set of components, each with a different client
type and security context (e.g. a distributed client with both a confidential server-based
component and a public browser-based component). If the authorization server does not
provide support for such clients, or does not provide guidance with regard to their
registration, the client SHOULD register each component as a separate client.
This specification has been designed around the following client profiles:
web application
A web application is a confidential client running on a web server. Resource owners
access the client via an HTML user interface rendered in a user-agent on the
device used by the resource owner. The client credentials as well as any access
token issued to the client are stored on the web server and are not exposed to or
accessible by the resource owner.
user-agent-based application
[RFC3986]
[RFC4949]
Section 2.1
Section 3.1.2
剩余48页未读,继续阅读
AltOFCtrl_周佳峰
- 粉丝: 0
- 资源: 5
我的内容管理
展开
最新资源
- zlib-1.2.12压缩包解析与技术要点
- 微信小程序滑动选项卡源码模版发布
- Unity虚拟人物唇同步插件Oculus Lipsync介绍
- Nginx 1.18.0版本WinSW自动安装与管理指南
- Java Swing和JDBC实现的ATM系统源码解析
- 掌握Spark Streaming与Maven集成的分布式大数据处理
- 深入学习推荐系统:教程、案例与项目实践
- Web开发者必备的取色工具软件介绍
- C语言实现李春葆数据结构实验程序
- 超市管理系统开发:asp+SQL Server 2005实战
- Redis伪集群搭建教程与实践
- 掌握网络活动细节:Wireshark v3.6.3网络嗅探工具详解
- 全面掌握美赛:建模、分析与编程实现教程
- Java图书馆系统完整项目源码及SQL文件解析
- PCtoLCD2002软件:高效图片和字符取模转换
- Java开发的体育赛事在线购票系统源码分析
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
