RFC 6749 - OAuth 2.0

Limitations of the client-server model
- The protected resource requires credentials to be accessed.
- Once the credentials are acquired, the client effectively becomes a resource owner.
- Afterwards, clients gain overly broad access to the protected resources, with no way to limit the duration of access or restrict it to a subset of resources.
- If the resource owner's credentials change, access is revoked for every client at once.

Need to: separate the client role from the resource owner role.

OAuth model:
- Client: requests access to a protected resource; it is not the resource owner but acts on the owner's behalf.
- Resource owner: an entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
- Authorization server: issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
- Resource server (resource container): hosts the protected resources. This is where the client presents the access token to obtain them.
