OAuth2 Study Notes (1): Introduction

Source: Internet   Published under: Commonly used network port numbers   Editor: 程序博客网   Time: 2024/05/17 06:10

Introduction

In the traditional client-server authentication model, the client requests an access-restricted resource (protected resource) on the server by authenticating with the server using the resource owner’s credentials. In order to provide third-party applications access to restricted resources, the resource owner shares its credentials with the third party. This creates several problems and limitations:

  • Third-party applications are required to store the resource owner’s credentials for future use, typically a password in clear-text.

  • Servers are required to support password authentication, despite the security weaknesses inherent in passwords.

  • Third-party applications gain overly broad access to the resource owner’s protected resources, leaving resource owners without any ability to restrict duration or access to a limited subset of resources.

  • Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing the third party’s password.

  • Compromise of any third-party application results in compromise of the end-user’s password and all of the data protected by that password.

OAuth addresses these issues by introducing an authorization layer and separating the role of the client from that of the resource owner. In OAuth, the client requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner.

Instead of using the resource owner’s credentials to access protected resources, the client obtains an access token: a string denoting a specific scope, lifetime, and other access attributes. Access tokens are issued to third-party clients by an authorization server with the approval of the resource owner. The client uses the access token to access the protected resources hosted by the resource server.

For example, an end-user (resource owner) can grant a printing service (client) access to her protected photos stored at a photo-sharing service (resource server), without sharing her username and password with the printing service. Instead, she authenticates directly with a server trusted by the photo-sharing service (authorization server), which issues the printing service delegation-specific credentials (access token).
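The following is an added example, not code from the original post or from RFC 6749, that models the roles in the printing-service scenario above and shows why the separation fixes the problems in the bulleted list: the printing service never holds the owner's password, the token carries a scope and a lifetime, and the owner can revoke one client while a second client keeps working. The token format, the in-memory stores, the `photos:read` scope name and the usernames and passwords are all constructed for illustration; real deployments use the HTTP endpoints the specification defines.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    client_id: str
    owner: str
    scope: frozenset
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    """Authenticates resource owners and issues scoped, time-limited access
    tokens to clients. Clients never see the owner's password."""

    def __init__(self):
        self._owners = {}   # username -> (salt, pbkdf2 digest); constructed store
        self._tokens = {}   # opaque token string -> Token record

    def register_owner(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._owners[username] = (salt, digest)

    def _owner_ok(self, username, password):
        rec = self._owners.get(username)
        if rec is None:
            return False
        salt, digest = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(cand, digest)

    def authorize(self, username, password, client_id, scope, lifetime, now):
        """The owner logs in here directly and approves `client_id` for
        `scope`; the returned token is the client's own credential."""
        if not self._owner_ok(username, password):
            raise PermissionError("resource owner authentication failed")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = Token(client_id, username, frozenset(scope), now + lifetime)
        return token

    def introspect(self, token, now):
        """Return the Token record if it is known, unexpired and not revoked."""
        rec = self._tokens.get(token)
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        return rec

    def revoke_client(self, username, client_id):
        """Revoke one client's delegation without touching other clients and
        without the owner having to change her password."""
        for rec in self._tokens.values():
            if rec.owner == username and rec.client_id == client_id:
                rec.revoked = True


class ResourceServer:
    """Hosts the protected photos and accepts access tokens, not passwords."""

    def __init__(self, auth_server, photos):
        self._auth = auth_server
        self._photos = photos

    def get_photos(self, token, now):
        rec = self._auth.introspect(token, now)
        if rec is None or "photos:read" not in rec.scope:
            return None   # the HTTP equivalent would be a 401/403 response
        return list(self._photos.get(rec.owner, []))


def run_scenario():
    """Walk through the printing-service example and return each outcome."""
    auth = AuthorizationServer()
    auth.register_owner("alice", "correct horse battery staple")  # constructed
    photos = ResourceServer(auth, {"alice": ["beach.jpg", "dog.jpg"]})

    t0 = 1_000.0  # constructed clock, seconds
    # Alice approves the printing service for read-only photo access, 1 hour.
    print_tok = auth.authorize("alice", "correct horse battery staple",
                               "printing-service", {"photos:read"}, 3600, t0)
    # A second client is approved for a scope that does not cover photos.
    other_tok = auth.authorize("alice", "correct horse battery staple",
                               "calendar-app", {"calendar:read"}, 3600, t0)

    out = {}
    out["printing_reads"] = photos.get_photos(print_tok, t0 + 10)
    out["wrong_scope"] = photos.get_photos(other_tok, t0 + 10)
    out["after_expiry"] = photos.get_photos(print_tok, t0 + 3601)
    # Alice revokes only the printing service; her password stays unchanged.
    auth.revoke_client("alice", "printing-service")
    out["after_revoke"] = photos.get_photos(print_tok, t0 + 20)
    out["other_client_unaffected"] = auth.introspect(other_tok, t0 + 20) is not None
    out["forged_token"] = photos.get_photos("not-a-real-token", t0 + 20)
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The resource server checks the token with the authorization server rather than holding any password at all, which is the point of the separation: a compromised printing service yields a scoped, expiring, individually revocable token instead of Alice's credentials.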

This specification is designed for use with HTTP ([RFC2616]). The use of OAuth over any protocol other than HTTP is out of scope.
