StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POHow would one secure multiple resource servers using OAuth 2.0?
primarykey
Id
9409086
data
AcceptedAnswerId
9416654
AnswerCount
1
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2012-02-23T07:56:14.007
FavoriteCount
1
LastActivityDate
2012-02-23T16:03:32.970
LastEditDate
LastEditorUserId
0
OwnerUserId
715978
ParentId
0
PostTypeId
1
Score
1
ViewCount
1848
LastEditorDisplayName
text
Body
Consider the following distributed system that uses OAuth 2.0 for authorization and OpenID 2.0 for authentication. <img src="https://i.stack.imgur.com/o7yxa.png" alt="enter image description here"> Where <ol> <li>RS1, RS2 and RS3 are "Resource Servers" (aka three different REST APIs)</li> <li>APP1 and APP2 are clients</li> <li>AS is an "Authorization Server" for managing OAuth tokens</li> <li>OPENID is an OpenID 2.0 provider.</li> </ol> APP2 uses RS1, which in turn is uses resources on RS2 and RS3. There is a trust between RS1, RS2, RS3, APP2, AS and OPENID as they are developed by the same company (but different teams). When a user access APP2 for the first time, APP2 is automatically authorized to access resources on RS1, RS2 and RS3 on behalf of the user. APP1 uses resources in RS2, which in turn uses resources in RS3. APP1 is a third party website which is not trusted and a user needs to explicitly authorize APP1 to get access to resources on RS2 and RS3. Most examples regarding OAuth 2.0 shows the communication between a single resource and authorization server and how to request, issue and manage the tokens. How would one secure this environment using OAuth 2.0? For example, would APP2, RS1 and RS2 have their own client identifier and client secret (as they are all "clients" to another server)? If so, how would one issue access tokens for RS1 when it tries to access resources on RS2 and RS3 for the first time in the middle of another request (coming from APP2)? I already have AS, OPENID, APP2 and RS1, which was developed using ASP.NET MVC 3, WCF 4 and DotNetOpenAuth 4. I'm trying to introduce RS2, RS3 and APP1 into the system but struggle to figure out how authorization between the resource servers and clients will work. Everything runs under IIS 7.5 and HTTPS.
Tags
<oauth-2.0><dotnetopenauth>
Title
How would one secure multiple resource servers using OAuth 2.0?
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USbloudraak
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POHow would one secure multiple resource servers using OAuth 2.0?
 UserUserId
 USbloudraak
 VoteTypeVoteTypeId
 VTFavorite
2. VO
 singulars
 PostPostId
 POHow would one secure multiple resource servers using OAuth 2.0?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.