Introduction
In the traditional client-server authentication model, the client requests an access-restricted resource (protected resource) on the server by authenticating with the server using the resource owner's credentials. In order to provide third-party applications access to restricted resources, the resource owner shares its credentials with the third party. This creates several problems and limitations:
o Third-party applications are required to store the resource owner's credentials for future use, typically a password in clear text.
o Servers are required to support password authentication, despite the security weaknesses inherent in passwords.