diff --git a/others/oidc/Final_OpenID-Connect-Core-1.0-incorporating-errata-set-1_CN.html b/others/oidc/Final_OpenID-Connect-Core-1.0-incorporating-errata-set-1_CN.html index f6e716c..ecf5763 100644 --- a/others/oidc/Final_OpenID-Connect-Core-1.0-incorporating-errata-set-1_CN.html +++ b/others/oidc/Final_OpenID-Connect-Core-1.0-incorporating-errata-set-1_CN.html @@ -2566,46 +2566,31 @@
- If the request is valid, the Authorization Server attempts - to Authenticate the End-User or determines whether the End-User is Authenticated, - depending upon the request parameter values used. - The methods used by the Authorization Server to Authenticate the End-User - (e.g. username and password, session cookies, etc.) - are beyond the scope of this specification. - An Authentication user interface MAY be displayed by - the Authorization Server, depending upon the request parameter values used - and the authentication methods used. + 若请求是有效的, 则授权服务器(Authorization Server)将根据请求所包括的参数值尝试 + 验证最终用户(End-User)或决定最终用户(End-User)是否是已验证的. + 至于授权服务器(Authorization Server)采用什么方式来认证最终用户(如账号与密码, session cookies 等) + 已经超出本协议规范的范围. + 根据使用的请求参数值与使用的认证方式, 一个验证用户接口(interface) + 也许(MAY)被授权服务器(Authorization Server)对外开放.
-The Authorization Server MUST attempt to Authenticate the - End-User in the following cases: -
-- -
- -The Authorization Server MUST NOT interact with the End-User - in the following case: + 在下列情况中,授权服务器(Authorization Server)必须(MUST)对 + 最终用户进行认证:
@@ -2613,13 +2598,29 @@
- When interacting with the End-User, - the Authorization Server MUST employ appropriate measures against - Cross-Site Request Forgery and Clickjacking as, described in - Sections 10.12 and 10.13 of OAuth + 在下列情况中,授权服务器(Authorization Server)必须不能(MUST NOT)与 + 最终用户(End-User)进行交互(interact): +
++ +
+ ++ 当与最终用户(End-User)进行交互(interacting)时, + 授权服务器(Authorization Server)必须(MUST)对 + 跨站伪造请求(Cross-Site Request Forgery)与点击劫持(Clickjacking)采取适当的措施, + 关于这部分的描述请参考 OAuth 2.0 (Hardt, D., “The OAuth 2.0 Authorization Framework,” October 2012.) - [RFC6749]. + [RFC6749] 中10.12 与 10.13 章节.
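Review bot: In the first hunk (@@ -2566,46 +2566,31 @@), the added sentence "一个验证用户接口(interface) 也许(MAY)被授权服务器(Authorization Server)对外开放" changes the meaning of the removed English, which says an Authentication user interface MAY be displayed. "接口 ... 对外开放" reads as an API being exposed rather than a login screen being shown to the End-User; something like "用户界面" with "显示" would match the source. The added "必须(MUST)对 最终用户进行认证" also drops "attempt" from "MUST attempt to Authenticate", which turns the requirement into a stronger one than the removed text states; "必须(MUST)尝试对最终用户进行认证" keeps it. Finally, this paragraph uses both "验证" and "认证" for Authenticate; pick one term and use it throughout.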
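Review bot: In the second hunk (@@ -2613,13 +2598,29 @@), the added line "跨站伪造请求(Cross-Site Request Forgery)与点击劫持(Clickjacking)采取适当的措施" reorders the CSRF term and loses the sense of "against" from the removed English ("MUST employ appropriate measures against"). The usual rendering is "跨站请求伪造", and "采取适当的措施防范 ..." would make clear that this is a protective requirement on the Authorization Server. In the same hunk, "必须不能(MUST NOT)" is awkward as a normative keyword; "禁止" or "不得" reads more clearly and should be used consistently wherever MUST NOT is translated.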