If a client intends to access protected resources of a user on a server side, the client has to use the identity credentials of the user, such as, the name of the user and the password. If a client of the third party also wants to access the protected resources of the user on the server side, it is necessary to provide the identity credentials of the user for the client of the third party. As such, there exist huge potential safety hazards.
In order to solve the abovementioned problem, an Open Auth (OAuth) protocol is provided, which is a safe, open and simple standard for authorization of users' resources. The OAuth protocol employs an intermediate layer to separate a client from an authorization procedure of a user. A client of the third party may apply for authorization and obtain resources from the user without reaching the credential information of the user. The OAuth protocol defines four roles including a resources owner, a client, a resources server and an authorization server. The resources owner is a user who owns resources and may authorize a client to access its resources. The client is a client program which accesses protected resources. The resources server is a server which stores the resources of the resources owner and can be accessed by the client only after the client is authorized by the resources owner. The authorization server is responsible for generating an access token and sending the same to the client after receiving the credentials of the user from the resources owner.
By the OAuth protocol, the client of the third party may access the protected resources of the user on the side of the resources server after obtaining the authorization from the user. However, the OAuth protocol is a unidirectional authorization protocol and only allows a client of the third party to request a unidirectional authorization for the resources server. It does not allow a client to request an authorization for a resources server of the third party. By way of example, when the client is a microblog while the client of the third party is a blog, the resources server stores protected microblog information of the user and a resources server of the third party stores protected blog information of the user. The blog client can access the microblog information on the side of the resources server after obtaining authorization from the resources owner. The micoblog client, however, cannot access the blog information on the side of the resources server of the third party.