3.1.1 Abstract Data Model

This section describes a conceptual model of possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.

The client role is expected to be aware of the relying party or resource identifier of the resource server if it requests authorization for a particular resource. See [MS-OAPX] section 3.2.5.2.1.1 for information about the resource parameter.

The following elements are defined by this protocol:

Client Identifier: An identifier, represented as a string, that uniquely identifies the client to the server.

Nonce: An opaque, base64-encoded value that is provided by the server and used in requests for a primary refresh token.

Primary Refresh Token: A refresh token that the client can exchange for access tokens from the server.

Session Key: A key used to sign access token requests and decrypt access token responses. The client receives this key from the server in the response that is described in section 3.1.5.1.2.2. This key MUST be stored in a secure manner.

Device Certificate: An X.509 certificate that represents the device on which the client runs. The client MUST have access to the private key. The altSecurityIdentities attribute of an msDS-Device object in Active Directory is used to store and access the public portion of the certificate.

Session Transport Key: A key used to decrypt the session key. The msDS-KeyCredentialLink attribute of an msDS-Device object in Active Directory is used to store and access the key. The msDS-Device object MUST be the same object in Active Directory that contains the public portion of the Device Certificate.

User Authentication Key: A key used to authenticate an end user. The msDS-KeyCredentialLink attribute of a user object in Active Directory is used to store and access the public portion of the key.
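The following is an added, non-normative example (not part of the specification) that models the client-side elements listed above as a small Python state object and enforces the two constraints this section states: the session key is kept out of logs and representations, and the msDS-Device object backing the Session Transport Key must be the same object that holds the Device Certificate. Because this section names no algorithms, HMAC-SHA256 is used only as an illustrative stand-in for signing with the session key, and all distinguished names, keys and the nonce value are constructed sample data.

```python
"""Illustrative client-side state for the abstract data model in section 3.1.1.

Added example, not normative. HMAC-SHA256 is an assumed stand-in for the
signing algorithm, which this section does not specify.
"""
import base64
import binascii
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def decode_nonce(nonce_b64: str) -> bytes:
    """The nonce is opaque but base64-encoded; reject anything that does not decode."""
    try:
        return base64.b64decode(nonce_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("nonce is not valid base64") from exc


def nonce_is_valid(nonce_b64: str) -> bool:
    try:
        decode_nonce(nonce_b64)
        return True
    except ValueError:
        return False


@dataclass
class DeviceCertificate:
    # DN of the msDS-Device object whose altSecurityIdentities attribute holds
    # the public portion of the certificate (constructed sample value).
    device_object_dn: str
    public_cert_der: bytes
    private_key: bytes = field(repr=False)   # secret: excluded from repr/logging


@dataclass
class SessionTransportKey:
    # DN of the msDS-Device object whose msDS-KeyCredentialLink holds the key.
    device_object_dn: str
    key: bytes = field(repr=False)


def device_binding_is_consistent(cert: DeviceCertificate,
                                 stk: SessionTransportKey) -> bool:
    """Section 3.1.1: both elements MUST be stored on the same msDS-Device object."""
    return cert.device_object_dn == stk.device_object_dn


@dataclass
class ClientState:
    client_id: str
    device_cert: DeviceCertificate
    transport_key: SessionTransportKey
    nonce: Optional[bytes] = None
    primary_refresh_token: Optional[str] = field(default=None, repr=False)
    session_key: Optional[bytes] = field(default=None, repr=False)

    def __post_init__(self) -> None:
        if not device_binding_is_consistent(self.device_cert, self.transport_key):
            raise ValueError("device certificate and session transport key are "
                             "bound to different msDS-Device objects")

    def store_nonce(self, nonce_b64: str) -> None:
        self.nonce = decode_nonce(nonce_b64)

    def store_session_key(self, session_key: bytes) -> None:
        # The session key arrives in the response of section 3.1.5.1.2.2 and
        # MUST be stored securely; here that means a repr-hidden field.
        if len(session_key) < 16:
            raise ValueError("session key too short")
        self.session_key = session_key

    def sign_request(self, request_body: bytes) -> str:
        """Sign an access token request with the session key.

        HMAC-SHA256 is an assumed stand-in; the real algorithm is not defined here.
        Returns the tag as unpadded base64url text.
        """
        if self.session_key is None:
            raise RuntimeError("no session key: complete the PRT exchange first")
        tag = hmac.new(self.session_key, request_body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(tag).rstrip(b"=").decode()


def build_sample_state() -> ClientState:
    """Constructed sample values for a stand-alone run."""
    dn = "CN=sample-device,CN=RegisteredDevices,DC=example,DC=test"
    cert = DeviceCertificate(dn, b"\x30\x82\x00\x00", private_key=b"sample-private-key")
    stk = SessionTransportKey(dn, key=b"t" * 32)
    state = ClientState("sample-client-id", cert, stk)
    state.store_nonce("AQIDBA==")          # constructed nonce, decodes to 01 02 03 04
    state.store_session_key(b"k" * 32)     # constructed session key
    return state


if __name__ == "__main__":
    s = build_sample_state()
    print(s)                                # secrets do not appear in the repr
    print(s.sign_request(b"grant_type=refresh_token&client_id=sample-client-id"))
```

The `repr=False` fields are the minimal expression of "MUST be stored in a secure manner" for an in-memory model; a real client would additionally bind the session key and device private key to platform key storage. The `__post_init__` check fails fast when the two Active Directory attributes are read from different msDS-Device objects, which is the consistency requirement stated for the Session Transport Key.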