On Thu, May 13, 2010 at 12:01 PM, Brian Eaton <[email protected]> wrote:
> On Tue, May 11, 2010 at 2:16 PM, Paul Lindner <[email protected]>
> wrote:
>
> > +beaton (for domain member question)
> >
> > I'll add some docs to the committed code. expiresAt is informational,
> > isExpired() is canonical and convenient enough that I'm betting that most
> > implementers will use it, and it can encompass things like a CRL,
> > blacklist,
> > etc. depending on the implementation.
>
> I don't understand the need for isExpired and friends... why not just
> enforce expiration checks in the security token decoding process?
>

I had similar questions re: isExpired, but getExpiredAt() is useful for client code determining when to refresh tokens.

> A security token arrives, is validated, and is used for a few seconds
> (the duration of one user request).
>
> > I don't think that ContainerConfig calls can be spoofed when you're using
> > BlobCrypter which guarantees against tampering. I am concerned that there
> > are a number of pieces of code that iterate through all containers, this
> > works for small numbers of containers, but not large populations (where a
> > container == a third party site).
>
> So long as you get the container from the security token and not a URL
> parameter, I think it's solid.
>
> But I don't understand what you're doing with OAuth 2 and shindig.
>
> Is there a design doc or a road map?
>
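
As an added illustration (not Shindig's code and not any participant's proposal), the sketch below shows how the two positions in the thread fit together: the decoder enforces integrity and expiry before handing a token out, isExpired() stays the canonical check and can fold in a revocation list, and the informational expiry time is what client code uses to schedule a refresh. The HMAC construction is a constructed stand-in for BlobCrypter's tamper protection; all names, keys and timestamps are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed demo key; stands in for the container's BlobCrypter secret.
KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class SecurityToken:
    container: str
    viewer: str
    expires_at: int  # informational: unix seconds at which the token lapses

    def is_expired(self, now=None, revoked=frozenset()):
        """Canonical check: wall-clock expiry plus an optional revocation list."""
        now = int(time.time()) if now is None else now
        return now >= self.expires_at or (self.container, self.viewer) in revoked


def encrypt_token(token: SecurityToken, key=KEY) -> str:
    """Serialize the token and append an HMAC so tampering is detectable."""
    payload = json.dumps(token.__dict__, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def decrypt_token(blob: str, now: int, key=KEY) -> SecurityToken:
    """Decoder rejects tampered and expired blobs; callers never see a stale token."""
    raw = base64.urlsafe_b64decode(blob)
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("tampered token")
    token = SecurityToken(**json.loads(payload))
    if token.is_expired(now):
        raise ValueError("expired token")
    return token


def refresh_due(token: SecurityToken, now: int, margin: int = 60) -> bool:
    """Client-side use of expires_at: refresh shortly before expiry, not after."""
    return token.expires_at - now <= margin
```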
