Section 7 of OAuth Core directs us to 'sign' the requests even after we have received a granted access token. This signing ensures security with each request made to the SP.
We have a case for implementing OAuth Consumers on mobile devices, and the signing of each request to access protected resources could be costly, considering the sparse resources on the device. Can there be a way around this to not sign the request every time, and once we have an authorized access token, send it as is for future retrieval of protected resources? We understand that replay attacks are possible if we don't follow the unique nonce and timestamp constraints (Section 8), but we don't want the replay attacks either :) We also looked at the OAuth Session extension, but again each request has to be signed in order to fetch protected content.

Thanks,
Monis Iqbal
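For reference, the per-request work that Section 7 asks for and the Section 8 check it makes possible, as an added example that is not part of the original post or of the OAuth specification text: a Python implementation of HMAC-SHA1 signing as described in OAuth Core 1.0 Section 9, together with a resource-server verifier that rejects a stale timestamp, a nonce it has already seen for that consumer and timestamp, and a request whose parameters no longer match the signature. The request URL, body, consumer and token identifiers and the two secrets are the sample values from RFC 5849 section 3.4.1.1 (the later RFC publication of OAuth 1.0); the in-memory nonce store, the fixed clock and the `ResourceServer` class are constructed for this example and are not part of any library.

```python
"""OAuth Core 1.0 request signing (HMAC-SHA1) and a server-side nonce/timestamp replay check.

Added example, not from the original post. The request values are the RFC 5849 3.4.1.1
sample; ResourceServer, its in-memory nonce store and the fixed clock are constructed here.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct_encode(value):
    """Section 5.1 encoding: RFC 3986 unreserved characters pass, everything else becomes %XX."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Section 9.1.2: lower-case scheme and host, default port dropped, no query or fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, oauth_params, body=""):
    """Section 9.1.3: METHOD & encoded(base URI) & encoded(normalized parameters).

    Parameters come from the query string, the form-encoded body (only when the request body
    is application/x-www-form-urlencoded) and the oauth_* header parameters, excluding
    oauth_signature and realm. Each key and value is encoded, then the pairs are sorted.
    """
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct_encode(base_string_uri(url)), pct_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Section 9.2: HMAC-SHA1 keyed with encoded(consumer secret) '&' encoded(token secret)."""
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, body, consumer_key, consumer_secret, token, token_secret,
                 nonce, timestamp):
    """Client side of Section 7: build the oauth_* parameters for a protected-resource call."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
    }
    base = signature_base_string(method, url, oauth_params, body)
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth_params


class ResourceServer:
    """Constructed verifier: Section 8 freshness and nonce uniqueness, then Section 9 signature.

    The nonce is recorded only after the signature verifies, so a party without the secrets
    cannot fill the nonce store with guesses.
    """

    def __init__(self, consumer_secret, token_secrets, now, window=300):
        self.consumer_secret = consumer_secret
        self.token_secrets = token_secrets  # token -> token secret
        self.now = now                      # callable returning the current Unix time
        self.window = window                # accepted clock skew in seconds
        self.seen = set()                   # (consumer key, timestamp, nonce) already used

    def verify(self, method, url, body, oauth_params):
        ts = int(oauth_params["oauth_timestamp"])
        if abs(self.now() - ts) > self.window:
            return "stale timestamp"
        marker = (oauth_params["oauth_consumer_key"], ts, oauth_params["oauth_nonce"])
        if marker in self.seen:
            return "replayed nonce"
        token_secret = self.token_secrets.get(oauth_params["oauth_token"])
        if token_secret is None:
            return "unknown token"
        expected = hmac_sha1_signature(signature_base_string(method, url, oauth_params, body),
                                       self.consumer_secret, token_secret)
        if not hmac.compare_digest(expected, oauth_params["oauth_signature"]):
            return "bad signature"
        self.seen.add(marker)
        return "ok"


# Sample request from RFC 5849 section 3.4.1.1 (constructed input for this example).
SAMPLE_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
SAMPLE_BODY = "c2&a3=2+q"
CONSUMER_KEY, CONSUMER_SECRET = "9djdj82h48djs9d2", "j49sk3j29djd"
TOKEN, TOKEN_SECRET = "kkk9d7dh3k39sjv7", "dh893hdasih9"


def demo():
    """Sign once, present it three ways: fresh, replayed verbatim, and with a new nonce but the
    old signature (what sending the token 'as is' amounts to)."""
    server = ResourceServer(CONSUMER_SECRET, {TOKEN: TOKEN_SECRET}, now=lambda: 137131230)
    req = sign_request("POST", SAMPLE_URL, SAMPLE_BODY, CONSUMER_KEY, CONSUMER_SECRET,
                       TOKEN, TOKEN_SECRET, nonce="7d8f3e4a", timestamp=137131201)
    first = server.verify("POST", SAMPLE_URL, SAMPLE_BODY, req)
    replay = server.verify("POST", SAMPLE_URL, SAMPLE_BODY, req)
    unsigned_reuse = server.verify("POST", SAMPLE_URL, SAMPLE_BODY, dict(req, oauth_nonce="7d8f3e4b"))
    return first, replay, unsigned_reuse


if __name__ == "__main__":
    print(demo())
```

The client-side cost per request is one HMAC-SHA1 over a short base string plus a base64 encoding; the server recomputes the same value and only then records the nonce. The third case in `demo` is the situation the question describes: the token is valid and the nonce is new, but the signature does not cover the new request, so the server has no way to tell it from a forwarded copy and rejects it.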
