I am looking at implementing an OAuth Service Provider that only supports communication using HTTPS. The OAuth specification allows me to use the PLAINTEXT signature method. I am thinking it should be a good fit for my purposes.
I have 2 questions:

(a) My understanding is that I should be able to use PLAINTEXT without compromising security as long as I stick with HTTPS. Is my understanding right?

(b) I do not see any use of nonce and timestamp, since there is no real signing of the request or real threat of man-in-the-middle or replay attacks. Would I be compromising security if I do not keep track of nonce and timestamp?

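Added example (not part of the original post): a minimal server-side sketch in Python of what the two questions touch on. It builds the OAuth 1.0 PLAINTEXT signature as RFC 5849 section 3.4.4 defines it (percent-encoded consumer secret, `&`, percent-encoded token secret, with no hashing), compares it in constant time, and then applies the nonce/timestamp bookkeeping from RFC 5849 section 3.3 so a request captured from a TLS-terminating proxy, a log, or a misconfigured client cannot simply be resubmitted. The 300-second acceptance window, the parameter names being already URL-decoded, and the in-memory `ReplayGuard` store are assumptions of this example.

```python
import hmac
import time
from urllib.parse import quote


def plaintext_signature(consumer_secret: str, token_secret: str = "") -> str:
    """OAuth 1.0 PLAINTEXT signature (RFC 5849 section 3.4.4).

    The value is just the two percent-encoded secrets joined by '&'.
    Nothing is hashed, so whoever reads this value holds the secrets;
    only the transport (TLS) protects it in transit.
    """
    return quote(consumer_secret, safe="") + "&" + quote(token_secret, safe="")


class ReplayGuard:
    """Server-side nonce/timestamp check (RFC 5849 section 3.3).

    Rejects requests whose timestamp lies outside an acceptance window and
    requests that reuse a nonce already seen for the same consumer key,
    token and timestamp. The 300 s window and the in-memory store are
    assumptions of this example; a real service would use shared storage.
    """

    def __init__(self, window_seconds: int = 300, now=time.time):
        self.window = window_seconds
        self.now = now          # injectable clock, handy for tests
        self._seen = {}         # (consumer_key, token, nonce, ts) -> time first seen

    def _expire(self) -> None:
        # Forget entries older than the window; anything that old is rejected
        # by the timestamp check anyway, so the table stays bounded.
        cutoff = self.now() - self.window
        self._seen = {k: v for k, v in self._seen.items() if v >= cutoff}

    def check(self, consumer_key: str, token: str, nonce: str, timestamp: str) -> bool:
        self._expire()
        now = self.now()
        try:
            ts = int(timestamp)
        except ValueError:
            return False                      # malformed oauth_timestamp
        if abs(now - ts) > self.window:
            return False                      # too old or too far in the future
        key = (consumer_key, token, nonce, ts)
        if key in self._seen:
            return False                      # replay of an already-seen request
        self._seen[key] = now
        return True


def verify_plaintext(params: dict, consumer_secret: str, token_secret: str,
                     guard: ReplayGuard):
    """Verify one incoming request. `params` holds the decoded OAuth parameters.

    Returns (ok, reason). Signature is checked first, then freshness.
    """
    expected = plaintext_signature(consumer_secret, token_secret)
    presented = params.get("oauth_signature", "")
    # Constant-time comparison: the signature IS the secret, so avoid leaking
    # a prefix match through timing.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bad signature"
    if not guard.check(params.get("oauth_consumer_key", ""),
                       params.get("oauth_token", ""),
                       params.get("oauth_nonce", ""),
                       params.get("oauth_timestamp", "")):
        return False, "stale timestamp or replayed nonce"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request; the keys and secrets are made up.
    guard = ReplayGuard(now=lambda: 1_000_000)
    request = {
        "oauth_consumer_key": "example-consumer",
        "oauth_token": "example-token",
        "oauth_nonce": "n1",
        "oauth_timestamp": "1000000",
        "oauth_signature": plaintext_signature("consumer-secret", "token-secret"),
    }
    print(verify_plaintext(request, "consumer-secret", "token-secret", guard))  # first time: accepted
    print(verify_plaintext(request, "consumer-secret", "token-secret", guard))  # identical resend: rejected
```

The point the sketch makes: dropping the nonce/timestamp bookkeeping leaves a PLAINTEXT-over-TLS service with signature verification that is really just a shared-secret comparison, so any copy of a valid request remains valid forever.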