Thanks, I'd kind of figured it out as one of the flows further down in the spec uses it. I'd been in a coding, spec-reading frenzy and just read over it :)
Thanks again!

On Mon, May 24, 2010 at 6:05 PM, Murali <[email protected]> wrote:
> 1. The valid value for secret_type in your case is hmac-sha256
> 2. It is not related to client_secret, it just instructs the authorization server if the response should contain access_token_secret or not.
>
> This is my attempt to relate it to a real world scenario (no need to read :)) :
>
> A somewhat reasonable analogy might be the authorization server writing a check to the client. If the authorization server wrote a valid check to the client and indicated that the check can be encashed only by depositing, then it is not enough that the client (the bearer) just has a valid check but should also have an account (access_token_secret) to deposit to. If there is no access_token_secret then the check can be encashed by any bearer, hence the bearer token. This flag secret_type tells the authorization server to write a check with "for deposit only" on the back. (The only strangeness in this analogy here is that the authorization server doesn't create an account for the client like it issues an access_token_secret, but don't go there.)
>
> On May 23, 7:55 am, erich <[email protected]> wrote:
> > Hi,
> > I am working on a Java implementation of the web server flow for OAuth 2.0. I've made good progress so far, however there's something that's confusing me in the spec (v05). In section 3.6.2 "Client Requests Access Token" the 'client_secret' (per section 3.1) is required. My understanding is that this equates to, say, a password for the client. Then there's the optional 'secret_type' (as described by section 5.3). I am not understanding 1) the valid value for 'secret_type' 2) if it's related to the 'client_secret'.
> >
> > I've created code to make the HMAC-256 signed data called out in 5.3, but the 5.3 stuff seems to be about attempting to access the resource after you get the access token; I'm trying to understand how it relates to 3.6.2 where the client is making the initial request for the token.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "OAuth" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to [email protected].
> > For more options, visit this group at http://groups.google.com/group/oauth?hl=en.

--
Erich Oliphant
"There are, in fact, two things, science and opinion, the former begets knowledge, the latter ignorance" -- Hippocrates of Cos
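The distinction Murali draws (a bearer token is usable by whoever holds it; a token issued with secret_type=hmac-sha256 comes with an access_token_secret that the holder must prove possession of on every resource request) can be seen end to end in a small three-party model. The following is an added illustration written for this thread, not Erich's Java code and not text from the OAuth 2.0 draft: it is Python, the in-memory `TOKEN_STORE`, the function names and the `normalized_string` layout are assumptions, and the simplified string it signs deliberately does not reproduce the exact base-string format of draft-05 section 5.3. What it does show is the part that matters for a resource server: a token that was issued with a secret must be rejected when presented bare, and a valid signature is bound to the method and path and to a fresh nonce and timestamp, so a captured header cannot be replayed or redirected.

```python
import hashlib
import hmac
import secrets
import time

# Constructed, in-memory stand-in for the authorization server's token database
# (assumption; not part of the original thread). Value None means "bearer token".
TOKEN_STORE = {}
SEEN_NONCES = set()      # (token, nonce) pairs already accepted; replay guard
MAX_SKEW = 300           # seconds of clock drift the resource server tolerates


def issue_token(secret_type=None):
    """Authorization server: mint an access token for an already-authenticated client.

    As Murali explains, secret_type is unrelated to client_secret; it only decides
    whether the response also carries an access_token_secret.
    """
    token = secrets.token_urlsafe(16)
    response = {"access_token": token, "expires_in": 3600}
    if secret_type is None:
        TOKEN_STORE[token] = None                 # bearer: possession alone suffices
    elif secret_type == "hmac-sha256":
        token_secret = secrets.token_urlsafe(32)  # the "account" in the analogy
        response["access_token_secret"] = token_secret
        TOKEN_STORE[token] = token_secret
    else:
        raise ValueError("unsupported secret_type: %r" % (secret_type,))
    return response


def normalized_string(token, timestamp, nonce, method, host, path):
    # Simplified signature base string (assumption); binds the signature to the
    # token, a fresh timestamp/nonce and the request target.
    parts = [token, str(timestamp), nonce, "hmac-sha256",
             method.upper(), host.lower(), path]
    return "\n".join(parts) + "\n"


def sign_request(token, token_secret, method, host, path, timestamp=None, nonce=None):
    """Client: produce the Authorization header value for a protected-resource request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    base = normalized_string(token, timestamp, nonce, method, host, path)
    sig = hmac.new(token_secret.encode(), base.encode(), hashlib.sha256).hexdigest()
    return ('Token token="%s", timestamp="%d", nonce="%s", '
            'algorithm="hmac-sha256", signature="%s"' % (token, timestamp, nonce, sig))


def bearer_header(token):
    """Client: header for a bearer token (or a bare token, if someone drops the signature)."""
    return 'Token token="%s"' % token


def parse_header(header):
    # Parse 'Token k="v", k2="v2"' into a dict; None if the scheme is not Token.
    scheme, _, params = header.partition(" ")
    if scheme != "Token":
        return None
    out = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        out[key] = value.strip('"')
    return out


def verify_request(header, method, host, path, now=None):
    """Resource server: decide whether the presented token authorizes this request."""
    params = parse_header(header)
    if params is None or params.get("token") not in TOKEN_STORE:
        return False
    token = params["token"]
    token_secret = TOKEN_STORE[token]
    if token_secret is None:
        return True                               # bearer token: holder is accepted
    # Token was issued with a secret: require proof of possession.
    try:
        timestamp = int(params["timestamp"])
        nonce = params["nonce"]
        provided = params["signature"]
    except (KeyError, ValueError):
        return False                              # bare or malformed presentation
    if params.get("algorithm") != "hmac-sha256":
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW or (token, nonce) in SEEN_NONCES:
        return False                              # stale or replayed
    base = normalized_string(token, timestamp, nonce, method, host, path)
    expected = hmac.new(token_secret.encode(), base.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, provided):
        return False                              # wrong secret, or different method/path
    SEEN_NONCES.add((token, nonce))
    return True


if __name__ == "__main__":
    issued = issue_token("hmac-sha256")
    hdr = sign_request(issued["access_token"], issued["access_token_secret"],
                       "GET", "api.example", "/resource")
    print("signed request accepted:", verify_request(hdr, "GET", "api.example", "/resource"))
    print("bare token accepted:   ", verify_request(bearer_header(issued["access_token"]),
                                                    "GET", "api.example", "/resource"))
```

The resource server never needs the client_secret; it only needs whatever was stored next to the access token at issuance, which is why the two are independent. `hmac.compare_digest` is used for the signature check to avoid leaking timing information, and in a real deployment the nonce set would be pruned to the `MAX_SKEW` window rather than growing without bound.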
