Dick Hardt wrote:
...
If there is a secure channel between the Client and the PR, and the token is
only accepted at one Client, what other advantages are there to the Client
signing that you don't get from a bearer token?
...
The secure channel can only protect a session, not the data that need to
be re-used later.
The secure channel only delivers a request (or a token). But there is no
proof of authentication (or the means for non-repudiation) in the token
itself, unless the whole session has been recorded (and the key for it
has been stored).
Igor
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
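
The distinction drawn in the reply above, as an added example that is not part of the original thread: an archived record is audited after the secure channel is gone, and only a client signature stored with it lets the record prove anything by itself. The record format, function names and token value are constructed for illustration, and Ed25519 is an assumed choice of signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Record is what a protected resource archives per request (constructed format).
type Record struct {
	Request string // method, URI and parameters as received
	Token   string // opaque token presented by the client
	Sig     []byte // client signature; nil when the token was used as a bearer token
}

// payload binds the token to the request so neither can be swapped afterwards.
func payload(r Record) []byte { return []byte(r.Token + "\n" + r.Request) }

// SignRequest is the client side: sign the request and token with the client's private key.
func SignRequest(priv ed25519.PrivateKey, request, token string) Record {
	r := Record{Request: request, Token: token}
	r.Sig = ed25519.Sign(priv, payload(r))
	return r
}

// Audit runs after the TLS session has ended. It reports whether the stored
// record alone proves that the key holder issued exactly this request.
func Audit(pub ed25519.PublicKey, r Record) bool {
	if len(r.Sig) != ed25519.SignatureSize {
		return false // bearer-only record: nothing in it can be verified
	}
	return ed25519.Verify(pub, payload(r), r.Sig)
}

// Demo audits three archived records: signed, signed then altered, bearer-only.
func Demo() (signedOK, alteredOK, bearerOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed := SignRequest(priv, "POST /transfer amount=10", "tok-constructed-123")
	altered := signed
	altered.Request = "POST /transfer amount=1000" // record edited after the fact
	bearer := Record{Request: "POST /transfer amount=1000", Token: "tok-constructed-123"}
	return Audit(pub, signed), Audit(pub, altered), Audit(pub, bearer)
}

func main() {
	s, a, b := Demo()
	fmt.Println("signed:", s, "altered:", a, "bearer-only:", b)
}
```

The bearer-only record fails the audit not because it is known to be forged but because it carries no evidence either way, which is the gap a recorded session and its key would otherwise have to fill.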