>
> When a token is issued, that’s when a secret should be provided if the
> token is to be used with a signature. The specific mac algorithm can be
> provided either with the token or at the resource endpoint (I don’t have a
> strong feeling since we are only talking about symmetric secrets at this
> point).
>
>
>
> I don’t think a token should be “upgraded” from bearer to a secret-enabled
> using the refresh process.
>
> I agree. Independent of who actually decides the token type, this type
> should be constant in authz and refreshment process.
>
> I think the resource endpoint should advertise the supported methods (e.g.
> by way of a WWW-Authenticate-Header-Parameter), the client can ask the
> authorization server for a specific token type incl. signature-method and
> the authorization server may refuse such a request if it is unable to
> provide an appropriate token type/secret.
>

sure - so at the first request time, you can request.  it is still possible
to upgrade and download the token time during refresh (switch from non
signature to signature based on the refresh)?

-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to