> > When a token is issued, that’s when a secret should be provided if the > token is to be used with a signature. The specific mac algorithm can be > provided either with the token or at the resource endpoint (I don’t have a > strong feeling since we are only talking about symmetric secrets at this > point). > > > > I don’t think a token should be “upgraded” from bearer to a secret-enabled > using the refresh process. > > I agree. Independent of who actually decides the token type, this type > should be constant in authz and refreshment process. > > I think the resource endpoint should advertise the supported methods (e.g. > by way of a WWW-Authenticate-Header-Parameter), the client can ask the > authorization server for a specific token type incl. signature-method and > the authorization server may refuse such a request if it is unable to > provide an appropriate token type/secret. >
sure - so at the first request time, you can request. it is still possible to upgrade and download the token time during refresh (switch from non signature to signature based on the refresh)? -- Raffi Krikorian Twitter Platform Team http://twitter.com/raffi
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
