i believe in normal operation an application will choose once, and be done
-- they will either signal that they want to use tokens under SSL, or use
signatures.  the only concern i have is if an application decides at a later
date that they would like to use a signature mechanism (or visa versa) they
they should have an upgrade path (otherwise they would have to deprecate
their tokens and re-authorize their users?).  its a (albeit remote)
possibility for web based operations, and i doubt that we'll ever see a
native application doing that.

On Fri, Mar 26, 2010 at 11:46 AM, Eran Hammer-Lahav <[email protected]>wrote:

> Why do you need to change the cryptographic properties of a token during
> refresh?
>
>
>
> EHL
>
>
>
> *From:* Raffi Krikorian [mailto:[email protected]]
> *Sent:* Friday, March 26, 2010 10:46 AM
> *To:* Torsten Lodderstedt
> *Cc:* Eran Hammer-Lahav; [email protected]; WG
>
> *Subject:* Re: [OAUTH-WG] Thinking about our secrets for signatures
>
>
>
> When a token is issued, that’s when a secret should be provided if the
> token is to be used with a signature. The specific mac algorithm can be
> provided either with the token or at the resource endpoint (I don’t have a
> strong feeling since we are only talking about symmetric secrets at this
> point).
>
>
>
> I don’t think a token should be “upgraded” from bearer to a secret-enabled
> using the refresh process.
>
> I agree. Independent of who actually decides the token type, this type
> should be constant in authz and refreshment process.
>
> I think the resource endpoint should advertise the supported methods (e.g.
> by way of a WWW-Authenticate-Header-Parameter), the client can ask the
> authorization server for a specific token type incl. signature-method and
> the authorization server may refuse such a request if it is unable to
> provide an appropriate token type/secret.
>
>
>
> sure - so at the first request time, you can request.  it is still possible
> to upgrade and download the token time during refresh (switch from non
> signature to signature based on the refresh)?
>
>
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
>



-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to