It boils down to whatever parameter we add to request a token type being also 
available when refreshing a token. I am not sure there is a real justification 
for that, but I can go either way.

Anyone else with use cases for this?

EHL

From: Raffi Krikorian [mailto:[email protected]]
Sent: Friday, March 26, 2010 11:50 AM
To: Eran Hammer-Lahav
Cc: WG
Subject: Re: [OAUTH-WG] Thinking about our secrets for signatures

i believe in normal operation an application will choose once, and be done -- 
they will either signal that they want to use tokens under SSL, or use 
signatures.  the only concern i have is if an application decides at a later 
date that they would like to use a signature mechanism (or visa versa) they 
they should have an upgrade path (otherwise they would have to deprecate their 
tokens and re-authorize their users?).  its a (albeit remote) possibility for 
web based operations, and i doubt that we'll ever see a native application 
doing that.

On Fri, Mar 26, 2010 at 11:46 AM, Eran Hammer-Lahav 
<[email protected]<mailto:[email protected]>> wrote:
Why do you need to change the cryptographic properties of a token during 
refresh?

EHL

From: Raffi Krikorian [mailto:[email protected]<mailto:[email protected]>]
Sent: Friday, March 26, 2010 10:46 AM
To: Torsten Lodderstedt
Cc: Eran Hammer-Lahav; [email protected]<mailto:[email protected]>; WG

Subject: Re: [OAUTH-WG] Thinking about our secrets for signatures

When a token is issued, that's when a secret should be provided if the token is 
to be used with a signature. The specific mac algorithm can be provided either 
with the token or at the resource endpoint (I don't have a strong feeling since 
we are only talking about symmetric secrets at this point).

I don't think a token should be "upgraded" from bearer to a secret-enabled 
using the refresh process.
I agree. Independent of who actually decides the token type, this type should 
be constant in authz and refreshment process.

I think the resource endpoint should advertise the supported methods (e.g. by 
way of a WWW-Authenticate-Header-Parameter), the client can ask the 
authorization server for a specific token type incl. signature-method and the 
authorization server may refuse such a request if it is unable to provide an 
appropriate token type/secret.

sure - so at the first request time, you can request.  it is still possible to 
upgrade and download the token time during refresh (switch from non signature 
to signature based on the refresh)?

--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi



--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to