On Sun, May 30, 2010 at 11:55 AM, Torsten Lodderstedt
<tors...@lodderstedt.net> wrote:
> Regarding client secrets: One of the major obstacles when using OAuth 1.0 in
> large deployments is the need for sharing client secrets between authz
> server and resource server. Overcoming that obstacle was an important
> requirement for OAuth2 from the beginning, expressed by a lot of people.

There are actually a bunch of fundamentally conflicting requirements
for signatures from the various folks contributing to this working
group.

- no shared secrets with protected resources at all

- no permanent shared secrets with protected resources

- no shared secrets with clients

- allow access tokens to be used by multiple clients without sharing
consumer secrets

- don't allow access tokens to be shared by multiple clients

- don't use public key, because it's slow

- use public key, because it makes key distribution easier

- don't use cryptography at all, because it's too complicated

- don't use bearer tokens at all, because they might leak

- keep access tokens short

- encode lots of information in the access token

I'm sure I'm forgetting some.

For the record, I think *every single one* of those requirements makes
sense in certain contexts.

I'm pretty sure we're going to be able to agree on the cryptographic
primitives without too much trouble.

But we're going to have to split out profiles to deal with the
different key distribution challenges.

Cheers,
Brian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth