On 14.07.2010 23:52, Brian Eaton wrote:
On Wed, Jul 14, 2010 at 2:48 PM, Torsten Lodderstedt
<[email protected]>  wrote:
Yepp. That's an optimization of use case 2. That way the authz server does
not need to store the authorization transaction's results in a database and
there is no need to perform a second request.
The authorization server doesn't need to store the transaction results
in a database regardless, the authorization code can be a signed
message.

That's indeed an option. But then the whole data is transported twice between authz server and client.

The second request (as you pointed out in your original mail) is
currently used to verify the client identity.  Do you have a
suggestion for an alternate mechanism?

A digital signature over the authz request? Alternatively, the authz server could encrypt the authz response.

regards,
Torsten.
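An added illustration of the "authorization code as a signed message" approach discussed above (example code, not from this thread or any OAuth implementation): the authz server carries the transaction result inside an HMAC-signed code instead of a database row, and the token endpoint checks that the client redeeming it is the client it was issued to. The server key, field names and TTL are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key for the example only; a real server loads it from a secret store.
SERVER_KEY = b"example-only-authz-server-hmac-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_code(key, client_id, redirect_uri, scope, user, now=None, ttl=60):
    """Stateless authorization code: the transaction result, HMAC-signed.
    Nothing is stored server-side; the code itself carries the data."""
    now = int(time.time()) if now is None else now
    payload = {"client_id": client_id, "redirect_uri": redirect_uri,
               "scope": scope, "user": user, "exp": now + ttl,
               "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + tag


def redeem_code(key, code, client_id, redirect_uri, now=None):
    """Token-endpoint side: verify signature and expiry, then check that the
    redeeming client (already authenticated by the endpoint) matches the code.
    Returns the payload, or None on any failure. One-time use still needs a
    short-lived replay cache keyed on 'nonce'; a signature alone cannot give it."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = code.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if payload.get("exp", 0) <= now:
        return None
    if payload.get("client_id") != client_id or payload.get("redirect_uri") != redirect_uri:
        return None
    return payload
```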

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
