To understand your thinking a little more, Eran, as a not-hypothetical thought
experiment, how would you recommend that people specify JSON Web Tokens (JWTs)
in a parallel manner to your description below of using the MAC token type?
Would they use a token_type=JWT parameter to specify the token type? How would
you see this relating to the mac_algorithm, token_secret, and attributes
parameters below?
Thanks,
-- Mike
P.S. I described JWTs at http://self-issued.info/?p=349. A new draft
incorporating the consensus decisions reached at IIW will be published shortly.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Eran Hammer-Lahav
Sent: Thursday, December 02, 2010 1:04 PM
To: OAuth WG
Subject: [OAUTH-WG] Bikeshedding poll: 'attributes' parameter vs. attributes parameters
I'm defining a new token type: MAC based on my previous HTTP Token
authentication draft (which in turn was based on 1.0a HMAC-SHA1). This is being
drafted and implemented in my current project (in node.js). I will have a draft
to share shortly (I do not plan to make this a WG item, but will not object if
the group wants to).
When issuing a token, the authorization server needs to provide two additional
attributes:
- mac algorithm (hmac-sha1 and hmac-sha256 will be defined)
- secret
I have two options; extend the token response by registering:
1. Type specific parameters: 'mac_algorithm' and 'token_secret'
2. Generic parameter: 'attributes' with some form of key-value pairs
I prefer #1 because it is much simpler. However, #2 is cleaner and better if we
end up with a lot of token types.
So I'm going with #1 but open to other suggestions and feedback.
EHL
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth