Oops, just noticed a typo in my previous message, I meant:

" The part that's puzzling me is the RFC says the client authenticates using 
*both* the Client Credentials and the _Temporary_ Credentials in the Token 
Credentials Request.  I could understand one or the other, but why both? (and 
incidentally, how can it provide both?)  Clearly the _Temporary_ Credentials 
identifier is needed, as it is part of the Token Credentials Request; it's only 
the shared secret I'm wondering about (the "oauth_token_secret" part of the 
response to the Temporary Credentials Request)."

Sorry!

- Craig.

From: [email protected] [mailto:[email protected]] On Behalf Of Craig 
Heath
Sent: 02 March 2011 18:05
To: [email protected]
Subject: [OAUTH-WG] RFC5849 - Purpose of Temporary Credentials Shared Secret?

Hello!  Can some kind soul help me understand the purpose of the shared secret 
part of the Temporary Credentials in RFC5849?

- The client authenticates using the Client Credentials, and gets the Temporary 
Credentials.
- The Resource Owner gives their authorization.
- The Temporary Credentials are then used in the Token Credentials Request.

The part that's puzzling me is the RFC says the client authenticates using 
*both* the Client Credentials and the Token Credentials in the Token 
Credentials Request.  I could understand one or the other, but why both? (and 
incidentally, how can it provide both?)  Clearly the Token Credentials 
identifier is needed, as it is part of the Token Credentials Request; it's only 
the shared secret I'm wondering about (the "oauth_token_secret" part of the 
response to the Temporary Credentials Request).

My best guess so far is that it is intended to allow for the case when the 
Client Credentials are not secret, but in that case why use the Client 
Credentials at all in the Token Credential Request?

Thanks for any light shed on this!

- Craig Heath.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
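
Added example, not part of the original thread: with RFC 5849's HMAC-SHA1 method the signing key is the client shared secret and the token shared secret joined by "&", so a single signature on the Token Credentials Request depends on both secrets. The URL, identifiers and secrets below are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """Percent-encode per RFC 5849 section 3.6 (only unreserved characters stay literal)."""
    return quote(value, safe="")


def base_string(method: str, uri: str, params: dict) -> str:
    """Signature base string (section 3.4.1): method, base URI, sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(uri), pct(normalized)])


def sign(method, uri, params, client_secret, token_secret=""):
    """HMAC-SHA1 (section 3.4.2): key = client secret "&" token secret."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, uri, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def verify(method, uri, params, signature, client_secret, token_secret):
    """Server side: recompute with both stored secrets, compare in constant time."""
    expected = sign(method, uri, params, client_secret, token_secret)
    return hmac.compare_digest(expected, signature)


# Constructed placeholder values, not taken from the thread.
URI = "https://server.example/token"
CLIENT_SECRET = "client-secret-placeholder"
TEMP_SECRET = "temporary-secret-placeholder"  # oauth_token_secret from the temporary credentials response
PARAMS = {
    "oauth_consumer_key": "client-id-placeholder",
    "oauth_token": "temporary-id-placeholder",
    "oauth_verifier": "verifier-placeholder",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1299089100",
    "oauth_nonce": "nonce-placeholder",
}

if __name__ == "__main__":
    both = sign("POST", URI, PARAMS, CLIENT_SECRET, TEMP_SECRET)
    client_only = sign("POST", URI, PARAMS, CLIENT_SECRET)
    print("both secrets:", verify("POST", URI, PARAMS, both, CLIENT_SECRET, TEMP_SECRET))
    print("client secret only:", verify("POST", URI, PARAMS, client_only, CLIENT_SECRET, TEMP_SECRET))
```

For the earlier Temporary Credentials Request no token secret exists yet, so the same key is the client secret followed by a bare "&".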
