It limits the ability to exchange the token in cases where the client has no private secret, or if the client has multiple instances using the same credentials (providing isolation between them). You need to make your own security analysis of the protocol and your needs.

EHL

From: [email protected] [mailto:[email protected]] On Behalf Of Craig Heath
Sent: Wednesday, March 02, 2011 12:57 PM
To: [email protected]
Subject: Re: [OAUTH-WG] RFC5849 - Purpose of Temporary Credentials Shared Secret?

Thanks for the quick response! Can I ask a more specific question: What's the security purpose of the Temporary Credentials shared secret? If an implementation were to, say, always use an empty string, would it make any difference to the security of the protocol?

- Craig.

-----Original Message-----
From: Eran Hammer-Lahav
Sent: 02-03-2011, 8:27 pm
To: Craig Heath; [email protected]
Subject: RE: RFC5849 - Purpose of Temporary Credentials Shared Secret?

Because it uses the same method of making authenticated requests as everything else. It's just a result of pushing everything through a single function.

EHL

From: [email protected] [mailto:[email protected]] On Behalf Of Craig Heath
Sent: Wednesday, March 02, 2011 10:05 AM
To: [email protected]
Subject: [OAUTH-WG] RFC5849 - Purpose of Temporary Credentials Shared Secret?

Hello! Can some kind soul help me understand the purpose of the shared secret part of the Temporary Credentials in RFC5849?

- The client authenticates using the Client Credentials, and gets the Temporary Credentials.
- The Resource Owner gives their authorization.
- The Temporary Credentials are then used in the Token Credentials Request.

The part that's puzzling me is the RFC says the client authenticates using *both* the Client Credentials and the Token Credentials in the Token Credentials Request. I could understand one or the other, but why both? (and incidentally, how can it provide both?) Clearly the Token Credentials identifier is needed, as it is part of the Token Credentials Request; it's only the shared secret I'm wondering about (the "oauth_token_secret" part of the response to the Temporary Credentials Request).

My best guess so far is that it is intended to allow for the case when the Client Credentials are not secret, but in that case why use the Client Credentials at all in the Token Credential Request? Thanks for any light shed on this!

- Craig Heath.
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
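The following is an added worked example, not code from the thread, from the RFC, or from any OAuth library. It implements the RFC 5849 HMAC-SHA1 signing rule (signing key = percent-encoded client secret, "&", percent-encoded token secret) and a toy server whose single verification routine handles both the temporary credentials request (token secret empty) and the token credentials request (token secret = the temporary credentials secret). It then plays out the two cases raised above: a second instance holding the same client credentials, which sees oauth_token and oauth_verifier on the callback but never received oauth_token_secret, tries to redeem the temporary credentials; and a server that, as Craig proposed, always issues an empty temporary secret. All consumer keys, secrets, endpoint URIs and the verifier delivery are constructed for the example; in the real protocol the verifier reaches the client through the resource owner's callback.

```python
"""Added example (not code from the thread or from any OAuth library):
a minimal RFC 5849 signer and server showing what the temporary
credentials shared secret buys during the token credentials request.
All identifiers, secrets and URIs below are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

INITIATE_URI = "https://photos.example.net/initiate"   # constructed endpoints
TOKEN_URI = "https://photos.example.net/token"
CLIENT_KEY = "dpf43f3p2l4k3l03"                         # constructed consumer key


def pct(s: str) -> str:
    """RFC 5849 section 3.6: percent-encode everything except RFC 3986 unreserved."""
    return quote(s, safe="")


def signature_base_string(method: str, base_uri: str, params: dict) -> str:
    """RFC 5849 section 3.4.1: METHOD & enc(base URI) & enc(normalized params).
    oauth_signature itself is never part of the base string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def hmac_sha1_signature(method, base_uri, params, client_secret, token_secret):
    """RFC 5849 section 3.4.2: key = enc(client secret) & enc(token secret).
    The token secret is the empty string when the client holds no token yet."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, base_uri, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign(method, uri, params, client_secret, token_secret):
    """Add the protocol parameters every request carries, then the signature."""
    params = dict(params, oauth_signature_method="HMAC-SHA1",
                  oauth_timestamp=str(int(time.time())),
                  oauth_nonce=secrets.token_hex(8))
    params["oauth_signature"] = hmac_sha1_signature(method, uri, params, client_secret, token_secret)
    return params


class Server:
    """One verification routine serves both requests; only the token secret differs."""

    def __init__(self, clients, empty_temp_secret=False):
        self.clients = dict(clients)          # consumer key -> client secret ("" for a public client)
        self.temp = {}                        # temp identifier -> (consumer key, temp secret, verifier)
        self.empty_temp_secret = empty_temp_secret   # Craig's "always use an empty string" variant

    def _verify(self, method, uri, params, token_secret):
        client_secret = self.clients.get(params.get("oauth_consumer_key"))
        if client_secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        expected = hmac_sha1_signature(method, uri, params, client_secret, token_secret)
        return hmac.compare_digest(expected, params.get("oauth_signature", ""))

    def temporary_credentials_request(self, params):
        """Section 2.1: signed with the client credentials alone (token secret "")."""
        if not self._verify("POST", INITIATE_URI, params, ""):
            return None
        ident, verifier = secrets.token_hex(8), secrets.token_hex(4)
        secret = "" if self.empty_temp_secret else secrets.token_hex(16)
        self.temp[ident] = (params["oauth_consumer_key"], secret, verifier)
        return ident, secret, verifier       # verifier really arrives via the owner's callback

    def token_credentials_request(self, params):
        """Section 2.3: signed with the client credentials AND the temporary secret."""
        entry = self.temp.get(params.get("oauth_token"))
        if entry is None:
            return False
        owner_key, temp_secret, verifier = entry
        if owner_key != params.get("oauth_consumer_key") or verifier != params.get("oauth_verifier"):
            return False
        if not self._verify("POST", TOKEN_URI, params, temp_secret):
            return False
        del self.temp[params["oauth_token"]]  # temporary credentials are single-use
        return True


def redeem(server, client_secret, ident, verifier, token_secret):
    """Attempt the token credentials request with a given token secret."""
    req = sign("POST", TOKEN_URI,
               {"oauth_consumer_key": CLIENT_KEY, "oauth_token": ident, "oauth_verifier": verifier},
               client_secret, token_secret)
    return server.token_credentials_request(req)


def run(client_secret, empty_temp_secret=False):
    """Fresh server per case. 'without_temp_secret' models a second instance that
    shares the client credentials and saw the callback, but never got the secret."""
    results = {}
    for label, knows_secret in (("without_temp_secret", False), ("with_temp_secret", True)):
        server = Server({CLIENT_KEY: client_secret}, empty_temp_secret)
        ident, temp_secret, verifier = server.temporary_credentials_request(
            sign("POST", INITIATE_URI, {"oauth_consumer_key": CLIENT_KEY, "oauth_callback": "oob"},
                 client_secret, ""))
        results[label] = redeem(server, client_secret, ident, verifier, temp_secret if knows_secret else "")
    return results
```

With a random temporary secret, `run("kd94hf93k423kf44")` and `run("")` (a client with no private secret) both give `{"without_temp_secret": False, "with_temp_secret": True}`: only the instance that received oauth_token_secret over the (TLS-protected) temporary credentials response can finish the exchange, whether or not the client secret is itself secret. With `run("kd94hf93k423kf44", empty_temp_secret=True)` both attempts succeed, which is the concrete answer to the "empty string" question: the client credentials then do all the work, so any party holding them plus the callback parameters can redeem the temporary credentials.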
