The problem is that the token has no state about the transaction.  Is the 
transaction already determined when the token is issued?  If so then put the 
transaction data in the token and make it non-repeatable.

If this is an auth token for an arbitrary single action you have to put some 
form of replay protection on the protected resource, or you can immediately 
revoke the token after use against a revocation API and make sure the RP is 
checking for revoked tokens against the same API/endpoint.  You do have a race 
here, so you have to sort out what you'll make synchronous calls against for 
this.

Regards,

-bill
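
As an added illustration of the two points above (bind the transaction data into the token, and consume the token atomically so the replay race has a single synchronous decision point), here is example code that is not part of this thread and not anyone's production implementation. It assumes a hypothetical shared HMAC key between the authorization server and the resource server (a real deployment would use JWS signing keys or a token introspection/revocation endpoint), an in-memory set standing in for the shared "consumed token" store, and a lock standing in for the synchronous call against that store. Transaction contents and client id are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import secrets
import threading
import time

# Hypothetical shared secret between the authorization server and the
# resource server (an assumption of this example, not a recommended design).
SIGNING_KEY = b"example-shared-secret-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, transaction: dict, ttl_seconds: int = 300) -> str:
    """Authorization server side: the transaction is known at issue time, so it
    is bound into the token together with a random single-use id (jti)."""
    payload = {
        "client_id": client_id,
        "txn": transaction,             # the one operation this token may perform
        "jti": secrets.token_hex(16),   # replay-detection key
        "exp": int(time.time()) + ttl_seconds,
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class TransactionResource:
    """Resource server side: verifies the token, checks that the request is
    exactly the transaction the token was issued for, then marks the token
    consumed under a lock so a concurrent replay cannot also get through."""

    def __init__(self):
        self._consumed = set()          # stand-in for the shared revocation store
        self._lock = threading.Lock()   # stand-in for the synchronous check call

    def _verify(self, token: str) -> dict:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            raise PermissionError("bad signature")
        payload = json.loads(_unb64(body))
        if payload["exp"] < time.time():
            raise PermissionError("token expired")
        return payload

    def perform(self, token: str, requested_txn: dict) -> str:
        payload = self._verify(token)
        if payload["txn"] != requested_txn:
            raise PermissionError("token not issued for this transaction")
        # Check-and-mark in one critical section: the first caller consumes the
        # jti; every later caller, including a parallel replay, is rejected.
        with self._lock:
            if payload["jti"] in self._consumed:
                raise PermissionError("token already used")
            self._consumed.add(payload["jti"])
        return f"applied {requested_txn['op']} to record {requested_txn['record']}"


def demo() -> dict:
    """Constructed walk-through: first use succeeds, a replay is refused, and a
    token for one transaction cannot be spent on a different one."""
    rs = TransactionResource()
    txn = {"op": "update", "record": 42, "field": "title", "value": "new"}
    token = issue_token("client-abc", txn)
    results = {"first": rs.perform(token, txn)}
    for name, attempt in (("replay", txn), ("other_txn", {**txn, "record": 43})):
        try:
            rs.perform(token, attempt)
            results[name] = "accepted"
        except PermissionError as err:
            results[name] = str(err)
    return results


def concurrent_replay(n: int = 20) -> int:
    """Constructed race: n threads present the same token at once; the lock
    guarantees exactly one of them is allowed to perform the transaction."""
    rs = TransactionResource()
    txn = {"op": "update", "record": 7}
    token = issue_token("client-abc", txn)
    successes = []

    def attempt():
        try:
            rs.perform(token, txn)
            successes.append(1)
        except PermissionError:
            pass

    threads = [threading.Thread(target=attempt) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(successes)


if __name__ == "__main__":
    print(demo())
    print("winners in concurrent replay:", concurrent_replay())
```

The transaction-equality check is what makes the token useless for anything but the single update it was issued for; the locked check-and-mark is the synchronous step the reply says you have to decide on, since a revocation call made after the resource has already been updated leaves a window in which a second copy of the token can still be accepted.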



________________________________
From: Declan Newman <[email protected]>
To: [email protected]
Cc: Will Simpson <[email protected]>; Geoffrey Bilder 
<[email protected]>
Sent: Tuesday, November 8, 2011 1:58 AM
Subject: [OAUTH-WG] Single transaction token


Hello,

We're currently implementing an OAuth 2 provider for a client, who needs to have 
the facility to authenticate/authorise a client to update in a single 
transaction.

Is there a way to specify the validity of a token on a per-transaction basis, 
as opposed to a timeframe?

Any help much appreciated.

Regards,

Dec


----------------------------------------------------------------------------
Declan Newman, Development Team Leader,
Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
<mailto:[email protected]>
<tel:+44-1273-358247> 

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
