The problem is that the token has no state about the transaction. Is the
transaction already determined when the token is issued? If so then put the
transaction data in the token and make it non-repeatable.
If this is an auth token for an arbitrary single action you have to put some
form of replay protection on the protected resource, or you can immediately
revoke the token after use against a revocation API and make sure the RP is
checking for revoked tokens against the same API/endpoint. You do have a race
here, so you have to sort out what you'll make synchronous calls against for
this.
Regards,
-bill
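The two parts of the reply above (bind the already-determined transaction into the token so it cannot be used for any other one, and give the protected resource an atomic, per-token replay check so a consumed token cannot be presented twice) as an added Python example; this is not code from the thread or from either poster. It assumes a token format of its own (canonical JSON claims plus an HMAC-SHA256 signature), a constructed signing key, constructed transaction data, and the claim names jti, exp and txn, all chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import threading
import time

# Constructed demo key; a real authorization server keeps this in an HSM or KMS.
DEMO_KEY = b"constructed-demo-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> bytes:
    # Canonical JSON so the bytes we sign are exactly the bytes we verify.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_transaction_token(transaction: dict, ttl_seconds: int = 300,
                            key: bytes = DEMO_KEY) -> str:
    """Issue a token bound to one already-determined transaction.

    The transaction data travels inside the token so the resource server can
    check that the request matches it, and a random jti gives the resource
    server a single-use identifier to record once the token is consumed.
    """
    claims = {
        "jti": _b64(os.urandom(16)),
        "exp": int(time.time()) + ttl_seconds,
        "txn": transaction,
    }
    body = _encode_claims(claims)
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


class ReplayGuard:
    """Replay protection on the protected resource: remembers consumed jtis.

    Check-and-record must be atomic, otherwise two concurrent requests
    carrying the same token can both pass (the race the reply warns about).
    A lock is enough within one process; across several resource-server
    instances this becomes a synchronous call to a shared store, e.g. an
    INSERT into a table with a unique constraint on jti.
    """

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._consumed = {}  # jti -> exp

    def consume(self, jti: str, exp: int) -> bool:
        with self._lock:
            now = int(time.time())
            # Forget entries whose token would fail the expiry check anyway.
            for old_jti, old_exp in list(self._consumed.items()):
                if old_exp < now:
                    del self._consumed[old_jti]
            if jti in self._consumed:
                return False
            self._consumed[jti] = exp
            return True


def verify_and_consume(token: str, requested_transaction: dict,
                       guard: ReplayGuard, key: bytes = DEMO_KEY) -> tuple:
    """Resource-server side check. Returns (accepted, reason)."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        claims = json.loads(body)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if claims["exp"] < int(time.time()):
        return False, "expired"
    # Binding check: the request must be exactly the transaction the token was
    # issued for, so a captured token is useless for any other transaction.
    if claims["txn"] != requested_transaction:
        return False, "transaction mismatch"
    # Consumed last, so a rejected request does not burn a still-valid token.
    if not guard.consume(claims["jti"], claims["exp"]):
        return False, "replayed"
    return True, "accepted"


if __name__ == "__main__":
    guard = ReplayGuard()
    txn = {"account": "acct-123", "amount": "42.00", "currency": "GBP"}  # constructed
    token = issue_transaction_token(txn)
    print(verify_and_consume(token, txn, guard))  # (True, 'accepted')
    print(verify_and_consume(token, txn, guard))  # (False, 'replayed')
```

The ordering in verify_and_consume matters: signature, expiry and transaction binding are checked before the jti is recorded, so only a request that would actually be honoured consumes the token, and the consume step itself is the one place that has to be serialised.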
________________________________
From: Declan Newman <[email protected]>
To: [email protected]
Cc: Will Simpson <[email protected]>; Geoffrey Bilder
<[email protected]>
Sent: Tuesday, November 8, 2011 1:58 AM
Subject: [OAUTH-WG] Single transaction token
Hello,
We're currently implementing an OAuth 2 provider for a client, who needs to have
the facility to authenticate/authorise a client to update in a single
transaction.
Is there a way to specify the validity of a token on a per-transaction basis,
as opposed to a timeframe?
Any help much appreciated.
Regards,
Dec
----------------------------------------------------------------------------
Declan Newman, Development Team Leader,
Semantico, Floor 1, 21-23 Dyke Road, Brighton BN1 3FE
<mailto:[email protected]>
<tel:+44-1273-358247>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth