Hi,

Amos,

I believe that the draft addresses the replay matters by specifying the validity time field. Do you see a problem with that?

I did not see any such validity time field in the HTTP mechanisms. You mean the validity period of the token itself? That would be irrelevant, as the case I am raising is for software which does not support Bearer specs.

Even if the software is not aware of the bearer spec, a token that becomes invalid after a certain time span cannot successfully be replayed any longer.

General note: I do not understand why caching proxies should impose a problem in case TLS is used (end2end). Could you please explain?

regards,
Torsten.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth