Hi James,

>
> So the OAuth client completes a TLS handshake with a protected resource using
> a raw key, but the protected resource doesn't get any authorization for that
> raw key until it sees an access_token which appears where? In an HTTP header
> somewhere in the App Data some time after the TLS handshake finishes?
>

The access token is conveyed in the HTTP exchange (similar to what bearer does). As such, the authorization decision would be done when the resource server receives the access token.

Ciao
Hannes

> --
> James Manger
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
