Hi,
I have a question concerning draft-ietf-oauth-v2-http-mac-01:
The proposal is that the Client obtains MAC credentials (i.e., MAC keys) from
the Resource Server first, then the Client generates a MAC access token using
the MAC keys and sends the MAC access token to the RS, and the RS recalculates
the MAC access token to verify its validity, right?
But in Section 5.1 it says the Authorization server issues the MAC
access token.
I am totally lost:
if the AS is to issue the MAC access token, then for the RS to verify it, the
MAC key should be shared between the AS and the RS, and the Client doesn't have
to know it;
if the RS is to issue the MAC access token, then it does not conform to the
OAuth 2.0 framework.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
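The sign-and-recompute step the message asks about, as an added example that is not part of the original message or of the draft: a client computes a MAC over request fields with a key it holds, and a resource server holding the same key recomputes it. The field layout, key values, HMAC-SHA-256 choice and all names are assumptions for illustration, not the draft's exact normalized request string, and the example takes no position on which party issued the key.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials (assumed values, not taken from the draft).
MAC_KEY_ID = "example-key-id"
MAC_KEY = b"constructed-shared-secret"

def normalized_request(*fields):
    # Assumed layout: every field followed by a newline, in a fixed order.
    return "".join(f"{f}\n" for f in fields).encode()

def client_mac(key, ts, nonce, method, uri, host, port):
    # Client side: the key itself is never sent, only the MAC over the request.
    msg = normalized_request(ts, nonce, method, uri, host, port)
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

class ResourceServer:
    def __init__(self, keys, max_skew=300):
        self.keys = keys          # key id -> shared MAC key
        self.max_skew = max_skew  # accepted clock difference in seconds
        self.seen = set()         # (key id, ts, nonce) already accepted

    def verify(self, key_id, mac, ts, nonce, method, uri, host, port, now):
        key = self.keys.get(key_id)
        if key is None:
            return "unknown key id"
        if abs(now - ts) > self.max_skew:
            return "stale timestamp"
        expected = client_mac(key, ts, nonce, method, uri, host, port)
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return "bad mac"
        # Record the nonce only after the MAC checks out, so unauthenticated
        # requests cannot fill the replay cache.
        if (key_id, ts, nonce) in self.seen:
            return "replay"
        self.seen.add((key_id, ts, nonce))
        return "ok"

def demo():
    rs = ResourceServer({MAC_KEY_ID: MAC_KEY})
    req = (1000, "n1", "GET", "/r/1", "example.com", 443)
    mac = client_mac(MAC_KEY, *req)
    tampered = (1000, "n2", "GET", "/r/2", "example.com", 443)
    return [rs.verify(MAC_KEY_ID, mac, *req, now=1010),
            rs.verify(MAC_KEY_ID, mac, *req, now=1010),
            rs.verify(MAC_KEY_ID, mac, *tampered, now=1010)]
```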