Hi Zhou, 

here is the story. 

The Authorization Server gives an Access Token to the Client and the client 
presents that Access Token to Resource Servers. 
This has not changed in comparison to Bearer Tokens.

However, in addition to presenting the Access Token to the Resource Server, the 
Client also needs to compute a keyed message digest on the access request to the 
protected resource. 

It needs a key to compute the keyed message digest. 

This key, called the MAC key, is provided by the Authorization Server together with 
the Access Token. 

What is not said in the document is how the Resource Server obtains the MAC key 
from the Authorization Server. It is assumed to be shared somehow.

Hope that makes more sense. 

Ciao
Hannes

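The three-party flow Hannes describes, as an added example that is not part of the original thread or the draft: the AS mints a token id plus MAC key, the client signs each request with that key, and the RS recomputes the digest using a key it obtained from the AS (modelled here as a shared in-memory dict, since the draft leaves that sharing unspecified). The normalized request string is my own simplified rendering of the request elements, not the draft's exact format.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the AS/RS key sharing the mail says the draft leaves
# unspecified: here both parties simply read the same in-memory dict.
SHARED_MAC_KEYS: dict[str, bytes] = {}

def as_issue_token() -> tuple[str, bytes]:
    """Authorization Server: mint an access token id and its MAC key, hand both to the client."""
    token_id, mac_key = secrets.token_urlsafe(16), secrets.token_bytes(32)
    SHARED_MAC_KEYS[token_id] = mac_key  # assumption: shared with the RS out of band
    return token_id, mac_key

def normalized_request_string(ts: int, nonce: str, method: str, uri: str, host: str, port: int) -> str:
    """Request elements covered by the digest (simplified rendering, ext attribute left empty)."""
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(), str(port), ""]) + "\n"

def compute_mac(mac_key: bytes, nrs: str) -> str:
    return base64.b64encode(hmac.new(mac_key, nrs.encode(), hashlib.sha256).digest()).decode()

def client_authorization_header(token_id, mac_key, method, uri, host, port, ts=None, nonce=None) -> str:
    """Client: sign the request with the MAC key received alongside the access token."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = compute_mac(mac_key, normalized_request_string(ts, nonce, method, uri, host, port))
    return f'MAC id="{token_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'

def parse_mac_header(header: str) -> dict:
    if not header.startswith("MAC "):
        raise ValueError("not a MAC scheme header")
    return {k.strip(): v.strip().strip('"') for k, v in (p.split("=", 1) for p in header[4:].split(","))}

def rs_verify(header, method, uri, host, port, now=None, max_skew=300) -> bool:
    """Resource Server: recompute the digest with the shared MAC key and compare in constant time."""
    try:
        attrs = parse_mac_header(header)
        mac_key, ts = SHARED_MAC_KEYS[attrs["id"]], int(attrs["ts"])
    except (ValueError, KeyError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:  # stale timestamp: reject before doing any crypto
        return False
    expected = compute_mac(mac_key, normalized_request_string(ts, attrs["nonce"], method, uri, host, port))
    return hmac.compare_digest(expected, attrs["mac"])
```

Unlike a bearer token, a captured header only authorizes the exact request it was computed over: changing the URI or replaying it after the timestamp window fails verification.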

On Sep 10, 2012, at 10:57 AM, [email protected] wrote:

> 
> Hi, 
> 
>   I have a question concerning draft-ietf-oauth-v2-http-mac-01: 
>   The proposal is that the Client obtains MAC credentials (i.e., MAC keys) from 
> the Resource Server first, then the Client generates a MAC access token using the MAC keys, 
> and sends the MAC access token to the RS, and the RS recalculates the MAC access token to verify 
> its validity, right? 
>   But in Section 5.1 it says the Authorization server issues the MAC access 
> token. 
>   I am totally lost: 
>     if the AS issues the MAC access token, then for the RS to verify it, the MAC key 
> should be shared between the AS and the RS, and the Client doesn't have to know them; 
>     if the RS issues the MAC access token, then it is not conforming to the OAuth 2.0 
> framework.
> 
> 
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
