Hi Sergey,
> In our case we have structured access tokens and MAC key is simply
> treated as an extra token property
>

Since the token is opaque to the Client, a key transported inside the Access Token (hopefully encrypted) can only be meant for consumption by the Resource Server. But you are right that this is an alternative to transporting the key from the Authorization Server to the Resource Server.

This still leaves the question about how the Client obtains that key and, as mentioned in my other mail to Zhou, there are really only two ways to do that.

Ciao
Hannes

> Cheers, Sergey
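The arrangement discussed in this message, as an added example that is not part of the thread or of any OAuth draft: the Authorization Server places the MAC key inside an encrypted structured token that only the Resource Server can open. The function names, the `mac_key` field, the `AS_RS_KEY` shared key and the request string layout are hypothetical, and delivery of the key to the Client is assumed to happen by a separate path.

```javascript
const crypto = require('crypto');

// Constructed key known only to the Authorization Server (AS) and Resource Server (RS).
const AS_RS_KEY = crypto.randomBytes(32);

// AS: carry the MAC key as one more token property, AES-256-GCM encrypted for the RS.
function issueToken(claims) {
  const macKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', AS_RS_KEY, iv);
  const body = JSON.stringify({ ...claims, mac_key: macKey.toString('base64') });
  const ct = Buffer.concat([c.update(body, 'utf8'), c.final()]);
  const token = Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
  // Assumption: macKey reaches the Client separately; it cannot read it from the token.
  return { token, macKey };
}

// Client: MAC the request with its own copy of the key; the token stays opaque to it.
// The newline-joined request string is a constructed layout, not a standard one.
function signRequest(macKey, method, path, nonce) {
  return crypto.createHmac('sha256', macKey)
    .update(`${method}\n${path}\n${nonce}`).digest();
}

// RS: decrypt the token, recover the MAC key, verify the request MAC in constant time.
// Returns the token claims (without the key) or null on any failure.
function verifyRequest(token, method, path, nonce, mac) {
  try {
    const raw = Buffer.from(token, 'base64');
    const d = crypto.createDecipheriv('aes-256-gcm', AS_RS_KEY, raw.subarray(0, 12));
    d.setAuthTag(raw.subarray(12, 28));
    const body = Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
    const { mac_key, ...claims } = JSON.parse(body);
    const expected = signRequest(Buffer.from(mac_key, 'base64'), method, path, nonce);
    if (mac.length !== expected.length || !crypto.timingSafeEqual(mac, expected)) return null;
    return claims;
  } catch (e) {
    return null; // tampered, truncated or malformed token
  }
}
```

Nonce replay tracking at the Resource Server is left out to keep the example short.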
