Hi Zhou, 

On Sep 10, 2012, at 11:46 AM, [email protected] wrote:

> 
> Hi, Hannes, 
>   Thank you for the clarity. 
>   Yes, it makes sense. 
>   Then http-mac and hot-sk are quite similar. Why do redundant work? 
> 

Even though the two solutions fall in the same category, that does not mean that they 
are equal. There are actually quite substantial differences between the two. 
However, they are just contributions to make progress in the discussions and we 
have not yet decided what to standardize. For that reason the requirements 
document was published recently. 

Ciao
Hannes

> 
> Hannes Tschofenig <[email protected]> wrote on 2012-09-10 16:06:34:
> 
> > Hi Zhou, 
> > 
> > here is the story. 
> > 
> > The Authorization Server gives an Access Token to the Client and the
> > client presents that Access Token to Resource Servers. 
> > This has not changed in comparison to Bearer Tokens.
> > 
> > However, in addition to just presenting the Access Token by the 
> > Client to the Resource Server the Client also needs to compute a 
> > keyed message digest on the access request to the protected resource. 
> > 
> > It needs a key to compute the keyed message digest. 
> > 
> > This key, called MAC key, is provided by the Authorization Server 
> > together with the Access Token. 
> > 
> > What is not said in the document is how the Resource Server obtains 
> > the MAC key from the Authorization Server. It is assumed to be shared 
> > somehow.
> > 
> > Hope that makes more sense. 
> > 
> > Ciao
> > Hannes
> > 
> > 
> > On Sep 10, 2012, at 10:57 AM, [email protected] wrote:
> > 
> > > 
> > > Hi, 
> > > 
> > >   I have a question concerning draft-ietf-oauth-v2-http-mac-01: 
> > >   The proposal is that the Client obtains MAC credentials (i.e., MAC 
> > > keys) from the Resource Server first, then the Client generates a MAC access 
> > > token using the MAC keys and sends the MAC access token to the RS, and the RS 
> > > recalculates the MAC access token to verify its validity, right? 
> > >   But in Section 5.1 it says the Authorization Server issues the 
> > > MAC access token. 
> > >   I am totally lost: 
> > >     if the AS is to issue the MAC access token, then for the RS to verify it, the 
> > > MAC key should be shared between the AS and the RS, and the Client doesn't have to know them; 
> > >     if the RS is to issue the MAC access token, then it does not conform to the 
> > > OAuth 2.0 framework.   
> > > 
> > > 
> > 
> > 

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

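The exchange Hannes describes above, as an added example that is not part of this thread or of draft-ietf-oauth-v2-http-mac-01 itself: the Authorization Server issues the access token together with a MAC key, the client proves possession of that key by computing an HMAC over each request to the Resource Server, and the RS recomputes the HMAC from a copy of the key it shares with the AS (here a plain dict stands in for the AS-to-RS key sharing the draft leaves unspecified). Token and key values, host names and nonces are constructed; the field order of the normalized request string follows the draft as I recall it and should be treated as an assumption. The timestamp window and nonce replay check are what a real RS needs in addition to the digest comparison, since a captured header with a valid MAC could otherwise be replayed.

```python
"""OAuth 2.0 MAC-style access tokens: AS issues token + MAC key, client
signs each request with the key, RS verifies with its shared copy.
Added example, not code from the draft or the thread."""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlsplit

ALGORITHMS = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}


def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    # Field order per the draft as I recall it (assumption): each element
    # terminated by a newline. Anything not covered here is not protected.
    return "\n".join([str(ts), nonce, method.upper(), request_uri,
                      host.lower(), str(port), ext]) + "\n"


def compute_mac(mac_key, mac_algorithm, normalized):
    tag = hmac.new(mac_key.encode(), normalized.encode(),
                   ALGORITHMS[mac_algorithm]).digest()
    return base64.b64encode(tag).decode()


def split_url(url):
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    request_uri = (p.path or "/") + ("?" + p.query if p.query else "")
    return request_uri, p.hostname, port


# --- Authorization Server --------------------------------------------------
def issue_mac_credentials(token_store, access_token=None, mac_key=None):
    """Build the token response sent to the client and record the same MAC
    key in token_store, the stand-in for AS<->RS key sharing (assumption)."""
    access_token = access_token or secrets.token_urlsafe(12)
    mac_key = mac_key or secrets.token_urlsafe(32)
    token_store[access_token] = {"mac_key": mac_key, "mac_algorithm": "hmac-sha-256"}
    return {"access_token": access_token, "token_type": "mac",
            "mac_key": mac_key, "mac_algorithm": "hmac-sha-256"}


# --- Client ----------------------------------------------------------------
def sign_request(creds, method, url, ts, nonce):
    """Return the Authorization header value for one request. Only the
    token id and the digest travel; the MAC key itself never does."""
    request_uri, host, port = split_url(url)
    normalized = normalized_request_string(ts, nonce, method, request_uri, host, port)
    mac = compute_mac(creds["mac_key"], creds["mac_algorithm"], normalized)
    return 'MAC id="%s", ts="%d", nonce="%s", mac="%s"' % (
        creds["access_token"], ts, nonce, mac)


# --- Resource Server -------------------------------------------------------
def parse_mac_header(value):
    if not value.startswith("MAC "):
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', value[4:]))


def verify_request(token_store, seen_nonces, method, url, auth_header, now, window=300):
    """Recompute the digest with the key shared by the AS. Returns (ok, reason)."""
    fields = parse_mac_header(auth_header)
    if not fields or not {"id", "ts", "nonce", "mac"} <= fields.keys():
        return False, "malformed header"
    entry = token_store.get(fields["id"])
    if entry is None:
        return False, "unknown token"
    if not fields["ts"].isdigit() or abs(now - int(fields["ts"])) > window:
        return False, "timestamp outside window"
    replay_key = (fields["id"], fields["ts"], fields["nonce"])
    if replay_key in seen_nonces:
        return False, "nonce replayed"
    request_uri, host, port = split_url(url)
    expected = compute_mac(entry["mac_key"], entry["mac_algorithm"],
                           normalized_request_string(fields["ts"], fields["nonce"],
                                                     method, request_uri, host, port))
    # Constant-time comparison so the check does not leak the expected digest.
    if not hmac.compare_digest(expected, fields["mac"]):
        return False, "bad mac"
    seen_nonces.add(replay_key)
    return True, "ok"


if __name__ == "__main__":
    store, nonces = {}, set()
    creds = issue_mac_credentials(store)  # AS -> client (and the RS's copy)
    url = "https://rs.example/resource/1?b=1"  # constructed
    hdr = sign_request(creds, "GET", url, 1336363200, "dj83hs9s")
    print(hdr)
    print(verify_request(store, nonces, "GET", url, hdr, 1336363200))
    print(verify_request(store, nonces, "GET", url, hdr, 1336363200))  # replay
```

Note what the RS never sees on the wire: the MAC key. It only sees the token id and a digest, which is why the key has to reach the RS by some AS-to-RS channel (the `token_store` here), exactly the gap Zhou's question points at. Presenting the token alone, bearer-style, fails at the header parse; changing the method, path or query after signing fails the digest check.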