Hannes Tschofenig <[email protected]> writes:
> Hi Zhou,
>
> here is the story.
>
> The Authorization Server gives an Access Token to the Client and the Client
> presents that Access Token to Resource Servers.
> This has not changed in comparison to Bearer Tokens.
>
> However, in addition to just presenting the Access Token to the Resource
> Server, the Client also needs to compute a keyed message digest on the
> access request to the protected resource.
>
> It needs a key to compute the keyed message digest.
>
> This key, called MAC key, is provided by the Authorization Server together
> with the Access Token.
>
> What is not said in the document is how the Resource Server obtains the MAC
> key from the Authorization Server. It is assumed to be shared somehow.
It could even, theoretically, be included in the Access Token!
> Hope that makes more sense.
>
> Ciao
> Hannes
-derek
--
Derek Atkins 617-623-3745
[email protected] www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
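The exchange Hannes describes above, as an added example that is not part of this thread and not code from the OAuth MAC draft: the Authorization Server issues an access token together with a MAC key, the Client computes an HMAC over a normalized form of its request and sends it with the token, and the Resource Server recomputes the HMAC and rejects stale, replayed or tampered requests. The one point the draft leaves open, how the Resource Server obtains the MAC key, is handled here by one assumed choice: the AS and RS share a long-term secret and the per-token MAC key is derived from it and the token identifier, so the RS can recompute it on its own. The element list in the normalized request, the Authorization header layout, the 60-second clock-skew window and all secrets and sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# Long-term secret shared by the Authorization Server and the Resource Server.
# Assumption for this example: the draft does not say how the RS learns the MAC
# key, so here the RS recomputes it from this secret and the token identifier.
AS_RS_SECRET = b"constructed-example-secret-shared-by-AS-and-RS"

# Replay and clock-skew policy enforced by the Resource Server (assumed values).
MAX_SKEW_SECONDS = 60
SEEN_NONCES = set()  # (token id, ts, nonce) triples already accepted


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_mac_key(token_id: str) -> bytes:
    """Per-token MAC key = HMAC-SHA256(AS_RS_SECRET, token_id).

    The AS hands this key to the client in the token response; the RS derives
    the same key when the token shows up, so no per-token state is exchanged.
    """
    return hmac.new(AS_RS_SECRET, token_id.encode(), hashlib.sha256).digest()


# --- Authorization Server -------------------------------------------------
def issue_token() -> dict:
    """Token response: the access token plus the MAC key the client signs with."""
    token_id = b64url(secrets.token_bytes(16))
    return {
        "access_token": token_id,
        "token_type": "mac",
        "mac_key": b64url(derive_mac_key(token_id)),
        "mac_algorithm": "hmac-sha-256",
    }


# --- Shared by Client and Resource Server ---------------------------------
def normalized_request(ts, nonce, method, uri, host, port, ext=""):
    """Normalized request string: one element per line, trailing newline."""
    return "\n".join([str(ts), nonce, method.upper(), uri, host, str(port), ext]) + "\n"


def request_mac(mac_key: bytes, ts, nonce, method, uri, host, port, ext="") -> str:
    text = normalized_request(ts, nonce, method, uri, host, port, ext)
    digest = hmac.new(mac_key, text.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


# --- Client ---------------------------------------------------------------
def build_authorization_header(token, method, uri, host, port, ts=None, nonce=None):
    """Sign the request with the MAC key received from the AS."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or b64url(secrets.token_bytes(8))
    mac = request_mac(b64url_decode(token["mac_key"]), ts, nonce, method, uri, host, port)
    return 'MAC id="%s", ts="%d", nonce="%s", mac="%s"' % (token["access_token"], ts, nonce, mac)


# --- Resource Server ------------------------------------------------------
_ATTR = re.compile(r'(\w+)="([^"]*)"')


def verify_request(header, method, uri, host, port, now=None) -> bool:
    """Return True only if the header authenticates exactly this request."""
    if not header.startswith("MAC "):
        return False
    attrs = dict(_ATTR.findall(header[4:]))
    try:
        token_id, ts, nonce, mac = attrs["id"], int(attrs["ts"]), attrs["nonce"], attrs["mac"]
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:        # stale or future-dated request
        return False
    if (token_id, ts, nonce) in SEEN_NONCES:    # replay of an accepted request
        return False
    expected = request_mac(derive_mac_key(token_id), ts, nonce, method, uri, host, port)
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False
    SEEN_NONCES.add((token_id, ts, nonce))
    return True


if __name__ == "__main__":
    tok = issue_token()
    hdr = build_authorization_header(tok, "GET", "/resource/1?b=1&a=2", "example.com", 443)
    print(hdr)
    print("accepted:", verify_request(hdr, "GET", "/resource/1?b=1&a=2", "example.com", 443))
    print("replayed:", verify_request(hdr, "GET", "/resource/1?b=1&a=2", "example.com", 443))
```

Because the MAC key is derived rather than carried in the token, anyone who only sees the access token on the wire (a bearer-style leak) still cannot produce a valid mac value; that is the property that distinguishes this scheme from bearer tokens in Hannes's description.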