> It could even, theoretically, be included in the Access Token!

It certainly could; this is the simplest form of holder-of-key, in fact.
________________________________
From: Derek Atkins <[email protected]>
To: Hannes Tschofenig <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Monday, September 10, 2012 6:14 AM
Subject: Re: [OAUTH-WG] A question on draft-ietf-oauth-v2-http-mac-01

Hannes Tschofenig <[email protected]> writes:

> Hi Zhou,
>
> here is the story.
>
> The Authorization Server gives an Access Token to the Client and the client
> presents that Access Token to Resource Servers.
> This has not changed in comparison to Bearer Tokens.
>
> However, in addition to just presenting the Access Token by the Client to the
> Resource Server the Client also needs to compute a keyed message digest on
> the access request to the protected resource.
>
> It needs a key to compute the keyed message digest.
>
> This key, called MAC key, is provided by the Authorization Server together
> with the Access Token.
>
> What is not said in the document is how the Resource Server obtains the MAC
> key from the Authorization Server. It is assumed to be shared somehow.

It could even, theoretically, be included in the Access Token!

> Hope that makes more sense.
>
> Ciao
> Hannes

-derek

--
Derek Atkins 617-623-3745 [email protected] www.ihtfp.com
Computer and Internet Security Consultant
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
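The flow Hannes describes, as an added illustration that is not code from the thread or from the draft: the Authorization Server issues an access token plus a MAC key, the client computes a keyed digest over each request, and the Resource Server, which reaches the same key through a store it shares with the AS (the "shared somehow" part), recomputes and compares it. The normalized request string below is a simplified stand-in for the draft's format, and the store, nonce cache and field names are assumptions of this example.

```python
import hmac, hashlib, os, time, base64

# Constructed example. The AS and RS share this mapping out of band; a token
# that the RS cannot map to a MAC key is treated as unknown.
SHARED_KEY_STORE = {}   # access_token -> mac_key
SEEN_NONCES = set()     # RS-side replay cache; a real one would be time-bounded

def issue_token() -> tuple[str, bytes]:
    """AS side: an opaque access token and a fresh 256-bit MAC key for the client."""
    token = base64.urlsafe_b64encode(os.urandom(24)).decode()
    mac_key = os.urandom(32)
    SHARED_KEY_STORE[token] = mac_key
    return token, mac_key

def normalized_request(ts, nonce, method, uri, host, port) -> bytes:
    """Simplified normalized request string, one element per line. Loosely modelled
    on the draft; the draft itself defines the exact field set and order."""
    parts = [str(ts), nonce, method.upper(), uri, host.lower(), str(port)]
    return ("\n".join(parts) + "\n").encode()

def client_sign(token, mac_key, method, uri, host, port=443) -> dict:
    """Client side: keyed digest over the request, sent alongside the token."""
    ts = int(time.time())
    nonce = base64.b64encode(os.urandom(8)).decode()
    msg = normalized_request(ts, nonce, method, uri, host, port)
    mac = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return {"id": token, "ts": ts, "nonce": nonce, "mac": base64.b64encode(mac).decode()}

def rs_verify(auth, method, uri, host, port=443, now=None, max_skew=300) -> bool:
    """RS side: look up the MAC key for the presented token, recompute the digest
    over the request as received, compare in constant time, and reject stale
    timestamps and replayed (ts, nonce) pairs. The token alone proves nothing."""
    mac_key = SHARED_KEY_STORE.get(auth.get("id"))
    if mac_key is None:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - auth["ts"]) > max_skew or (auth["ts"], auth["nonce"]) in SEEN_NONCES:
        return False
    msg = normalized_request(auth["ts"], auth["nonce"], method, uri, host, port)
    expected = hmac.new(mac_key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(auth["mac"])):
        return False
    SEEN_NONCES.add((auth["ts"], auth["nonce"]))
    return True
```

Embedding the MAC key inside the access token, the variant mentioned above, would replace the store lookup, but the key would then have to be encrypted under a key the RS shares with the AS, since the token itself travels with every request.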
