On Thu, Sep 18, 2008 at 9:45 PM, xin zhang <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Can someone explain to me how the service provider verifies the signed request
> from the consumer using the public key? What is the purpose of the private key on
> the consumer side?
The method for verifying an RSA signature ("public key") is described in
the specification, which in turn comes from the OAuth spec.
I'm not sure I understand your second question. The private key is used to
sign RSA requests. For HMAC requests, there is a secret shared between the
container and the service provider.
HMAC is the preferred signing mechanism, though it does require storage of
secrets somewhere.
>
> Thanks
>
> Xin
>
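
The two signing modes discussed in this thread, as an added example that is not part of the original messages or of the project's code: with HMAC-SHA1 both sides hold the same secret, while with RSA-SHA1 the signer uses the private exponent and the service provider checks the signature with only the public key. Assumptions: the URL is already normalized with no query string, `oauth_signature_method` is left out so one base string serves both modes, and the RSA key is a constructed toy key that is trivially factorable and for illustration only.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def enc(s):
    return quote(str(s), safe="-._~")  # OAuth 1.0 percent-encoding

def base_string(method, url, params):
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)]).encode()

def hmac_sign(base, consumer_secret, token_secret=""):
    # HMAC-SHA1: signer and verifier hold the same secret
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def hmac_verify(base, sig, consumer_secret, token_secret=""):
    expected = hmac_sign(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), sig.encode())

SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")
def emsa_pkcs1_v15(base, k):
    # PKCS#1 v1.5 encoding of SHA-1(base), k bytes long
    t = SHA1_DIGESTINFO + hashlib.sha1(base).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(base, n, d):
    # RSA-SHA1: only the signer holds the private exponent d
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(base, k), "big")
    return base64.b64encode(pow(m, d, n).to_bytes(k, "big")).decode()

def rsa_verify(base, sig, n, e):
    # The verifier needs only the public key (n, e): it re-encodes and compares
    k = (n.bit_length() + 7) // 8
    try:
        raw = base64.b64decode(sig, validate=True)
    except ValueError:
        return False
    s = int.from_bytes(raw, "big")
    if len(raw) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), emsa_pkcs1_v15(base, k))

# Constructed toy key (two Mersenne primes) and constructed sample request values
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
PARAMS = {"oauth_consumer_key": "container.example", "oauth_nonce": "n0nce",
          "oauth_timestamp": "1221770000", "opensocial_viewer_id": "viewer 1"}
BASE = base_string("get", "http://sp.example/gadget", PARAMS)
```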