On Thu, Feb 18, 2010 at 9:56 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:

> But isn't the bearer token itself a sort of plain text secret?

Yes, it is. The WRAP access token is short-lived, which mitigates some of the risks. Also note that servers do not need to store access tokens at all.

The WRAP refresh token is long-lived, but it does not need to be stored in plain text on the server. You don't end up creating massive databases of credentials server-side. (Clients that hold lots of refresh tokens still need them in plain text, unfortunately.)

The WRAP refresh token only needs to be accessible to a limited number of systems. So you can use that to improve the client-side security. There are WRAP profiles that leverage existing trust relationships to eliminate the need for refresh tokens entirely.

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
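To make the two server-side storage points in the reply concrete (a short-lived access token the server can verify without storing it, and a long-lived refresh token of which the server keeps only a hash), here is an added example; it is not code from this thread or from any WRAP implementation. The token format, the HMAC-based tag, the in-memory `store` dict and the signing key are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed demo signing key. A real server would load this from a key
# management system; it is the only server-side secret the access token needs.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _now(now: Optional[int]) -> int:
    return now if now is not None else int(time.time())


def issue_access_token(subject: str, scope: str, ttl: int, now: Optional[int] = None) -> str:
    """Short-lived, self-contained bearer token: "subject|scope|exp" plus an HMAC tag.
    The server stores nothing; the key alone lets it verify the token later."""
    claims = f"{subject}|{scope}|{_now(now) + ttl}".encode()
    tag = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
    return _b64(claims) + "." + _b64(tag)


def verify_access_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the tag is valid and the token is unexpired, else None."""
    try:
        claims_b64, tag_b64 = token.split(".")
        claims, tag = _unb64(claims_b64), _unb64(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time tag check
        return None
    try:
        subject, scope, exp = claims.decode().split("|")
        exp_int = int(exp)
    except ValueError:
        return None
    if _now(now) >= exp_int:                      # short lifetime limits exposure
        return None
    return {"sub": subject, "scope": scope, "exp": exp_int}


def _refresh_key(token: str) -> str:
    # The token is 256 bits of CSPRNG output, so a plain SHA-256 of it is an
    # adequate lookup key; a salted KDF is only needed for low-entropy secrets.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_refresh_token(store: dict, subject: str, scope: str) -> str:
    """Long-lived token. The client receives the plaintext; the server records
    only its hash, so a dump of `store` yields no usable credential."""
    token = secrets.token_urlsafe(32)
    store[_refresh_key(token)] = {"sub": subject, "scope": scope}
    return token


def redeem_refresh_token(store: dict, token: str, ttl: int, now: Optional[int] = None) -> Optional[str]:
    """Exchange a refresh token for a fresh access token; None if the token is unknown."""
    record = store.get(_refresh_key(token))
    if record is None:
        return None
    return issue_access_token(record["sub"], record["scope"], ttl, now)


if __name__ == "__main__":
    store = {}
    rt = issue_refresh_token(store, "alice", "read")
    at = redeem_refresh_token(store, rt, ttl=300)
    print("server-side refresh store holds only hashes:", list(store))
    print("access token verifies without any server lookup:", verify_access_token(at))
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in production it is simply omitted. The client side still holds the refresh token in plaintext, exactly the limitation the reply notes.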