Hi Brian,
On Thu, Feb 18, 2010 at 9:56 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
But isn't the bearer token itself a sort of plain text secret?
Yes, it is.
The WRAP access token is short-lived, which mitigates some of the
risks. Also note that servers do not need to store access tokens at
all.
The WRAP refresh token is long-lived, but it does not need to be
stored in plain-text on the server. You don't end up creating massive
databases of credentials server-side. (Clients that hold lots of
refresh tokens still need them in plain text, unfortunately.)
The WRAP refresh token only needs to be accessible to a limited number
of systems. So you can use that to improve the client-side security.
There are WRAP profiles that leverage existing trust relationships to
eliminate the need for refresh tokens entirely.
Is this the point where OpenID and OAuth converge?
regards,
Torsten.
Cheers,
Brian
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth