Hi All - Regarding the client secret - one of the design goals for OAuth-WRAP was to cleanly separate the AuthZ server from the Protected Resource. The Protected Resource should only have to know how to validate Access Tokens issued by its AuthZ server.
The HMAC-SHA1 signature method defined in 4.2.1.1 of the OAuth 2.0 spec violates this principle because it requires the protected resource to have the client secret in order to validate the signature. Distributing the client secret to all Protected Resources can have negative security and performance implications.

http://www.ietf.org/mail-archive/web/oauth/current/msg01396.html#compute_sig

I recommend removing the client secret from the signature calculation, and instead using only the Access Token secret.

Allen

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
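The separation argument above can be made concrete by modelling a Protected Resource that holds only the access-token secrets its AuthZ server issued. The following is an added example, not code from Allen's message, from the OAuth WG, or from any OAuth specification. It assumes a simplified normalized request string (the real signature base string normalization is not reproduced) and a keying scheme of the form `client_secret&token_secret` for the two-secret variant; the sample secrets and token identifier are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the mailing list thread).
CLIENT_SECRET = "client-secret-xyz"
TOKEN_SECRET = "token-secret-123"
TOKEN_ID = "abc"
# Simplified stand-in for the normalized request string (assumption: real
# normalization rules are not reproduced here).
NORMALIZED_REQUEST = "GET&https%3A%2F%2Fresource.example%2Fphotos&oauth_token%3Dabc"


def hmac_sha1_b64(key: str, message: str) -> str:
    """HMAC-SHA1 over message with the given key, base64-encoded."""
    digest = hmac.new(key.encode(), message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_with_client_and_token_secret(msg: str, client_secret: str, token_secret: str) -> str:
    # Two-secret keying (assumption): the key combines the client secret and
    # the token secret, so anyone verifying must hold both.
    return hmac_sha1_b64(f"{client_secret}&{token_secret}", msg)


def sign_with_token_secret_only(msg: str, token_secret: str) -> str:
    # Single-secret keying: only the access-token secret is needed to verify.
    return hmac_sha1_b64(token_secret, msg)


class ProtectedResource:
    """A Protected Resource that knows only token secrets issued by its AuthZ server.

    It deliberately has no store of client secrets, matching the design goal
    that the resource only needs to validate access tokens.
    """

    def __init__(self, token_secrets: dict):
        self.token_secrets = token_secrets

    def verify_token_only(self, token: str, msg: str, signature: str) -> bool:
        secret = self.token_secrets.get(token)
        if secret is None:
            return False
        expected = sign_with_token_secret_only(msg, secret)
        return hmac.compare_digest(expected, signature)

    def verify_client_and_token(self, token: str, msg: str, signature: str,
                                client_secret: str = None) -> bool:
        # Without the client secret the key cannot be reconstructed, so the
        # resource is forced to either obtain that secret or fail verification.
        secret = self.token_secrets.get(token)
        if secret is None or client_secret is None:
            return False
        expected = sign_with_client_and_token_secret(msg, client_secret, secret)
        return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Run both keying schemes against a resource holding only token secrets."""
    resource = ProtectedResource({TOKEN_ID: TOKEN_SECRET})
    sig_both = sign_with_client_and_token_secret(NORMALIZED_REQUEST, CLIENT_SECRET, TOKEN_SECRET)
    sig_token = sign_with_token_secret_only(NORMALIZED_REQUEST, TOKEN_SECRET)
    return {
        # Token-only signature: verifiable with what the resource already has.
        "token_only_verifies": resource.verify_token_only(TOKEN_ID, NORMALIZED_REQUEST, sig_token),
        # Two-secret signature: cannot be verified without distributing the client secret.
        "two_secret_verifies_without_client_secret": resource.verify_client_and_token(
            TOKEN_ID, NORMALIZED_REQUEST, sig_both),
        "two_secret_verifies_with_client_secret": resource.verify_client_and_token(
            TOKEN_ID, NORMALIZED_REQUEST, sig_both, client_secret=CLIENT_SECRET),
        # Integrity still holds under the token-only scheme: a modified request fails.
        "tampered_request_rejected": not resource.verify_token_only(
            TOKEN_ID, NORMALIZED_REQUEST + "&extra", sig_token),
        # Unknown tokens are rejected before any HMAC is computed.
        "unknown_token_rejected": not resource.verify_token_only(
            "nope", NORMALIZED_REQUEST, sig_token),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two `verify_*` methods make the trade-off visible: under token-only keying the resource's existing per-token secret store is sufficient, while under two-secret keying every resource must be provisioned with every client's secret, which is exactly the distribution cost the message objects to. `hmac.compare_digest` is used so that signature comparison does not leak timing information.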