Why do you need to change the cryptographic properties of a token during refresh?
EHL

> From: Raffi Krikorian [mailto:ra...@twitter.com]
> Sent: Friday, March 26, 2010 10:46 AM
> To: Torsten Lodderstedt
> Cc: Eran Hammer-Lahav; oa...@core3.amsl.com; WG
> Subject: Re: [OAUTH-WG] Thinking about our secrets for signatures
>
>>> When a token is issued, that's when a secret should be provided if the token is to be used with a signature. The specific MAC algorithm can be provided either with the token or at the resource endpoint (I don't have a strong feeling since we are only talking about symmetric secrets at this point). I don't think a token should be "upgraded" from bearer to secret-enabled using the refresh process.
>>
>> I agree. Independent of who actually decides the token type, this type should be constant in the authz and refresh process. I think the resource endpoint should advertise the supported methods (e.g. by way of a WWW-Authenticate header parameter), the client can ask the authorization server for a specific token type incl. signature method, and the authorization server may refuse such a request if it is unable to provide an appropriate token type/secret.
>
> sure - so at the first request time, you can request. is it still possible to upgrade and downgrade the token type during refresh (switch from non-signature to signature based on the refresh)?
>
> --
> Raffi Krikorian
> Twitter Platform Team
> http://twitter.com/raffi
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
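The negotiation Torsten sketches above (resource server advertises supported methods in WWW-Authenticate, client asks the authorization server for a token type, the server refuses what it cannot provide, and the type stays fixed across refresh) as a toy model. This is an added example, not code from the thread or from any OAuth implementation; the scheme name "Token", the "methods" parameter and the type names "bearer" / "hmac-sha-256" are assumptions made here for illustration.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed header shape, e.g. WWW-Authenticate: Token realm="api", methods="bearer hmac-sha-256"
# The thread only says "a WWW-Authenticate header parameter"; the names are hypothetical.
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_advertised_methods(www_authenticate: str) -> Set[str]:
    """Resource server side of the negotiation: which token types it will accept."""
    params = dict(PARAM_RE.findall(www_authenticate))
    return set(params.get("methods", "").split())


def choose_method(advertised: Set[str], client_preference: List[str]) -> str:
    """Client side: pick the first preferred type the resource server advertises."""
    for method in client_preference:
        if method in advertised:
            return method
    raise ValueError("no mutually supported token type")


@dataclass
class Token:
    access_token: str
    refresh_token: str
    token_type: str           # "bearer" or "hmac-sha-256" (assumed names)
    secret: Optional[bytes]   # handed out at issuance, only for signature-capable tokens

    def mac(self, message: bytes) -> str:
        """Sign a request string with the per-token secret; bearer tokens cannot."""
        if self.secret is None:
            raise ValueError("bearer token has no secret to sign with")
        return hmac.new(self.secret, message, hashlib.sha256).hexdigest()


class AuthorizationServer:
    """Issues tokens of a requested type and keeps that type constant across refreshes."""

    def __init__(self, supported: Set[str]):
        self.supported = set(supported)
        self._refresh_index: Dict[str, str] = {}  # refresh_token -> token_type

    def _mint(self, token_type: str) -> Token:
        # Secret-enabled types get a fresh secret at every (re)issuance.
        secret = None if token_type == "bearer" else secrets.token_bytes(32)
        tok = Token(secrets.token_urlsafe(16), secrets.token_urlsafe(16), token_type, secret)
        self._refresh_index[tok.refresh_token] = token_type
        return tok

    def issue(self, requested_type: str = "bearer") -> Token:
        """Initial grant: client asks for a type; server refuses what it cannot provide."""
        if requested_type not in self.supported:
            raise ValueError(f"unsupported token type: {requested_type}")
        return self._mint(requested_type)

    def refresh(self, refresh_token: str, requested_type: Optional[str] = None) -> Token:
        """Refresh: new access token and secret, same type as the original grant."""
        original_type = self._refresh_index.get(refresh_token)
        if original_type is None:
            raise ValueError("unknown or already-consumed refresh token")
        if requested_type is not None and requested_type != original_type:
            # Neither an upgrade (bearer -> signed) nor a downgrade is allowed here;
            # the refresh token is left intact so the client can retry correctly.
            raise ValueError("token type is fixed at issuance and cannot change on refresh")
        del self._refresh_index[refresh_token]  # rotate: old refresh token is consumed
        return self._mint(original_type)


if __name__ == "__main__":
    advertised = parse_advertised_methods('Token realm="api", methods="bearer hmac-sha-256"')
    srv = AuthorizationServer({"bearer", "hmac-sha-256"})
    tok = srv.issue(choose_method(advertised, ["hmac-sha-256", "bearer"]))
    print(tok.token_type, tok.mac(b"GET /resource"))
    try:
        srv.refresh(tok.refresh_token, "bearer")
    except ValueError as e:
        print("refresh rejected:", e)
```

Running it shows a signed token being issued on first request and the refresh endpoint rejecting an attempt to switch it to bearer, which is the behaviour the thread argues for.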