Would your proposal allow issuing and using HMAC Verification Keys in the
same way as the "old" token secrets, i.e. an AS would issue such keys
along with tokens to the OAuth client? A special key id could be used to
indicate this scenario.
regards,
Torsten.
On 21.06.2010 09:04, Dirk Balfanz wrote:
Hi guys,
I think I owe the list a proposal for signatures.
I wrote something down that liberally borrows ideas from Magic
Signatures
<http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-00.html>,
SWT <http://groups.google.com/group/WRAP-WG/files>, and (even the name
from) JSON Web Tokens
<https://groups.google.com/group/WRAP-WG/browse_thread/thread/a99369c4b74d4cd0#>.
Here is a short document (called "JSON Tokens") that just explains how
to sign something and verify the signature:
http://docs.google.com/document/pub?id=1kv6Oz_HRnWa0DaJx_SQ5Qlk_yqs_7zNAm75-FmKwNo4
Here is an extension of JSON Tokens that can be used for signed OAuth
tokens:
http://docs.google.com/document/pub?id=1JUn3Twd9nXwFDgi-fTKl-unDG_ndyowTZW8OWX9HOUU
Here is a different extension of JSON Tokens that can be used for
2-legged flows. The idea is that this could be used as a drop-in
replacement for SAML assertions in the OAuth2 assertion flow:
http://docs.google.com/document/pub?id=1s4kjRS9P0frG0ulhgP3He01ONlxeTwkFQV_pCoOowzc
I also have started to write some code
<http://code.google.com/p/jsontoken/source/browse/#svn/trunk/src/main/java/net/oauth/signatures>
to implement this as a proof-of-concept.
Thoughts? Comments?
Dirk.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth