I'm defining a new token type: MAC based on my previous HTTP Token authentication draft (which in turn was based on 1.0a HMAC-SHA1). This is being drafted and implemented in my current project (in node.js). I will have a draft to share shortly (I do not plan to make this a WG item, but will not object if the group wants to).
When issuing a token, the authorization server needs to provide two additional attributes:

- mac algorithm (hmac-sha1 and hmac-sha256 will be defined)
- secret

I have two options; extend the token response by registering:

1. Type specific parameters: 'mac_algorithm' and 'token_secret'
2. Generic parameter: 'attributes' with some form of key-value pairs

I prefer #1 because it is much simpler. However, #2 is cleaner and better if we end up with a lot of token types. So I'm going with #1 but open to other suggestions and feedback.

EHL
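
Added example, not part of the original message or of the draft: a client-side reader that accepts the token response in either of the two shapes proposed above and only uses the algorithm if it is one of the two named (hmac-sha1, hmac-sha256). Assumptions: option 2's 'attributes' is taken to be a JSON object, the function names and sample responses are constructed, and the text being MACed is a constructed sample because the message does not define it.

```javascript
// Added example (not from the draft). The option-2 layout is an assumption.
const { createHmac } = require("node:crypto");

// The two algorithms the message names, mapped to Node digest names.
const MAC_ALGORITHMS = { "hmac-sha1": "sha1", "hmac-sha256": "sha256" };

// Pull the MAC credentials out of a token response in either proposed shape.
function macCredentials(response) {
  const attrs = response.attributes;
  const nested = attrs !== null && typeof attrs === "object";
  const flat = "mac_algorithm" in response || "token_secret" in response;
  // A response carrying both shapes is ambiguous; refuse rather than guess.
  if (nested && flat) throw new Error("ambiguous token response");
  const { mac_algorithm: algorithm, token_secret: secret } = nested ? attrs : response;
  // Allowlist lookup on own keys only, so "constructor" or "none" never match.
  if (!Object.prototype.hasOwnProperty.call(MAC_ALGORITHMS, algorithm)) {
    throw new Error("unsupported mac_algorithm: " + String(algorithm));
  }
  if (typeof secret !== "string" || secret.length === 0) {
    throw new Error("missing token_secret");
  }
  return { algorithm, secret };
}

// Compute the MAC (hex) over text with the issued algorithm and secret.
function macOver(creds, text) {
  return createHmac(MAC_ALGORITHMS[creds.algorithm], creds.secret)
    .update(text, "utf8")
    .digest("hex");
}

// Constructed sample responses, one per option.
const option1 = { access_token: "constructed-token", token_type: "mac",
  mac_algorithm: "hmac-sha256", token_secret: "key" };
const option2 = { access_token: "constructed-token", token_type: "mac",
  attributes: { mac_algorithm: "hmac-sha256", token_secret: "key" } };

// Constructed text; the message does not define what the client MACs.
const SAMPLE_TEXT = "The quick brown fox jumps over the lazy dog";

console.log(macOver(macCredentials(option1), SAMPLE_TEXT));
console.log(macOver(macCredentials(option2), SAMPLE_TEXT));
```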