Eran,
- Authentication schemes
You propose to use the authentication scheme name "OAuth2" for the
WWW-Authenticate header but another scheme name "MAC" for the
authorization header. I've never seen such an asymmetric approach
before. Don't you think people get confused about that? Moreover, the
bearer draft also uses the name "OAuth2" in the authorization header.
Why this difference? Why don't you just add some parameters to the
"OAuth2" scheme?
- 6.3. Spoofing by Counterfeit Servers
The protocol does not support server authentication
but it should prevent token abuse by the Counterfeit
server, shouldn't it?
regards,
Torsten.
On 09.01.2011 18:18, Eran Hammer-Lahav wrote:
http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token
Feedback appreciated, especially for section 3.2.1 (the new normalized
request string) which is an attempt to take the HMAC-SHA1 flow from
1.0a and simplify it.
No body signature support yet, but will add that in -01.
EHL
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth