I'm trying to formally verify the OAuth 2.0 draft 16 protocol. I want to try OAuth 2.0 with the hmac token type ().
In the "Authorization Code" mode I have the token response as this:

    - access_token: [access_token]
    - token_type: mac
    - mac_key: buabuabua
    - mac_algorithm: hmac-sha-256

The access_token is calculated with hmac(client_id || authorization_code, secret). Right?

Now there is my problem. I want to access a resource controlled by a resource owner. Do I need to do this:

    GET /resource/1 HTTP/1.1
    Host: example.com
    Authorization: MAC id = [access_token provided in the first pass]
                       nonce = "274312:dj83hs92"
                       mac = "ASDDFGDFGDG"

with mac calculated with hmac(nonce || GET || url || host || access_token, secret)?

I don't understand. There is too much confusion from this:
http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-7.1
and this:
http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-00#section-1.2
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
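The request-signing step the question is about, as an added Python example (not code from the original post, the IETF drafts or any OAuth library): the client builds the draft-ietf-oauth-v2-http-mac-00 normalized request string (nonce, method, request-URI, host, port, bodyhash, ext, each followed by a newline, as section 3.3.1 of that draft lays it out), keys HMAC-SHA-256 with the mac_key issued alongside the token rather than with any client secret, and sends the result in the Authorization header; the resource server looks the mac_key up by the access_token id, recomputes the MAC, compares it in constant time and rejects a nonce it has already accepted. The token id and the port are constructed values; the mac_key and nonce are the ones quoted in the post.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials, shaped like the token response quoted in the post.
MAC_KEY = b"buabuabua"        # mac_key issued with the token
TOKEN_ID = "h480djs93hd8"     # the opaque access_token, used only as a key identifier (constructed)

def normalized_request_string(nonce, method, request_uri, host, port, bodyhash="", ext=""):
    """draft-00 normalized request string: each element followed by a newline."""
    parts = (nonce, method.upper(), request_uri, host.lower(), str(port), bodyhash, ext)
    return "".join(f"{p}\n" for p in parts)

def compute_mac(key, nrs):
    """mac_algorithm=hmac-sha-256: HMAC over the normalized string, base64-encoded."""
    return base64.b64encode(hmac.new(key, nrs.encode(), hashlib.sha256).digest()).decode()

def build_authorization_header(token_id, key, nonce, method, request_uri, host, port):
    """Client side. nonce is '<age>:<random>' (seconds since issue, then a random string)."""
    mac = compute_mac(key, normalized_request_string(nonce, method, request_uri, host, port))
    return f'MAC id="{token_id}", nonce="{nonce}", mac="{mac}"'

def parse_mac_header(header):
    """Split 'MAC id="...", nonce="...", mac="..."' into a dict of attribute values."""
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    return {k.strip(): v.strip().strip('"')
            for k, _, v in (item.partition("=") for item in params.split(","))}

class ResourceServer:
    """Holds mac_keys by token id; the key itself never travels in the request."""
    def __init__(self, keys):
        self.keys = keys
        self.seen_nonces = set()   # (token id, nonce) pairs already accepted

    def verify(self, header, method, request_uri, host, port):
        p = parse_mac_header(header)
        key = self.keys.get(p.get("id"))
        if key is None or (p["id"], p["nonce"]) in self.seen_nonces:
            return False           # unknown token, or a replayed nonce
        expected = compute_mac(key, normalized_request_string(p["nonce"], method, request_uri, host, port))
        if not hmac.compare_digest(expected, p["mac"]):
            return False           # request was altered in transit or signed with the wrong key
        self.seen_nonces.add((p["id"], p["nonce"]))
        return True
```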