On Fri, Jun 10, 2011 at 10:51 AM, Adam Barth <i...@adambarth.com> wrote:
> On Fri, Jun 10, 2011 at 10:42 AM, Robert Sayre <say...@gmail.com> wrote:
>> Let's call my proposed addition the "opaque" parameter. The client
>> sends it back unchanged, just like the id.
>
> That already exists in the scheme. It's just the value of the cookie.
>
>> This is just one use of an opaque field that servers might want to
>> try. I suppose this data could get stuffed into the SID too. Is that
>> the idea?
>
> Yep.

OK, this is all much clearer. Could the draft include these explanations and examples? It seems like the draft is obfuscated right now. Why not just plainly state something similar to "This mechanism really just adds a little more security to session cookies." in the introduction? I hope it isn't because of HTTP religion or something like that.

- Rob