> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Manger, James H
> Sent: Tuesday, June 14, 2011 7:06 PM
> To: oauth
> Subject: Re: [OAUTH-WG] FW: MAC: Cookie name or value as MAC key id
>
> >>> Perhaps omitting the id parameter from the Authorization header
> >>> would be an even better approach [when a cookie provides the key id]
>
> >> Yeah, I've often wondered whether we should remove the id parameter
> >> from the Authorization header. My understanding is that it plays
> >> some important role in the OAuth instantiation of the protocol.
> >> There's also the question about what to do when you have multiple
> >> cookies with MAC attributes. In that case, having the id to disambiguate
> >> seems useful.
>
> > With OAuth 2.0, the id is the access token. With cookies, it makes it clear
> > which MAC cookie is being used. It's required.
>
> How does the server know if a particular request with a "Authorization: MAC
> ..." header is using credentials from OAuth 2.0 or from Set-Cookie?

This should be pretty easy to resolve with a common-sense deployment and key identifiers.

> P.S. id=<cookie-name> is not ideal for indicating which MAC cookie is being
> used as there can be multiple cookies with the same cookie-name (eg set
> from sibling domains).

I'll let Adam answer that.

EHL

> --
> James Manger
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth