>> How does the server know if a particular request with an "Authorization: MAC
>> ..." header is using credentials from OAuth 2.0 or from Set-Cookie?
> This should be pretty easy to resolve with a common-sense deployment and key
> identifiers.

You are right, Eran. Though putting a cookie-name in a key id field is a bit hacky, in practice a server can work this out with a little bit of code, perhaps a little config, and a little bit of sense choosing names. I withdraw my suggestion for using the cookie-value as the key id.

--
James Manger
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth