On 08/10/2012 12:48 PM, Dick Hardt wrote:
> On Aug 10, 2012, at 9:28 AM, Justin Richer wrote:
>> On 08/09/2012 06:47 PM, Dick Hardt wrote:
>>> On Aug 9, 2012, at 1:08 PM, Justin Richer wrote:
>>>> With MAC, you should be able to re-use about 80-90% of your
>>>> existing codepath that's in place for Bearer, simplifying the setup
>>>> below.
>>>
>>> That makes no sense, I would be adding MAC to the sites that support
>>> MAC in addition to OAuth 1.0A or OAuth 2.0.
>>
>> You get to re-use all of the code for OAuth2 for issuing tokens (from
>> server side) and requesting tokens (from client side). Apart from
>> parsing the JSON value that's returned from the token endpoint (and
>> you are using a generic parser there, right?), nothing changes here.
>> The part where you *use* the token to access a protected resource
>> (client), or *validate* a request to a protected resource (server)
>> changes significantly, yes. But that's only a small part of the process.
>
> That makes sense, sorry I was not clear on what I said did not make
> sense, which was "simplifying the setup below".
>
> As a client developer, adding MAC to the mix *increases* my code base
> as it is yet another protocol to understand and implement against.
> OAuth 1.0A and OAuth 2.0 bearer are not going to go away.

OK, I follow now. Yes, that's a fair concern for anyone who has to
support multiple protocols that aren't mutually compatible. I'm
personally hoping that OAuth2/MAC will help push out most (if not all)
of the remaining OAuth1 pieces we have here, helping us shut down at
least one of those.

-- Justin
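
The split described in the thread, as an added example that is not code from either participant: token parsing is shared between Bearer and MAC, while building the Authorization header (client) and validating it (server) differ. The function names, sample tokens, and the newline-delimited field layout (assumed from the OAuth 2.0 HTTP MAC draft) are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed token-endpoint responses (sample values, not from the thread).
BEARER_RESPONSE = '{"access_token": "b-123", "token_type": "bearer"}'
MAC_RESPONSE = ('{"access_token": "m-456", "token_type": "mac", '
                '"mac_key": "s3cr3t-key", "mac_algorithm": "hmac-sha-256"}')
DIGESTS = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}

def parse_token_response(body):
    """Shared code path: one generic JSON parse serves both token types."""
    token = json.loads(body)
    token["token_type"] = token["token_type"].lower()
    return token

def mac_signature(token, ts, nonce, method, uri, host, port, ext=""):
    """Assumed layout: seven request fields, each terminated by a newline."""
    fields = (ts, nonce, method.upper(), uri, host.lower(), port, ext)
    base = "".join(f"{value}\n" for value in fields).encode()
    digest = hmac.new(token["mac_key"].encode(), base, DIGESTS[token["mac_algorithm"]])
    return base64.b64encode(digest.digest()).decode()

def authorization_header(token, method, uri, host, port, ts=None, nonce=None):
    """Client side: the one place where Bearer and MAC diverge."""
    if token["token_type"] == "bearer":
        return f'Bearer {token["access_token"]}'
    if token["token_type"] == "mac":
        mac = mac_signature(token, ts, nonce, method, uri, host, port)
        return f'MAC id="{token["access_token"]}", ts="{ts}", nonce="{nonce}", mac="{mac}"'
    raise ValueError(f'unsupported token_type: {token["token_type"]}')

def validate_mac_request(token, seen, now, ts, nonce, mac, method, uri, host, port, skew=300):
    """Server side: freshness and replay checks, then a constant-time compare."""
    if abs(now - int(ts)) > skew or nonce in seen:
        return False
    expected = mac_signature(token, ts, nonce, method, uri, host, port)
    if not hmac.compare_digest(expected, mac):
        return False
    seen.add(nonce)  # remember the nonce only after the MAC checks out
    return True
```

A Bearer header carries the token itself, so anyone who captures it can reuse it; the MAC header carries only a keyed digest of this one request, which is why the server needs the timestamp and nonce checks as well.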