I agree.
Authorization servers should issue credentials (tokens) with clear semantics.
If a token is to be used with a signature, its properties should reflect it. If
a server doesn't require signatures, why waste storage and bandwidth with
secrets?
EHL
> -Original Message-
> From: oa
On Thu, Mar 25, 2010 at 7:54 PM, Ethan Jewett wrote:
> Possibly this is a silly question, but why not #2 and have the bearer
> token method (over SSL of course) include the token secret? The
> provider would always issue a token and a token secret. If the client
> is not interested in signing meth
Possibly this is a silly question, but why not #2 and have the bearer
token method (over SSL of course) include the token secret? The
provider would always issue a token and a token secret. If the client
is not interested in signing methods, it can discard the token and
keep the token secret. This
A single client could generate multiple requests simultaneously, and have
them show up out of order.
Allen
On 3/24/10 10:06 PM, "Brian Eaton" wrote:
> On Wed, Mar 24, 2010 at 9:46 PM, Luke Shepard wrote:
>> This is probably a stupid question, but why do we need accurate timestamps?
>> Why is i
On Mar 25, 2010, at 9:55 AM, Brian Eaton wrote:
> On Thu, Mar 25, 2010 at 6:09 AM, Subbu Allamaraju wrote:
>> Just curious - why can't the client check the Date header?
>
> Yes, that works, but lots of clients don't realize it is possible.
In other words, this is part of HTTP, and should not h
On Mon, Mar 22, 2010 at 1:52 PM, David Recordon wrote:
> On Mon, Mar 22, 2010 at 5:11 AM, Manger, James H
> wrote:
>> 2. STATE
>> OAuth has various parameters that are used to carry state for another party
>> in a message, which is helpful for building scalable systems. OAuth should
>> avoid dup
Thanks -- and best wishes in their new/old/continuing roles -- to all of Peter,
Hannes, and Blaine!
Eve
On 25 Mar 2010, at 11:03 AM, Peter Saint-Andre wrote:
>
>
> As you know, I have been named co-director of the Applications Area and
> therefore cannot continue serving as co-chair o
As you know, I have been named co-director of the Applications Area and
therefore cannot continue serving as co-chair of the OAuth WG. Lisa
Dusseault (outgoing AD) and I (incoming AD) decided that the best way to
ensure continuity would be to promote Hannes Tschofenig from technical
advisor to co
On 2010-03-25, at 9:55 AM, Brian Eaton wrote:
> On Thu, Mar 25, 2010 at 6:09 AM, Subbu Allamaraju wrote:
>> Just curious - why can't the client check the Date header?
>
> Yes, that works, but lots of clients don't realize it is possible.
Do all clients have access to it?
On Thu, Mar 25, 2010 at 6:09 AM, Subbu Allamaraju wrote:
> Just curious - why can't the client check the Date header?
Yes, that works, but lots of clients don't realize it is possible.
On Mar 25, 2010, at 9:09 AM, Subbu Allamaraju wrote:
> Just curious - why can't the client check the Date header?
It can. Once it got a failed response from the first call.
Regards,
- johnk
>
> Subbu
>
>
> On Mar 24, 2010, at 6:26 PM, Paul Lindner wrote:
>
>> Right now if a client with an
Just curious - why can't the client check the Date header?
Subbu
On Mar 24, 2010, at 6:26 PM, Paul Lindner wrote:
Right now if a client with an inaccurate clock makes an OAuth call
they are rejected. OAuth Problem Reporting includes a mechanism to
send the server's concept of 'now' to t