I agree that there should be mitigation controls in place on web server
clients:
it would relieve the Authz Server of the task of blocking fraudulent traffic and make
the whole solution more scalable. Using signatures looks like a good idea, but
key distribution needs to be automated in this case.
Her
Thanks, Oleg, for the note.
I agree that key distribution has been a difficult problem. Since the
OAuth draft 10 section 2.1 provides a mechanism for the client to
authenticate to the Authz Server using some shared symmetric secret, I
think the MAC scheme can be built on the presumably available s
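The following is an added example, not part of either message above and not code from the OAuth draft: it shows what a request MAC keyed on the client's shared symmetric secret looks like on both sides, with the replay and clock-skew checks the Authz Server would need. The normalized-string layout, the header field names (`id`, `ts`, `nonce`, `mac`), the client registry, and the 300-second skew window are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed client registry (hypothetical values): client_id -> shared
# symmetric secret, as the Authz Server would hold it after registration.
CLIENT_SECRETS = {
    "client-123": b"shared-secret-for-client-123",
}

MAX_CLOCK_SKEW = 300  # seconds; an assumed policy, not a value from the draft


def normalized_request_string(method, host, port, path, nonce, timestamp):
    """Canonical text the MAC covers (assumed layout, one field per line)."""
    fields = [str(timestamp), nonce, method.upper(), path, host.lower(), str(port)]
    return "\n".join(fields) + "\n"


def compute_mac(secret, base):
    """HMAC-SHA256 of the normalized request under the client's shared secret."""
    return hmac.new(secret, base.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_request(client_id, secret, method, host, port, path, timestamp=None, nonce=None):
    """Client side: return the auth fields the server needs to verify the request."""
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    nonce = secrets.token_hex(8) if nonce is None else nonce
    base = normalized_request_string(method, host, port, path, nonce, timestamp)
    return {"id": client_id, "ts": timestamp, "nonce": nonce, "mac": compute_mac(secret, base)}


class MacVerifier:
    """Server side: check the MAC, the timestamp window, and reject replayed nonces."""

    def __init__(self, secrets_by_client, max_skew=MAX_CLOCK_SKEW):
        self._secrets = secrets_by_client
        self._max_skew = max_skew
        self._seen = set()  # (client_id, ts, nonce) of requests already accepted

    def verify(self, auth, method, host, port, path, now=None):
        now = int(time.time()) if now is None else int(now)
        secret = self._secrets.get(auth.get("id"))
        if secret is None:
            return False  # unknown client: nothing to verify against
        try:
            ts = int(auth["ts"])
        except (KeyError, TypeError, ValueError):
            return False
        if abs(now - ts) > self._max_skew:
            return False  # stale or far-future timestamp
        # Forget nonces that can no longer be replayed inside the window.
        self._seen = {k for k in self._seen if k[1] >= now - self._max_skew}
        nonce = str(auth.get("nonce", ""))
        key = (auth["id"], ts, nonce)
        if key in self._seen:
            return False  # replay of an already accepted request
        base = normalized_request_string(method, host, port, path, nonce, ts)
        expected = compute_mac(secret, base)
        if not hmac.compare_digest(expected, str(auth.get("mac", ""))):
            return False  # wrong secret or tampered request line
        self._seen.add(key)  # record the nonce only after a successful check
        return True


if __name__ == "__main__":
    verifier = MacVerifier(CLIENT_SECRETS)
    hdr = sign_request("client-123", CLIENT_SECRETS["client-123"],
                       "GET", "api.example.com", 443, "/resource")
    print("fresh request accepted:", verifier.verify(hdr, "GET", "api.example.com", 443, "/resource"))
    print("replay accepted:", verifier.verify(hdr, "GET", "api.example.com", 443, "/resource"))
```

Two design points worth noting: the comparison uses `hmac.compare_digest` so a wrong MAC is not distinguishable by timing, and the nonce is recorded only after the MAC verifies, so an attacker cannot burn a legitimate client's nonce by sending a forged request with it first. The nonce set is bounded by the skew window, which is what makes the check cheap enough to push out to the web server clients Oleg mentioned.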