Re: [OAUTH-WG] SWT for indicating sites where a token is valid

2010-05-11 Thread Manger, James H
Marius, > If the protected resource sends a redirect instead of serving the > resource then probably it knows what it is doing. Sure, the server knows what it is doing. However it is completely legitimate for a server to knowingly redirect to an external site, to a site configured by a user, to

Re: [OAUTH-WG] SWT for indicating sites where a token is valid

2010-05-11 Thread Marius Scurtescu
Hi James, On Mon, May 10, 2010 at 5:36 PM, Manger, James H wrote: > Marius, > >> But then again, how does the client end up making a request to > the wrong site? > > The client follows a redirect or link. It doesn't know if the ultimate source > of the new URI was the resource server’s internal

Re: [OAUTH-WG] SWT for indicating sites where a token is valid

2010-05-10 Thread Manger, James H
Marius, > But then again, how does the client end up making a request to the wrong site? The client follows a redirect or link. It doesn't know if the ultimate source of the new URI was the resource server’s internal logic, user-generated content, or a parameter in the request URI (eg an open r

Re: [OAUTH-WG] SWT for indicating sites where a token is valid

2010-05-10 Thread Marius Scurtescu
On Mon, May 10, 2010 at 4:46 PM, Manger, James H wrote: > Marius, > >> As a side note, I was thinking more about the suggested "sites" >> parameter. In practice the sites where an access token can be used are >> limited to what protected resources can decrypt or verify the token. >> An access toke

Re: [OAUTH-WG] SWT for indicating sites where a token is valid

2010-05-10 Thread Manger, James H
Marius, > As a side note, I was thinking more about the suggested "sites" > parameter. In practice the sites where an access token can be used are > limited to what protected resources can decrypt or verify the token. > An access token cannot be really used at the wrong site. A "sites" > parameter

Re: [OAUTH-WG] SWT for indicating sites where a token is valid

2010-05-10 Thread Marius Scurtescu
Hi James, I was suggesting a transparent token format in general, SWT was just an example. Yes, SWT does have a few problems: - symmetric key encryption - URL encoded name/value pairs as format It can be easily extended to support public key crypto, but this will help only key management between

Re: [OAUTH-WG] SWT for indicating sites where a token is valid

2010-05-09 Thread Manger, James H
David & Marius, > Using SWT for your access tokens seems like a reasonable way to resolve this > for servers which care. SWT is completely the wrong solution for this issue, if I understand it correctly. I haven’t followed the SWT work much, but my understanding is that it aids interop