On Mon, May 9, 2011 at 7:11 PM, Peter Wolanin wrote:
> What about using the cookie header?
>
> We have a sha1-HMAC authentication scheme where we are passing the
> HMAC, nonce, timestamp as parts of the cookie header since scripting
> languages that cannot access arbitrary headers still usually ca
discuss that.
EHL
> -----Original Message-----
> From: Justin Richer [mailto:jric...@mitre.org]
> Sent: Tuesday, May 10, 2011 7:40 AM
> To: Peter Wolanin
> Cc: Eran Hammer-Lahav; Ben Adida; OAuth WG; Adam Barth
> (a...@adambarth.com)
> Subject: Re: [OAUTH-WG] HTTP MAC Authentic
But that's so much work. :-P
The ease of using a throwaway signed URL as a self-contained information
unit shouldn't be ignored. It requires exactly zero client-side code and
can survive all kinds of HTML repackaging and transit easily.
-- Justin
On Mon, 2011-05-09 at 22:11 -0400, Peter Wolanin
What about using the cookie header?
We have a sha1-HMAC authentication scheme where we are passing the
HMAC, nonce, timestamp as parts of the cookie header since scripting
languages that cannot access arbitrary headers still usually can
access this header.
-Peter
On Mon, May 9, 2011 at 3:34 PM,
I would still like to see a binding of this to use query or form
parameters. I have a direct use case for handing out signed URLs to the
client, for which we're using the OAuth 1.0 signing mechanism without
tokens today. I'd love to switch to something that we could bind to
OAuth2, but the rest
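
Added example, not code from any poster in this thread and not the MAC draft's own algorithm: a sketch of the throwaway signed URL discussed above, using HMAC-SHA1 as in Peter's scheme and carrying the MAC, nonce and timestamp as query parameters. The parameter names `mac`, `nonce` and `ts`, the canonical string layout, the 300-second window and the sample key and URL are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MAX_SKEW = 300  # assumed freshness window, in seconds


def _mac(key, method, host, path, params):
    # Assumed canonical string: method, host, path, sorted encoded parameters.
    base = "\n".join([method.upper(), host.lower(), path, urlencode(sorted(params))])
    return hmac.new(key, base.encode(), hashlib.sha1).hexdigest()


def sign_url(key, method, url, nonce, ts):
    """Return url with nonce, ts and mac appended as query parameters."""
    u = urlsplit(url)
    params = parse_qsl(u.query, keep_blank_values=True)
    params += [("nonce", nonce), ("ts", str(ts))]
    params.append(("mac", _mac(key, method, u.netloc, u.path, params)))
    return urlunsplit(u._replace(query=urlencode(params)))


def verify_url(key, method, url, now, seen_nonces):
    """Return 'ok', or the reason the signed URL is rejected."""
    u = urlsplit(url)
    params = parse_qsl(u.query, keep_blank_values=True)
    macs = [v for k, v in params if k == "mac"]
    rest = [(k, v) for k, v in params if k != "mac"]
    fields = dict(rest)
    if len(macs) != 1 or "nonce" not in fields or "ts" not in fields:
        return "malformed"
    expected = _mac(key, method, u.netloc, u.path, rest)
    # Constant-time comparison; the MAC is checked before any field is trusted.
    if not hmac.compare_digest(expected.encode(), macs[0].encode()):
        return "bad-mac"
    if not fields["ts"].isdecimal() or abs(now - int(fields["ts"])) > MAX_SKEW:
        return "stale"
    if fields["nonce"] in seen_nonces:
        return "replay"  # a throwaway URL is accepted once only
    seen_nonces.add(fields["nonce"])
    return "ok"
```

The server needs shared storage for `seen_nonces` that outlives the freshness window, otherwise the replay check only holds per process.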