
Re: [OAUTH-WG] RSA signing and web delegation



What about 2 legged OAuth?

On Thursday, November 5, 2009, Brian Eaton <beaton at google.com> wrote:
> I spent a bit of time today wondering how to integrate RSA signing in
> OAuth (which has obvious key distribution advantages) with requests
> that only send access tokens (which has obvious usability advantages).
>
> The only way I can think of to resolve these conflicts goes like this:
>
> 1) Initial requests for user approval (using the web delegation flow)
> are signed using RSA.
>
> 2) Data requests are either not signed, or are signed only with the
> token secret using HMAC.
>
> 3) Requests to renew access tokens (if we adopt something like the
> scalable OAuth extension) are again signed using RSA.
>
> Thoughts?
>
> Cheers,
> Brian

-- 
John Panzer / Google
jpanzer at google.com / abstractioneer.org / @jpanzer
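
Added example, not part of either message above and not code from the OAuth WG: a sketch of the signed variant of step 2 in the quoted proposal, where a data request carries only an HMAC-SHA1 signature keyed with the token secret. It assumes OAuth 1.0 base-string rules (RFC 5849), an empty consumer secret because the client proved its identity with RSA at approval time, and constructed sample values throughout.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values, not taken from the thread.
SAMPLE_URL = "https://api.example.com/photos"
SAMPLE_TOKEN_SECRET = "constructed-token-secret"
SAMPLE_PARAMS = {
    "oauth_token": "constructed-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1257465600",
    "oauth_nonce": "constructed-nonce",
    "file": "vacation 1.jpg",
}

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # RFC 5849 section 3.4.1. Assumes url is already normalized and has no query.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign_data_request(method, url, params, token_secret):
    # Assumption: no shared consumer secret exists in this hybrid, so the
    # HMAC key is the empty consumer secret, "&", then the token secret.
    key = ("&" + pct(token_secret)).encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def verify_data_request(method, url, params, token_secret):
    # Server-side check for a data request: only HMAC-SHA1 is accepted here,
    # and the comparison is constant-time.
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = sign_data_request(method, url, params, token_secret)
    presented = str(params.get("oauth_signature", ""))
    return hmac.compare_digest(expected.encode(), presented.encode())

if __name__ == "__main__":
    request = dict(SAMPLE_PARAMS)
    request["oauth_signature"] = sign_data_request(
        "GET", SAMPLE_URL, request, SAMPLE_TOKEN_SECRET)
    print(verify_data_request("GET", SAMPLE_URL, request, SAMPLE_TOKEN_SECRET))
```

A real server would also reject stale timestamps and replayed nonces, which this sketch leaves out.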

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.