On Tue, May 11, 2010 at 2:16 PM, Paul Lindner <plind...@linkedin.com> wrote:

> +beaton (for domain member question)
> I'll add some docs to the committed code. expiresAt is informational,
> isExpired() is canonical and convenient enough that I'm betting that most
> implementers will use it, and it can encompass things like a CRL, blacklist,
> etc. depending on the implementation.

I don't understand the need for isExpired and friends... why not just enforce expiration checks in the security token decoding process? A security token arrives, is validated, and is used for a few seconds (the duration of one user request).

> I don't think that ContainerConfig calls can be spoofed when you're using
> BlobCrypter which guarantees against tampering. I am concerned that there
> are a number of pieces of code that iterate through all containers, this
> works for small numbers of containers, but not large populations (where a
> container == a third party site).

So long as you get the container from the security token and not a URL parameter, I think it's solid.

But I don't understand what you're doing with OAuth 2 and shindig. Is there a design doc or a road map?
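As an added illustration of the design argument in this reply, not code from Shindig or from either poster: a token decoder that verifies the MAC and rejects expired tokens during decoding (so no separate isExpired() check is needed downstream), and a request handler that takes the container from the decoded token rather than from a URL parameter. The blob layout (JSON payload followed by an HMAC-SHA256 tag), the demo key and all names are assumptions.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass

KEY = b"demo-key-not-for-production"  # constructed sample key (assumption)
TAG_LEN = 32  # HMAC-SHA256 output length

class InvalidToken(Exception):
    """Raised for any token that must not be used: malformed, tampered, or expired."""

@dataclass(frozen=True)
class SecurityToken:
    container: str
    viewer: str
    expires_at: int  # informational only; enforcement already happened in decode_token

def encode_token(container, viewer, ttl_seconds, now, key=KEY):
    payload = json.dumps({"c": container, "v": viewer, "exp": now + ttl_seconds}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def decode_token(blob, now, key=KEY):
    """Decode, authenticate and expiry-check in one step; callers never see a stale token."""
    try:
        raw = base64.urlsafe_b64decode(blob.encode())
    except ValueError as exc:
        raise InvalidToken("malformed") from exc
    if len(raw) <= TAG_LEN:
        raise InvalidToken("malformed")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise InvalidToken("bad mac")
    fields = json.loads(payload)
    if now >= fields["exp"]:  # expiry enforced here, at decode time
        raise InvalidToken("expired")
    return SecurityToken(fields["c"], fields["v"], fields["exp"])

def token_is_usable(blob, now, key=KEY):
    try:
        decode_token(blob, now, key)
        return True
    except InvalidToken:
        return False

def handle_request(blob, url_params, now):
    """The container is bound to the token; a 'container' URL parameter is ignored."""
    token = decode_token(blob, now)
    return {"container": token.container, "viewer": token.viewer}
```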