1. The valid value for secret_type in your case is hmac-sha256.
2. It is not related to client_secret; it just instructs the authorization server if the response should contain access_token_secret or not.
This is my attempt to relate it to a real world scenario (no need to read :)):

A somewhat reasonable analogy might be the authorization server writing a check to the client. If the authorization server wrote a valid check to the client and indicated that the check can be encashed only by depositing, then it is not enough that the client (the bearer) just has a valid check; it should also have an account (access_token_secret) to deposit to. If there is no access_token_secret then the check can be encashed by any bearer, hence the bearer token. This flag secret_type tells the authorization server to write a check with "for deposit only" on the back. (The only strangeness in this analogy is that the authorization server doesn't create an account for the client like it issues an access_token_secret, but don't go there.)

On May 23, 7:55 am, erich <erich.oliph...@gmail.com> wrote:
> Hi,
> I am working on a Java implementation of the web server flow for OAuth 2.0.
> I've made good progress so far, however there's something that's
> confusing me in the spec (v05). In section 3.6.2 "Client Requests
> Access Token" the 'client_secret' (per section 3.1) is required. My
> understanding is that this equates to, say, a password for the client.
> Then there's the optional 'secret_type' (as described by section
> 5.3). I am not understanding 1) the valid value for 'secret_type' 2)
> if it's related to the 'client_secret'.
>
> I've created code to make the HMAC-256 signed data called out in 5.3,
> but the 5.3 stuff seems to be about attempting to access the resource
> after you get the access token; I'm trying to understand how it relates
> to 3.6.2 where the client is making the initial request for the token.
>
> --
> You received this message because you are subscribed to the Google Groups
> "OAuth" group.
> To post to this group, send email to oa...@googlegroups.com.
> To unsubscribe from this group, send email to
> oauth+unsubscr...@googlegroups.com.
> For more options, visit this group
> at http://groups.google.com/group/oauth?hl=en.
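The "for deposit only" point above, as an added example that is not code from this thread, the draft, or any library: a resource request signed with hmac-sha256 under the access_token_secret, and a resource server that checks it. The field order of the normalized string (timestamp, nonce, method, host, port, request URI, each newline-terminated) is an assumption modelled on the draft's hmac-sha256 section, not a verbatim copy; the token table is constructed.

```python
import base64
import hashlib
import hmac
import time


def normalized_request(timestamp, nonce, method, host, port, uri):
    """Both sides build the same string from the request they see.
    Layout is an assumption modelled on the draft, not quoted from it."""
    parts = (timestamp, nonce, method.upper(), host.lower(), port, uri)
    return "".join(f"{p}\n" for p in parts)


def sign_request(access_token_secret, timestamp, nonce, method, host, port, uri):
    """Client side: base64(HMAC-SHA256(access_token_secret, normalized string)).
    The access_token itself is sent alongside but never keys the HMAC."""
    base = normalized_request(timestamp, nonce, method, host, port, uri).encode()
    mac = hmac.new(access_token_secret.encode(), base, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class ResourceServer:
    """Server side: holding the access_token alone is not enough; the
    signature must verify under the matching secret, the timestamp must be
    fresh, and a (token, nonce) pair is accepted only once."""

    def __init__(self, tokens, max_skew=300):
        self.tokens = tokens          # constructed: access_token -> access_token_secret
        self.seen_nonces = set()
        self.max_skew = max_skew

    def verify(self, token, timestamp, nonce, signature, method, host, port, uri, now=None):
        secret = self.tokens.get(token)
        if secret is None:
            return False
        now = time.time() if now is None else now
        if abs(now - int(timestamp)) > self.max_skew:
            return False                       # stale or future-dated
        if (token, nonce) in self.seen_nonces:
            return False                       # replay of a captured request
        expected = sign_request(secret, timestamp, nonce, method, host, port, uri)
        if not hmac.compare_digest(expected, signature):
            return False                       # wrong secret or modified request
        self.seen_nonces.add((token, nonce))
        return True
```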