On Thu, Apr 8, 2010 at 7:08 AM, George Fletcher <[email protected]> wrote:
> I realize that these sorts of use cases are trivial if establishment of the
> SSO session switches from a signed mechanism to the OAuth WRAP bearer token
> model. The one nice feature of the signed URL is that it is one time use
> where the bearer token can be replayed multiple times.

Yep, Google does this kind of thing too.

Is there something that stops you from declaring that a particular
token is single use?

1) Client makes a call to the Authorization server, passing in either the
refresh token or an access token (depending on the security model you
want).
2) AS returns a token.
3) Client uses the token to pop open a web browser.

Cheers,
Brian
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
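
An added sketch, not part of the message above or of any provider's implementation, of how an authorization server could enforce the single-use property for the token returned in step 2 so that a replay at step 3 fails. The class `SingleUseTokenStore`, its method names and the 60-second lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import threading
import time


class SingleUseTokenStore:
    """Hypothetical AS-side store: each issued token redeems at most once."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self._ttl = ttl_seconds          # assumed lifetime; keep it short
        self._clock = clock              # injectable so expiry can be tested
        self._lock = threading.Lock()
        self._pending = {}               # sha256(token) -> (subject, expiry)

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a dump of the store yields no usable token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, subject):
        """Steps 1-2: the client has presented its refresh/access token and
        been authenticated as `subject`; the AS returns a fresh token."""
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._pending[self._digest(token)] = (subject, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Step 3: the browser presents the token. Returns the subject on the
        first valid use, None on replay, expiry or an unknown token."""
        with self._lock:
            # pop() deletes the record in the same critical section that reads
            # it, so two concurrent redemptions can never both succeed.
            record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None                  # unknown, or already used (replay)
        subject, expiry = record
        if self._clock() >= expiry:
            return None                  # expired before first use; stays consumed
        return subject
```

The lookup and the delete have to be one atomic operation; with a shared database the equivalent is a conditional delete or update that reports whether a row was affected.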
