Yes, this is possible, though to be secure it should really happen over
SSL which is less of a requirement for a signed request.
I guess the main question is whether we really need to remove the
signature related parameters from URL and only allow them in the
Authorization header. For signed requests, these use cases pretty much
require that the signature parameters be allowed in the URL.
Obviously, if we change our model to not use signed URLs then this issue
goes away:)
Thanks,
George
On 4/9/10 12:58 AM, Brian Eaton wrote:
On Thu, Apr 8, 2010 at 7:08 AM, George Fletcher<[email protected]> wrote:
I realize that these sorts of use cases are trivial if establishment of the
SSO session switches from a signed mechanism to the OAuth WRAP bearer token
model. The one nice feature of the signed URL is that it is one time use
where the bearer token can be replayed multiple times.
Yep, Google does this kind of thing too.
Is there something that stops you from declaring that a particular
token is single use?
1) Client makes call to Authorization server, passing in either the
refresh token or an access token (depending on the security model you
want.)
2) AS returns a token.
3) Client uses the token to pop open a web browser.
Cheers,
Brian
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
