On Tue, Apr 20, 2010 at 12:57 PM, Torsten Lodderstedt
<tors...@lodderstedt.net> wrote:
> As a major advantage the authorization server can be stateless with respect
> to authorization transaction data because there is no need to hold such data
> until the client obtains the tokens from the authorization server (callback,
> client, verification code, identity and so on). This simplifies the
> cluster/loadbalancing/fail-over architecture of the authorization server.

If making the authz server stateless is the major goal, you can
probably achieve that by encoding and encrypting all relevant data in
the verification code and set a short lifetime on it. Would that work?


> Moreover, the load on the authz server should be reduced and the client
> saves the roundtrip time of the second call. This is even more important if
> clients extensively use the new "immediate" parameter to implement an SSO-like
> behavior and use this flow very often.

True, there is a small gain here, but on the other hand you don't have
to deal with crypto.

Marius
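The stateless variant Marius sketches above (encode and encrypt all transaction data into the verification code and give it a short lifetime), as an added Go example that is not part of this thread or of any OAuth implementation: the claims are sealed with AES-GCM under a server key (assumed to be 32 bytes), and on redemption the code is decrypted and checked for expiry and for binding to the client and callback it was issued to. The names Claims, IssueCode and RedeemCode are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)
// Claims is the transaction data the server would otherwise hold until the code is redeemed.
type Claims struct {
	ClientID, RedirectURI, Subject, Scope string
	ExpiresAt                             int64 // Unix seconds
}
func newAEAD(key *[32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	aead, _ := cipher.NewGCM(block) // neither call can fail for a 32-byte (AES-256) key
	return aead
}

// IssueCode seals the claims with AES-GCM under the server key; the base64url output is the short-lived code.
func IssueCode(key *[32]byte, c Claims, ttl time.Duration, now time.Time) (string, error) {
	c.ExpiresAt = now.Add(ttl).Unix()
	plain, _ := json.Marshal(c) // a struct of strings and ints always marshals
	aead := newAEAD(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	// Layout: nonce || ciphertext || GCM tag; the tag covers every claim, including the expiry.
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil)), nil
}

// RedeemCode decrypts the code and enforces lifetime and client binding; no server-side lookup is needed.
func RedeemCode(key *[32]byte, code, clientID, redirectURI string, now time.Time) (*Claims, error) {
	raw, err := base64.RawURLEncoding.DecodeString(code)
	aead, c := newAEAD(key), Claims{}
	ns := aead.NonceSize()
	if err != nil || len(raw) < ns { return nil, errors.New("malformed code") }
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], nil) // fails on wrong key or any tampering
	switch {
	case err != nil || json.Unmarshal(plain, &c) != nil:
		return nil, errors.New("invalid code")
	case now.Unix() >= c.ExpiresAt:
		return nil, errors.New("code expired")
	case c.ClientID != clientID || c.RedirectURI != redirectURI:
		return nil, errors.New("code not bound to this client")
	}
	return &c, nil
}
```

One thing the server gives up with this design is single use: without any state it cannot tell a first redemption from a replay of the same code, so the short lifetime bounds that window but does not close it.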
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth