On Mon, Jun 21, 2010 at 7:43 AM, Dick Hardt <dick.ha...@gmail.com> wrote:
> Thanks for writing this up Dirk.
> I would suggest that the token be:
>
>     payload "." envelope "." signature
>
> This enables the payload to be encrypted and independent from the envelope.
> Token signing, verification, encryption and decryption code can then be
> generic and not understand the payload of the token.
I think you can still do that even if payload and envelope are combined. The signed JSON would become:

    {
      signer: <whoever-signed>
      encrypted_for: <intended-destination>
      encrypted_payload: <the-encrypted-payload>
    }

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
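The two layouts under discussion, as an added illustration that is not part of the thread and not code from either poster: a three-segment token (payload "." envelope "." signature) beside the combined form where a single signed JSON object carries `signer`, `encrypted_for` and an opaque `encrypted_payload`. The point both messages make is that the signing and verification code never parses the payload, so the same signer and verifier are used for both shapes. The segment encoding (base64url without padding), the HMAC-SHA256 signature, the demo key and the "ciphertext" bytes are all assumptions constructed for the example; the payload is just opaque bytes here, standing in for whatever encryption is applied before signing.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed demo key; assumption for the example, not a value from the thread.
DEMO_KEY = b"demo-signing-key-not-for-production"


def b64url(data: bytes) -> str:
    """Base64url without padding: the assumed encoding of every dot-separated segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url, re-adding the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_segments(segments: List[str], key: bytes) -> str:
    """Generic signer: HMAC-SHA256 over the dot-joined segments.
    It never decodes or inspects the payload, which is exactly what lets it stay
    independent of how the payload is encrypted."""
    signing_input = ".".join(segments).encode("ascii")
    return b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def make_three_part_token(encrypted_payload: bytes, envelope: dict, key: bytes) -> str:
    """Layout from the quoted suggestion: payload "." envelope "." signature.
    The payload segment is whatever ciphertext was produced upstream (opaque here)."""
    segments = [
        b64url(encrypted_payload),
        b64url(json.dumps(envelope, separators=(",", ":")).encode("utf-8")),
    ]
    return ".".join(segments + [sign_segments(segments, key)])


def make_combined_token(encrypted_payload: bytes, signer: str, encrypted_for: str, key: bytes) -> str:
    """Layout from the reply: one signed JSON object that embeds the opaque payload."""
    body = {
        "signer": signer,
        "encrypted_for": encrypted_for,
        "encrypted_payload": b64url(encrypted_payload),
    }
    segments = [b64url(json.dumps(body, separators=(",", ":")).encode("utf-8"))]
    return ".".join(segments + [sign_segments(segments, key)])


def verify_token(token: str, key: bytes) -> bool:
    """Works for both layouts: everything before the last dot is the signed input,
    the last segment is the tag. Constant-time comparison avoids leaking the tag."""
    *segments, signature = token.split(".")
    if not segments:
        return False
    expected = sign_segments(segments, key)
    return hmac.compare_digest(expected, signature)


def routing_info(token: str, key: bytes) -> Optional[dict]:
    """Return signer / encrypted_for after verification, without decrypting the payload.
    In the three-part form that metadata is the middle segment; in the combined form it
    is the single JSON body. Returns None if the signature does not verify."""
    if not verify_token(token, key):
        return None
    segments = token.split(".")[:-1]
    meta = json.loads(b64url_decode(segments[-1]))
    return {"signer": meta["signer"], "encrypted_for": meta["encrypted_for"]}


if __name__ == "__main__":
    ciphertext = b"opaque-ciphertext-bytes"  # constructed stand-in for an encrypted payload
    t3 = make_three_part_token(ciphertext, {"signer": "issuer.example", "encrypted_for": "rp.example"}, DEMO_KEY)
    tc = make_combined_token(ciphertext, "issuer.example", "rp.example", DEMO_KEY)
    print("three-part:", t3, verify_token(t3, DEMO_KEY))
    print("combined:  ", tc, verify_token(tc, DEMO_KEY))
```

The verifier only needs the routing metadata, never the plaintext, so a relying party can check who signed the token and whether it is the intended recipient before it attempts any decryption; swapping the payload segment or using a different key makes `verify_token` return False.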