You need to be more specific about what is confusing you. V2-16 7.1 is just an example. For using MAC you need to refer to the MAC spec.
How you generate your access token string is an internal detail, but your use of the authorization code in the algorithm is odd, IMO. The MAC is calculated based on the normalized string as defined in the MAC spec (and it does not include the access token). If you want help, you need to give a real example for the wire requests and responses.

EHL

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of denadai2
Sent: Saturday, May 21, 2011 11:16 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] OAuth 2.0-16 + mactoken draft 6. I don't understand

I'm trying to formally verify the OAuth 2.0 draft 16 protocol. I want to try OAuth 2.0 with the hmac token type (). In the "Authorization Code" mode I have the response token as this:

- access_token: [access_token]
- token_type: mac
- mac_key: buabuabua
- mac_algorithm: hmac-sha-256

The access_token is calculated with hmac(client_id || authorization_code, secret). Right?

Now there is my problem. I want to access a resource controlled by a resource owner. Do I need to do this:

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: MAC id = [access_token provided in the first pass]
                   nonce = "274312:dj83hs92"
                   mac = "ASDDFGDFGDG"

with mac calculated with hmac(nonce || GET || url || host || access_token, secret)?

I don't understand. There is too much confusion from this:
http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-7.1
and this
http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-00#section-1.2
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
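The point in the reply above (the request MAC is computed over the MAC spec's normalized request string, keyed with mac_key, and the access token value itself is not an input) is easier to see in code. The following is an added example, not code from this thread or from the OAuth working group. It models both sides: the client building the Authorization header and the protected resource verifying it, with nonce replay rejection. The element order of the normalized string (nonce, upper-case method, request-URI, lower-case host, port, bodyhash, ext, each followed by a newline) is my reading of draft-ietf-oauth-v2-http-mac-00 and should be checked against the draft text; the access token value "example-access-token" and the token store are constructed for the demo, while mac_key, mac_algorithm, nonce and URL are the values from the question.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Algorithm names as returned in the token response's "mac_algorithm" attribute.
MAC_ALGORITHMS = {
    "hmac-sha-1": hashlib.sha1,
    "hmac-sha-256": hashlib.sha256,
}

_ATTR = re.compile(r'(\w+)="([^"]*)"')


def normalized_request_string(nonce, method, request_uri, host, port, bodyhash="", ext=""):
    """Concatenate the request elements, each followed by a newline.

    Element order is an assumption taken from my reading of the MAC draft;
    note that the access token (the "id" attribute) is not part of the string.
    """
    elements = [nonce, method.upper(), request_uri, host.lower(), str(port), bodyhash, ext]
    return "".join(element + "\n" for element in elements)


def compute_mac(mac_key, mac_algorithm, normalized):
    """HMAC the normalized string with mac_key and return it base64-encoded."""
    digestmod = MAC_ALGORITHMS[mac_algorithm]
    digest = hmac.new(mac_key.encode("utf-8"), normalized.encode("utf-8"), digestmod).digest()
    return base64.b64encode(digest).decode("ascii")


def _request_parts(url):
    """Split a URL into (request-URI, host, port), defaulting the port by scheme."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    request_uri = parts.path or "/"
    if parts.query:
        request_uri += "?" + parts.query
    return request_uri, parts.hostname, port


def authorization_header(access_token, mac_key, mac_algorithm, nonce, method, url):
    """Client side: build the Authorization header for one request."""
    request_uri, host, port = _request_parts(url)
    normalized = normalized_request_string(nonce, method, request_uri, host, port)
    mac = compute_mac(mac_key, mac_algorithm, normalized)
    return 'MAC id="%s", nonce="%s", mac="%s"' % (access_token, nonce, mac)


def parse_authorization_header(header):
    """Return the attribute dict of a MAC Authorization header."""
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    return dict(_ATTR.findall(rest))


def verify_request(header, method, url, token_store, seen_nonces):
    """Resource server side: look up the key by token id, recompute, compare.

    token_store maps access token -> {"mac_key", "mac_algorithm"} (constructed
    for this demo); seen_nonces is a set of (id, nonce) pairs already accepted,
    used to reject replays of a captured header.
    """
    attrs = parse_authorization_header(header)
    token = token_store.get(attrs.get("id"))
    if token is None:
        return False
    nonce = attrs.get("nonce", "")
    if (attrs["id"], nonce) in seen_nonces:
        return False
    request_uri, host, port = _request_parts(url)
    normalized = normalized_request_string(nonce, method, request_uri, host, port)
    expected = compute_mac(token["mac_key"], token["mac_algorithm"], normalized)
    # Constant-time comparison so MAC checking does not leak via timing.
    if not hmac.compare_digest(expected, attrs.get("mac", "")):
        return False
    seen_nonces.add((attrs["id"], nonce))
    return True


if __name__ == "__main__":
    # Constructed demo data; mac_key, algorithm, nonce and URL are from the question.
    store = {"example-access-token": {"mac_key": "buabuabua", "mac_algorithm": "hmac-sha-256"}}
    header = authorization_header("example-access-token", "buabuabua", "hmac-sha-256",
                                  "274312:dj83hs92", "GET", "http://example.com/resource/1")
    print(header)
    print("verified:", verify_request(header, "GET", "http://example.com/resource/1", store, set()))
```

Two things to observe when running it: changing the access token value while keeping the same mac_key leaves the mac attribute unchanged, which is exactly why the spec ties the token to the key by the "id" lookup rather than by mixing the token into the signed string; and presenting the same header twice fails the second time because the (id, nonce) pair has already been seen.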