Using Bearer tokens with refresh tokens is a valid use case for server-to-server and has the same nice properties that it does for users, in that it applies a single control point for revoking access. Using Bearer tokens has very different security properties than OAuth 1.0a and you should carefully consider this. Look at the proof-of-possession work rather than simple Bearer tokens.
On Thursday, July 2, 2015 9:10 AM, Lisa Li1 <lisa_...@symantec.com> wrote:

Hi All, this is Lisa. Our project is adopting OAuth 2 as the authentication specification. For the client-server communication, the OAuth token works fine. But we have some cases of server-to-server communication; usually it will be multiple tasks running in parallel or in sequence, or even in multiple threads. In this case, we are not sure whether we should reuse the access token granted by the end user or create another token?
Moreover, if the token expires in 30 min, we are able to refresh it but may meet some issue with token consistency between each task, thus it might be refreshed again and again… But with OAuth 1.0, since it will not expire and we don't have to refresh, it will work fine. So for OAuth 2.0, what's your consideration for the server-to-server communication scenario? Or do you have any suggestion here? Thanks.

Lisa Li
Principal Software Engineer
Symantec Corporation
Office: (010) 6272 5127 / Mobile: 189 1057 2219
lisa_...@symantec.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
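The consistency problem Lisa describes (several parallel tasks each noticing the expired token and refreshing "again and again") and the reply's point about a single revocation control point can both be shown with a shared token holder that serializes the refresh. The following is an added example written for this thread, not code from either poster or from any OAuth library; the `FakeAuthServer`, `FakeClock`, `SharedTokenManager` and `run_parallel_tasks` names are all constructed here, and the fake server stands in for a real token endpoint that rotates refresh tokens (each refresh token is single-use), which is exactly the setting where a duplicate refresh would fail.

```python
import threading
import time
from dataclasses import dataclass


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute time in seconds


class FakeClock:
    """Constructed clock so the example is deterministic (no real waiting)."""
    def __init__(self, start): self.t = start
    def now(self): return self.t
    def advance(self, seconds): self.t += seconds


class FakeAuthServer:
    """Constructed stand-in for the token endpoint (not a real server).
    Refresh tokens are rotated: each one is accepted exactly once, so two
    tasks refreshing with the same refresh token would leave one of them
    with invalid_grant. Revoking at the server cuts every task off at once."""
    def __init__(self, clock, lifetime=1800.0):
        self._clock, self._lifetime = clock, lifetime
        self._valid_refresh, self._counter, self.revoked = set(), 0, False

    def issue(self):
        self._counter += 1
        ts = TokenSet(f"at-{self._counter}", f"rt-{self._counter}",
                      self._clock() + self._lifetime)
        self._valid_refresh.add(ts.refresh_token)
        return ts

    def refresh(self, refresh_token):
        if self.revoked or refresh_token not in self._valid_refresh:
            raise PermissionError("invalid_grant")
        self._valid_refresh.discard(refresh_token)  # single use
        return self.issue()

    def revoke_all(self):
        self.revoked, self._valid_refresh = True, set()


class SharedTokenManager:
    """One token holder shared by all tasks/threads of a server-side job.
    The lock makes the refresh single-flight: the first task that sees the
    token expire refreshes it and the others reuse its result. A task that
    got a 401 passes back the token it used; if another task has already
    replaced it, no second refresh is issued."""
    def __init__(self, initial, refresh_fn, clock=time.time, skew=30.0):
        self._tokens, self._refresh_fn, self._clock, self._skew = initial, refresh_fn, clock, skew
        self._lock = threading.Lock()
        self.refresh_count = 0

    def _expired(self):
        return self._clock() >= self._tokens.expires_at - self._skew  # refresh a little early

    def get_access_token(self, failed_token=None):
        with self._lock:
            if failed_token is not None and failed_token != self._tokens.access_token:
                return self._tokens.access_token  # already refreshed by another task
            if failed_token is not None or self._expired():
                self._tokens = self._refresh_fn(self._tokens.refresh_token)
                self.refresh_count += 1
            return self._tokens.access_token


def run_parallel_tasks(manager, n_tasks=8):
    """Start n_tasks threads that all ask for a token at the same instant.
    Returns the set of distinct tokens handed out and the refresh count."""
    results, barrier = [], threading.Barrier(n_tasks)

    def task():
        barrier.wait()
        results.append(manager.get_access_token())

    threads = [threading.Thread(target=task) for _ in range(n_tasks)]
    for t in threads: t.start()
    for t in threads: t.join()
    return set(results), manager.refresh_count


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    server = FakeAuthServer(clock.now)
    manager = SharedTokenManager(server.issue(), server.refresh, clock=clock.now)
    print(run_parallel_tasks(manager))   # fresh token: ({'at-1'}, 0)
    clock.advance(1800.0)                # 30 minutes later, token expired
    print(run_parallel_tasks(manager))   # one refresh for all tasks: ({'at-2'}, 1)
```

Every task reads the token through the manager and never caches its own copy past one request, so the authorization server's refresh token remains the single point at which access is cut off, as the reply notes. The same structure works for a process pool if the holder is moved behind a small service or a database row with a row lock.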