On 13.10.2015 07:37, Ofer Nave wrote:
>> You do have decisions to make on whether you use symmetric crypto or PK
>> there.
>
> That's another thing I was pondering -- simple shared secret, or require
> generating a private/public key pair.
>
> The asymmetric form is a little more complicated in terms of the user
> experience. Is there a practical reason to prefer it?
If the AS and the Resource Servers (RS) share a secret, there is a risk of an RS impersonating authorised clients by creating valid tokens to access other RSs. You may prevent this by making sure every RS gets its own secret, but in that case you cannot issue tokens with multiple RS audiences.

With asymmetric keys you won't have these problems. The RS would only need to have a copy of the public AS key to verify the tokens.

Vladimir

--
Vladimir Dzhuvinov

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
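The three arrangements contrasted in the reply, as an added example that is not part of the thread: one HMAC secret shared by the AS and every RS (a multi-audience token works, but any RS can mint tokens another RS accepts), a secret per RS (no RS can impersonate, but one token can no longer carry two RS audiences), and an asymmetric AS key where each RS holds only the public half. The compact token format, the claim names and the toy textbook RSA are constructed assumptions so the block runs on the Python standard library alone; none of it comes from the list discussion.

```python
import base64, hashlib, hmac, json

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def encode(claims: dict) -> bytes:
    return json.dumps(claims, sort_keys=True).encode()

# Symmetric (HMAC-SHA256): whoever holds the secret can verify AND mint tokens.
def hs_sign(secret: bytes, claims: dict) -> str:
    payload = encode(claims)
    return b64(payload) + "." + b64(hmac.new(secret, payload, hashlib.sha256).digest())

def hs_verify(secret: bytes, token: str, audience: str) -> bool:
    p, s = token.split(".")
    expected = hmac.new(secret, unb64(p), hashlib.sha256).digest()
    return hmac.compare_digest(expected, unb64(s)) and audience in json.loads(unb64(p))["aud"]

# Asymmetric: toy textbook RSA (constructed; far too small for real use) so the block
# needs only the standard library. Only the AS holds D; each RS is given (E, N).
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def digest_int(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest()[:11], "big")  # 88 bits < N
def rs_sign(d: int, n: int, claims: dict) -> str:
    payload = encode(claims)
    return b64(payload) + "." + b64(pow(digest_int(payload), d, n).to_bytes(12, "big"))
def rs_verify(e: int, n: int, token: str, audience: str) -> bool:
    p, s = token.split(".")
    sig_ok = pow(int.from_bytes(unb64(s), "big"), e, n) == digest_int(unb64(p))
    return sig_ok and audience in json.loads(unb64(p))["aud"]

def demo() -> dict:
    claims = {"sub": "client-42", "aud": ["rs1", "rs2"]}  # constructed multi-audience token
    shared = b"as-and-every-rs-share-this"                 # constructed
    # rs1 holds the same secret, so a token it mints for rs2 is indistinguishable from the AS's
    minted_by_rs1 = hs_sign(shared, {"sub": "client-42", "aud": ["rs2"]})
    k1, k2 = b"rs1-only-secret", b"rs2-only-secret"        # constructed per-RS secrets
    # An RS holding only (E, N) cannot sign; reusing an AS signature under a swapped payload fails
    sig = rs_sign(D, N, claims).split(".")[1]
    swapped = b64(encode({"sub": "client-42", "aud": ["rs2"]})) + "." + sig
    return {"shared_secret_multi_aud": hs_verify(shared, hs_sign(shared, claims), "rs2"),
            "shared_secret_rs_forges": hs_verify(shared, minted_by_rs1, "rs2"),
            "per_rs_secret_multi_aud": hs_verify(k2, hs_sign(k1, claims), "rs2"),
            "asymmetric_multi_aud": rs_verify(E, N, rs_sign(D, N, claims), "rs2"),
            "asymmetric_swapped_payload": rs_verify(E, N, swapped, "rs2")}
```

Calling `demo()` returns True for the two multi-audience checks and for the shared-secret forgery, and False for the per-RS multi-audience token and the swapped payload, which is exactly the trade-off the reply describes.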