You need to be more specific about what is confusing you. V2-16 7.1 is just an
example. For using MAC you need to refer to the MAC spec.
How you generate your access token string is an internal detail but your use of
the authorization code in the algorithm is odd, IMO.
The MAC is calculated
Ok thank you. I will be more specific:
1- Client - Authorization server. (via TLS)
I build the authorization request with response_type = code,
client_id, redirect_uri.
2- Authorization server - Client. (without TLS)
I grant access with an authorization code generated (for example) with
If you're planning to attend in person then you'll want to head to
1050 Page Mill Road in Palo Alto. There's a bunch of parking behind
the building so feel free to park anywhere in that lot. You'll then
want to head to the lobby of building 1 which is the largest; the
lobby is on the Page Mill
From: denadai2 denad...@gmail.com
Date: Sun, 22 May 2011 08:27:41 -0700
To: Eran Hammer-lahav e...@hueniverse.com
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.0-16 + mactoken draft
I just read over the whole of the draft for the first time in a while.
I looked it over mostly for
a) places where spec and reality were going to have trouble intersecting
and
b) places where security advice would be useful
and
c) grammer and speling, because I notices things like that
As I said in the other note, after reading through the security
considerations section a couple of times, I think it could benefit
from a different organization. Specifically
- keep the introduction, it’s awesome.
- write new sections for each of the following
1) Authorization Tokens
2)
First, I'd like to add my support for Brian Eaton's comments on Draft 16.
They actually helped clarify the comment I have below
I found section 9 to be in contradiction to a part of section 6. In
particular in section 9:
Native applications SHOULD use the authorization code grant type
It would be great if you could do a similarly detailed read of the bearer token
spec as well!
-- Mike
Sent from my Windows Phone
-Original Message-
From: Brian Eaton
Sent: Sunday, May 22, 2011 8:39 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] draft 16 review notes
I just read over the