Here are two related extensions to OAuth. These extensions can improve security in situations where a Consumer has a trusted part that's shared by all users, and a less trusted part for each User, and the less trusted part sends requests for access to protected resources directly to the Service Provider.
To discuss these extensions, please use the Accessor Secret thread in the Google Group OAuth Extensions.
Extension: Accessor Secret
When signing a request for access to a Protected Resource, an Accessor Secret MUST be used instead of the Consumer Secret. This is a new secret, not the Access Token Secret and not the Consumer Secret. Like the Consumer Secret, it's established as part of the agreement between Consumer and Service Provider.
The Accessor Secret MAY be empty, or MAY be the same as the Consumer Secret.
To interoperate with an OAuth participant that doesn't support this extension, establish an Accessor Secret that's the same as the Consumer Secret.
Extension: Dynamic Accessor Secret
The Consumer MAY choose a separate Accessor Secret for each Access Token. It sends the chosen secret as a parameter named oauth_accessor_secret, in the request to obtain a Request Token (OAuth section 6.1.1).
If this parameter is absent, the Service Provider will use the established Accessor Secret. (That's the Consumer Secret, for a Service Provider that doesn't support the Accessor Secret Extension.)
Comments (0)
You don't have permission to comment on this page.