Encapsulated Tokens

Antonio Sanso

Nov 27, 2012, 1:15:34 PM
to oz-pr...@googlegroups.com
Hi Eran,

Will Oz deal with Encapsulated Tokens?
In your last talk you mentioned them.
I was indeed wondering if all that crypto machinery, e.g. "encrypt then MAC", is needed for MAC tokens (without https) or also for Bearer Tokens with https.

Regards

Antonio

Eran Hammer

Nov 29, 2012, 3:01:33 AM
to Antonio Sanso, oz-pr...@googlegroups.com

Tokens is an OAuth term. Oz uses encapsulated “tokens” – called tickets. You can see how they are created and parsed in tickets.js.

Bearer tokens are an OAuth concept that is not supported in Oz. Also, MAC tokens never really made it out of the OAuth working group. I did create a replacement for those looking for OAuth 1.0 style authentication (2-legged) called Hawk this weekend:

https://github.com/hueniverse/hawk

EH

Antonio Sanso

Dec 12, 2012, 1:12:52 PM
to Eran Hammer, oz-pr...@googlegroups.com
Thanks a lot for your answer, Eran.
Hawk looks good.
Comparing the security considerations of the tickets, though, it seems that only integrity is provided (using a MAC algorithm).
In that talk I was pointing out before, I have seen you instead hinting toward an authentication encryption solution (encrypt then MAC) that would also provide confidentiality.

Am I wrong?

Regards

Antonio