JWS?


Bill Burke

Nov 5, 2012, 6:12:16 PM
to oz-pr...@googlegroups.com
What about incorporating JSON Web Signature (JWS) with a JSON payload for your OZ authorization headers? What I like about JWS is that it's designed to be small and usable within headers or URI query params.

Eran Hammer

Nov 5, 2012, 6:35:45 PM
to Bill Burke, oz-pr...@googlegroups.com

Unnecessary complexity.

 

EH


Bill Burke

Nov 6, 2012, 8:31:20 AM
to oz-pr...@googlegroups.com, Bill Burke
Why is it too complex? JWS and JWE are really really simple and there's pretty much code support for them in most modern languages. They would give you a lot more flexibility than the name value approach you're taking now. Plus, down the road, if you decide to take a more OAuth 2 approach of using a lot more redirection URLs, they work in query params quite well.

IIRC, one of the drawbacks of OAuth 1 that I read was that developers often couldn't get the canonicalization and signatures right all the time. Either because of erroneous code, or, proxies might screw up headers when rewritten. Since JWS/JWE is really just a big Base64 encoded string, seems it might solve a lot of those issues.
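The canonicalization point in the last message, as an added example that is not part of any post in this thread and is not Oz code: a minimal JWS compact serialization (RFC 7515, HS256) in Node.js, where the MAC covers the exact base64url text that travels in the header, and the verifier pins the algorithm. The key, the payload fields `ts` and `app`, and the function names are constructed for illustration.

```javascript
// Added example: minimal JWS compact serialization (RFC 7515) with HS256.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Sign the payload bytes exactly as given; there is no canonicalization step.
function jwsSign(payloadText, key) {
  const header = b64url(JSON.stringify({ alg: 'HS256' }));
  const signingInput = `${header}.${b64url(payloadText)}`;
  const sig = crypto.createHmac('sha256', key).update(signingInput).digest();
  return `${signingInput}.${b64url(sig)}`;
}

// Returns the parsed payload, or null if the token is malformed or forged.
function jwsVerify(token, key) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  let alg;
  try {
    alg = JSON.parse(Buffer.from(header, 'base64url').toString('utf8')).alg;
  } catch { return null; }
  // Pin the algorithm: the token never chooses it (rejects "none" and others).
  if (alg !== 'HS256') return null;
  // The MAC is recomputed over the received text, not over re-serialized JSON.
  const expected = crypto.createHmac('sha256', key).update(`${header}.${payload}`).digest();
  const got = Buffer.from(sig, 'base64url');
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) return null;
  try {
    return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch { return null; }
}

// Constructed sample values (not from the Oz project).
const KEY = Buffer.from('constructed-demo-key-not-a-real-secret');
// Odd whitespace and key order on purpose: it is signed byte-for-byte.
const PAYLOAD = '{ "ts":1352157136,\n  "app" : "example-app" }';

function demo() {
  const token = jwsSign(PAYLOAD, KEY);
  const [h, p, s] = token.split('.');
  const forgedPayload = b64url('{"ts":1352157136,"app":"other-app"}');
  const noneHeader = b64url(JSON.stringify({ alg: 'none' }));
  return {
    valid: jwsVerify(token, KEY),                               // parsed payload
    tampered: jwsVerify(`${h}.${forgedPayload}.${s}`, KEY),     // null
    algNone: jwsVerify(`${noneHeader}.${p}.`, KEY),             // null
    headerSafe: /^[A-Za-z0-9_.-]+$/.test(token),                // true
  };
}
```

The token contains only characters that survive header rewriting and URL query strings unescaped, which is why no normalization rules are needed on either side.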