New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trade in shared secret for an OAuth-grade refresh/access token? #81
Comments
See also #80 |
So we would remove Lines 465 to 469 in b45c7a0
And then instead the flows would be something like this:
|
I'm not sure if we should push for this without a proactive ask for it from vendors. Will close it until someone asks for this option to be added. |
This is a blocker for oCIS. I'll try to clarify our requirements next week. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We could benefit from OAuth best practices if we frame OCM as a pro-active flavour of OAuth.
The resource owner pro-actively gives the client access and sends them a shared secret via OCM.
After that, the current practice is that the client would then use this secret as-is to access the resource API (WebDAV or otherwise).
It might be better if we use the OAuth framework to make sure this client secret is not included in each network request.
The text was updated successfully, but these errors were encountered: