[Openid-specs-ab] Magic Signature or JSON Token Signature?

Nat Sakimura sakimura at gmail.com
Wed Jul 21 09:00:09 UTC 2010


In OAuth 2.0, IETF is starting to define JSON Token Signature.
It is very similar to Magic Signatures, but a bit different.
In Magic Signatures, the Signature itself is inside the JSON
structure. Simply put, it will look like

{
   "data":"base64url encoded data without padding",
   "alg":"RSA-SHA256",
   "sigs": [
        {    "value":"signature value",
             "sighash":"key_and_exponent"
        }
     ]
}

In JSON Token Signature, the signature is outside. Envelope parameters
like "alg" and other unencoded data are put into JSON and base64url
encoded.
Then, the signature is taken and the two are concatenated with ".".

So, it looks like:

base64_url_encoded_data_with_envelope_parameters.signature_value

As of draft12, AB uses Magic Signature, but looking at what goes on at
OAuth2.0, I am debating if we should use JSON Token Signature instead.

Which do you prefer?

-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
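
The two layouts compared in the message above, as an added example that is not part of the original post or of either specification. Assumptions: HMAC-SHA256 from the standard library stands in for the message's RSA-SHA256, the key and key id are constructed, and the embedded signature is taken over the encoded "data" string only.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key
ALG = "HMAC-SHA256"            # assumption: stand-in for RSA-SHA256

def b64u(raw: bytes) -> str:
    """base64url without padding, as described in the message."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(msg: bytes) -> str:
    return b64u(hmac.new(KEY, msg, hashlib.sha256).digest())

def check(sig: str, msg: bytes) -> bool:
    return hmac.compare_digest(sig.encode(), sign(msg).encode())

def make_embedded(payload: bytes) -> str:
    """Magic Signature shape: the signature sits inside the JSON structure."""
    data = b64u(payload)
    sigs = [{"value": sign(data.encode()), "sighash": "constructed-key-id"}]
    return json.dumps({"data": data, "alg": ALG, "sigs": sigs})

def verify_embedded(doc: str) -> bytes:
    env = json.loads(doc)  # untrusted JSON is parsed before any check can run
    if env.get("alg") != ALG:  # pin the algorithm, never follow the envelope
        raise ValueError("unexpected alg")
    data = env["data"].encode()
    if not any(check(s.get("value", ""), data) for s in env["sigs"]):
        raise ValueError("bad signature")
    return b64u_dec(env["data"])

def make_token(payload: bytes) -> str:
    """JSON Token shape: base64url(JSON with envelope parameters) "." signature."""
    body = b64u(json.dumps({"alg": ALG, "data": payload.decode()}).encode())
    return body + "." + sign(body.encode())

def verify_token(token: str) -> bytes:
    body, _, sig = token.partition(".")
    if not check(sig, body.encode()):  # received bytes are verified first
        raise ValueError("bad signature")
    env = json.loads(b64u_dec(body))   # parsed only after verification
    if env.get("alg") != ALG:
        raise ValueError("unexpected alg")
    return env["data"].encode()
```

In the token layout the "alg" value is part of the signed bytes and nothing is parsed until the signature has been checked; in the embedded layout, as assumed here, "alg" travels beside the signed data, so the verifier has to pin it independently.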


