Skip to content

httpsig and short-lived bearer tokens as alternative to sharedSecret #98

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
michielbdejong merged 8 commits into from
Sep 3, 2024
Merged

httpsig and short-lived bearer tokens as alternative to sharedSecret #98

Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
8ee7009
OAuth code as alternative to sharedSecret
michielbdejong Aug 26, 2024
11160b1
whitespace
michielbdejong Aug 26, 2024
edde0b9
typo
michielbdejong Aug 26, 2024
36a3e15
GNAP instead of OAuth 2.0 Authorization Code flow
michielbdejong Aug 27, 2024
82db97d
camel case
michielbdejong Aug 27, 2024
98d0186
simplify from GNAP to httpsig+bearer
michielbdejong Sep 3, 2024
17a5e25
clarify language
michielbdejong Sep 3, 2024
72349f1
`<OCM endpoint>/token`
michielbdejong Sep 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
<OCM endpoint>/token
  • Loading branch information
@michielbdejong
michielbdejong authored Sep 3, 2024
commit 72349f184f3aee5926b97c6c03ab48a42aeaee92
2 changes: 1 addition & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ In response to a share creation, the receiving server MAY send back a [notificat
To access a share, the receiving server MAY use multiple ways, depending on the received payload and on the `protocol.name` property:

* If `protocol.name` = `multi`, the receiver MUST make a HTTP PROPFIND request to `protocol.webdav.uri` to access the remote share. If `protocol.webdav.sharedSecret` is not empty, the receiver MUST pass it as a `Authorization: bearer` header.
Otherwise, if `protocol.webdav.code` is not empty, the receiver SHOULD discover the sender's `tokenEndpoint` and make a signed POST request to it, to exchange
Otherwise, if `protocol.webdav.code` is not empty, the receiver SHOULD discover the sender's OCM endpoint and make a signed POST request to `<OCM endpoint>/token`, to exchange
the code for a short-lived bearer token,
and then use that bearer token to access the remote share.

Expand Down