Hi all,

I have a working implementation of an OAuth 2.0 authentication solution using the standard HMAC shared key mechanism. A new requirement has been added: the servers issuing the tokens are secure, but some of the servers which will "trust" issued tokens are considered "semi secure", and should not have access to the shared secret which is used to issue the token.

What I've come up with so far is to tweak the algorithm to use asymmetric keys: the issuer would sign with a private key and the trusting servers would validate using the public key.

Has this been done before? Does it sound feasible?