@@ -636,7 +636,7 @@ contain the following information about its OCM API:
636636 As implementations MUST accept Share Creation Notifications
637637 to be compliant, it is not necessary to expose that as a
638638 capability.
639- Example : ` ["receive-code ", "webdav-uri"]` . The array MAY
639+ Example : ` ["exchange-token ", "webdav-uri"]` . The array MAY
640640 include for instance :
641641 _ `"enforce-mfa"` - to indicate that this OCM Server can apply a
642642 Sending Server's MFA requirements for a Share on their behalf.
@@ -651,29 +651,29 @@ contain the following information about its OCM API:
651651 Invite Sender or Invite Receiver OCM Server. This might be useful
652652 for suggesting to a user that existing contacts might be upgraded
653653 to the more secure (and possibly required) invite flow.
654- _ `"receive-code"` - to indicate that this OCM Server can receive a
655- ` code` as part of a Share Creation Notification, and exchange it
656- for a bearer token at the Sending Server's tokenEndPoint.
654+ _ `"exchange-token"` - to indicate that this OCM Server exposes a
655+ [RFC6749]-compliant endpoint, which allows to exchange a secret
656+ received in the protocol properties of a Share Creation Notification
657+ for a short-lived bearer token.
657658 _ `"invite-wayf"` - to indicate that this OCM Server exposes a WAYF
658659 Page to facilitate the Invite flow.
659660* OPTIONAL: criteria (array of string) - The criteria for accepting a
660661 Share Creation Notification.
661662 As all Receiving Servers SHOULD require the use of TLS in API
662663 calls, it is not necessary to expose that as a criterium.
663- Example : ` ["http-request-signatures", "code" ]` . The array MAY
664- include for instance
664+ Example : ` ["http-request-signatures"]` . The array MAY include
665+ for instance :
665666 _ `"http-request-signatures"` - to indicate that API requests
666667 without http signatures will be rejected.
667- _ `"code "` - to indicate that API requests without code will be
668- rejected (i.e. the `sharedSecret` in the protocol details will be
669- ignored ).
668+ _ `"token-exchange "` - to indicate that API requests without
669+ token exchange will be rejected (see the [Code Flow](#code-flow)
670+ section ).
670671 _ `"denylist"` - some servers MAY be blocked based on their IP
671672 address
672673 _ `"allowlist"` - unknown servers MAY be blocked based on their IP
673674 address \* `"invite"` - an invite MUST have been exchanged between the
674675 sender and the receiver before a Share Creation Notification can be
675676 sent
676-
677677* OPTIONAL: publicKey (object) - The signatory used to sign outgoing
678678 request to confirm its origin.
679679 The signatory is optional, but if present, it MUST contain
@@ -697,7 +697,7 @@ contain the following information about its OCM API:
697697` /index.php/apps/sciencemesh/accept?token=zi5kooKu3ivohr9a&providerDomain=example.com` .
698698* OPTIONAL: tokenEndPoint (string) - URL of the token endpoint where
699699 the Sending Server can exchange a `code` for a bearer token.
700- Implementations that offer the `"receive-code "` capability MUST
700+ Implementations that offer the `"exchange-token "` capability MUST
701701 provide this URL as well.
702702 Example : ` "https://my-cloud-storage.org/ocm/token"` .
703703
@@ -770,9 +770,6 @@ To create a Share, the Sending Server SHOULD make a HTTP POST request
770770 The expiration time for the OCM share, in seconds
771771 of UTC time since Unix epoch. If omitted, it is assumed
772772 that the share does not expire.
773- * OPTIONAL code (string)
774- A nonce to be exchanged for a (potentially short-lived)
775- bearer token at the Sending Server's tokenEndPoint [RFC6749]
776773* REQUIRED protocol (object)
777774 JSON object with specific options for each protocol.
778775 The supported protocols are : - `webdav`, to access the data -
@@ -817,12 +814,10 @@ servers MAY only support `webdav`.
817814 SHOULD be relative, in which case the prefix
818815 exposed by the `/.well-known/ocm` endpoint MUST
819816 be used. Absolute URIs are deprecated.
820- - OPTIONAL sharedSecret (string) - REQUIRED if no `code` field is
821- given for the Share as a whole (see above). An
822- optional secret to be used to access the Resource,
823- such as a bearer token.
824- To prevent leaking it in logs it MUST NOT appear in
825- any URI.
817+ - REQUIRED sharedSecret (string)
818+ A secret to be used to access the Resource, such as
819+ a bearer token. To prevent leaking it in logs it
820+ MUST NOT appear in any URI.
826821 - OPTIONAL permissions (array of strings) -
827822 The permissions granted to the sharee. A subset
828823 of : - `read` allows read-only access including
@@ -831,13 +826,14 @@ servers MAY only support `webdav`.
831826 Resource.
832827 - OPTIONAL requirements (array of strings) -
833828 The requirements that the sharee MUST fulfill to
834- access the Resource. A subset of : - `mfa-enforced ` requires the
829+ access the Resource. A subset of : - `must-use-mfa ` requires the
835830 consumer to be MFA-authenticated. This MAY be used if the
836831 recipient provider exposes the `enforce-mfa`
837- capability. - `use-code` requires the consumer to exchange
838- the given `code` via a signed HTTPS request. This
839- MAY be used if the recipient provider exposes the
840- ` receive-code` capability.
832+ capability. - `must-exchange-token` requires the recipient to
833+ exchange the given `sharedSecret` via a signed HTTPS request
834+ to the Sending Server's {tokenEndPoint} [RFC6749].
835+ This MAY be used if the recipient provider exposes the
836+ ` exchange-token` capability.
841837* Protocol details for `webapp` MAY contain:
842838 - REQUIRED uri (string)
843839 A URI to a client-browsable view of the Shared
0 commit comments