WebApp Sec mailing list archives

OAuth token authentication


From: saghar estehghari <s.estehghari () gmail com>
Date: Mon, 12 Aug 2013 17:03:54 +0200

Hi,

On a cloud project that I'm currently working on, we authenticate the
clients by password and get access to their keys using their password
(using a PBKDF2 function).

However, we want to provide the user with another option, which is
authenticating with an OAuth token. So the problem that I'm facing
right now is that if the user doesn't type a password, then I can't
access his key, as the passwords are saved salted and hashed in the DB. I
know that we can add some parameters to the token (e.g. adding the
encrypted password for accessing the key), but it seems to me
insecure, as the tokens are vulnerable to replay attacks (and it's
possible that the expiration date would be long)!

So I was wondering whether any of you had faced a similar problem
and could help me with your ideas :)

Thanks for your time

Regards


