On 19/11/11 19:15, Pierre GIRAUD wrote:

My concerns now are to avoid the authorization multiplication, i.e. to
prevent users from being asked several times for a permission they
already gave.

Well just carry on using the same access token that you got the first time. You only get proliferation if you keep restarting the process by getting a new request token, authorising it, and then converting it to an access token.

Shouldn't there be a mechanism that verifies that the application has
already been authorized?

Yes - your possession of the access token and its secret is how you prove that you have been authorized. If you hang on to those and reuse them then we will continue to allow you access.

In this application [1] described here [2], once the user has
authorized the application, he can log in again and again without
being asked for permission unless he goes to the profile and revokes
the authorization intentionally.
[1] http://facebook-auth.appspot.com/
[2] http://facebook-python-library.docs-library.appspot.com/facebook-python/examples/oauth.html

Facebook is not directly comparable because it doesn't use OAuth as far as I know. It uses the proprietary Facebook Connect protocol.

I don't know the details of how the Facebook protocol works, but it is certainly possible to do what you want with OAuth.

Tom

--
Tom Hughes ([email protected])
http://compton.nu/

_______________________________________________
dev mailing list
[email protected]
http://lists.openstreetmap.org/listinfo/dev
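
The reuse pattern described in the reply above, as an added example that is not part of the original thread and is not OpenStreetMap's code: the client runs the request-token/authorize/access-token sequence only when it has no stored credentials, and afterwards proves its authorization by signing each request with the stored token secret (OAuth 1.0a HMAC-SHA1, RFC 5849 section 3.4). The names `load_or_authorize` and `sign_request`, the JSON file layout, and the sample URL and key values are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os
from urllib.parse import quote

def load_or_authorize(path, authorize):
    """Return the stored (token, secret); run the authorization flow only if none is stored."""
    try:
        with open(path) as f:
            saved = json.load(f)
        return saved["token"], saved["secret"]
    except (FileNotFoundError, KeyError, ValueError):
        pass  # nothing usable on disk: this is the one time the user is asked
    # authorize() is the caller's request token -> user approval -> access token step
    token, secret = authorize()
    # Create the file owner-only: the token secret is a bearer credential.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump({"token": token, "secret": secret}, f)
    return token, secret

def _enc(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def sign_request(method, url, params, consumer_secret, token_secret):
    """OAuth 1.0a HMAC-SHA1 signature over method, URL and all request parameters."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    # The key combines both secrets, so a valid signature shows possession of the token secret.
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

if __name__ == "__main__":
    # Constructed sample values; a real client takes these from its provider registration.
    def authorize():
        print("asking the user for permission (happens once)")
        return "constructed-token", "constructed-token-secret"
    for _ in range(2):
        token, secret = load_or_authorize("access_token.json", authorize)
        params = {"oauth_consumer_key": "constructed-key", "oauth_token": token,
                  "oauth_signature_method": "HMAC-SHA1",
                  "oauth_timestamp": "1321730100", "oauth_nonce": "constructed-nonce"}
        print(sign_request("GET", "https://api.example.org/user/details",
                           params, "constructed-consumer-secret", secret))
```

Deleting the stored file, or the user revoking the token on the provider side, is what should send the client back through the authorization step.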
