We're not communicating clearly, I fear. Let's use the terms from the OAuth Core 1.0 specification section 6 http://oauth.net/core/1.0/#anchor9
There are two tokens: a request token and an access token. The service provider chooses the tokens. They may be different. The service provider may pack data into the tokens, but this isn't specified by OAuth.

There are three steps:

1. The Consumer obtains an unauthorized Request Token.
2. The User authorizes the Request Token.
3. The Consumer exchanges the Request Token for an Access Token.

Step 2 doesn't produce a new token. It changes state in the service provider, so the service provider associates authority (permission) with the request token.

On Jan 31, 3:07 pm, "Krishna Sankar (ksankar)" <[email protected]> wrote:
> I thought they *need not* be the same - because a service
> provider could conceivably encode some opaque values in the
> tokens and those might be different in the unauthorized &
> authorized requestTokens. I am actually planning on these
> two being different. Does the spec specify that these two
> tokens should be the same?
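
The three steps described in the message above, as an added example that is not part of the original thread: a toy in-memory Service Provider in which step 2 leaves the Request Token string unchanged and only updates server-side state. The class and method names are hypothetical, and request signing and token secrets are left out to keep the focus on token state.

```python
import secrets


class ServiceProvider:
    """Toy in-memory Service Provider (hypothetical names, no signatures)."""

    def __init__(self):
        # request token -> {"consumer": key, "user": None until authorized}
        self._request_tokens = {}
        # access token -> {"consumer": key, "user": user id}
        self._access_tokens = {}

    def issue_request_token(self, consumer_key):
        # Step 1: the Consumer obtains an unauthorized Request Token.
        token = secrets.token_urlsafe(16)
        self._request_tokens[token] = {"consumer": consumer_key, "user": None}
        return token

    def authorize(self, request_token, user_id):
        # Step 2: the User authorizes the Request Token. No new token is
        # produced; only the Service Provider's record for it changes.
        self._request_tokens[request_token]["user"] = user_id

    def is_authorized(self, request_token):
        record = self._request_tokens.get(request_token)
        return record is not None and record["user"] is not None

    def exchange(self, consumer_key, request_token):
        # Step 3: the Consumer exchanges the Request Token for an Access Token.
        record = self._request_tokens.get(request_token)
        if record is None or record["consumer"] != consumer_key:
            raise PermissionError("unknown request token for this consumer")
        if record["user"] is None:
            raise PermissionError("request token has not been authorized")
        del self._request_tokens[request_token]  # exchanged at most once
        access_token = secrets.token_urlsafe(16)
        self._access_tokens[access_token] = {
            "consumer": consumer_key, "user": record["user"]}
        return access_token

    def user_for(self, access_token):
        return self._access_tokens[access_token]["user"]


def run_flow():
    # Constructed sample values: consumer key "consumer-1", user "alice".
    sp = ServiceProvider()
    request_token = sp.issue_request_token("consumer-1")
    before = sp.is_authorized(request_token)
    sp.authorize(request_token, "alice")
    after = sp.is_authorized(request_token)
    access_token = sp.exchange("consumer-1", request_token)
    return request_token, before, after, access_token, sp.user_for(access_token)
```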
