On Thu, Feb 19, 2009 at 5:48 PM, Simon Wistow <[email protected]> wrote:
>
> A user has walked an app through to getting the access token/secret and
> has been using the app successfully then somehow loses them.
>
> What's the recommended practice here?
>
> - nuke the old pair and reauthenticate to issue a new pair?
> - reauthenticate and hand out the old pair?
> - keep the old pair but issue a new pair?
> - force them to get a new API key?

I'm not sure that I understand the terminology correctly (what's the
difference between the API key and the token/secret pair?)

In any event, the "correct" behaviour in the event of an app losing an
access token/secret is that that app should act as though it had never
authenticated the user before. The service provider doesn't need to do
anything special, and neither does the consumer app.

As far as cleaning up unused tokens, that's probably the
responsibility of the service provider, based on their policies. For
example, it could be something like "tokens that haven't been used for
successful authentication in six months will be deleted." The worst
case is that an application would need to be re-authorized if the
token were deleted.

> As a related problem - what's the best practice in that case? Should
> each instance of the app have a separate access token/secret or should
> they share?

Each instance should have a separate access token / secret. There may
be situations where sharing makes sense, but I can't think of any. ;-)

b.
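To make the advice above concrete, here is an added example (not code from the thread or from any OAuth library) that models both sides: a consumer instance that treats a missing or rejected access token/secret pair as "never authorized" and simply re-runs authorization, and a service provider that issues a separate pair per authorization and deletes pairs that have not been used for six months. The `authorize` step is a stand-in for the full OAuth 1.0 request-token/authorize/access-token exchange, and the consumer key, user name and dates are constructed for the demo.

```python
"""Constructed model of access-token loss and cleanup in an OAuth 1.0 style setup."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

SIX_MONTHS = timedelta(days=182)  # provider policy from the thread: unused for six months -> delete


@dataclass
class AccessToken:
    token: str
    secret: str
    consumer_key: str
    user_id: str
    issued_at: datetime
    last_used_at: datetime


class ServiceProvider:
    """Provider-side store of access token/secret pairs (constructed, in-memory)."""

    def __init__(self):
        self._tokens = {}  # token string -> AccessToken

    def issue_access_token(self, consumer_key, user_id, now):
        # Every authorization yields a fresh pair; an older pair for the same user
        # stays valid until the idle sweep removes it.
        rec = AccessToken(secrets.token_hex(16), secrets.token_hex(32),
                          consumer_key, user_id, now, now)
        self._tokens[rec.token] = rec
        return rec

    def authenticate(self, token, secret, now):
        """Return the user id for a valid pair and record the use, else None."""
        rec = self._tokens.get(token)
        if rec is None or not secrets.compare_digest(rec.secret, secret):
            return None
        rec.last_used_at = now
        return rec.user_id

    def expire_unused(self, now, max_idle=SIX_MONTHS):
        """Delete pairs not used for successful authentication within max_idle."""
        stale = [t for t, r in self._tokens.items() if now - r.last_used_at > max_idle]
        for t in stale:
            del self._tokens[t]
        return len(stale)

    def token_count(self):
        return len(self._tokens)


class ConsumerInstance:
    """One installed instance of the consumer app, holding its own token/secret pair."""

    def __init__(self, instance_id, consumer_key, provider):
        self.instance_id = instance_id
        self.consumer_key = consumer_key
        self.provider = provider
        self.token = None  # (token, secret) or None when lost / never obtained
        self.authorizations = 0  # how many times the user had to authorize this instance

    def authorize(self, user_id, now):
        # Stand-in for the request-token / user-approval / access-token exchange.
        self.authorizations += 1
        rec = self.provider.issue_access_token(self.consumer_key, user_id, now)
        self.token = (rec.token, rec.secret)

    def lose_credentials(self):
        self.token = None

    def call_api(self, user_id, now):
        """Use the stored pair; if absent or rejected, behave as if never authorized."""
        if self.token is not None:
            if self.provider.authenticate(*self.token, now) == user_id:
                return user_id
        self.authorize(user_id, now)
        return self.provider.authenticate(*self.token, now)


def demo():
    """Two instances of one app; one loses its pair; the provider sweeps idle pairs."""
    provider = ServiceProvider()
    laptop = ConsumerInstance("laptop", "example-consumer-key", provider)
    phone = ConsumerInstance("phone", "example-consumer-key", provider)
    t0 = datetime(2009, 2, 19)
    laptop.call_api("alice", t0)
    phone.call_api("alice", t0)
    separate = laptop.token != phone.token          # each instance got its own pair
    laptop.lose_credentials()
    laptop.call_api("alice", t0 + timedelta(days=1))  # silently re-authorizes
    tokens_after_loss = provider.token_count()        # orphaned pair still stored
    laptop.call_api("alice", t0 + timedelta(days=100))  # keeps the new pair in use
    swept = provider.expire_unused(t0 + timedelta(days=200))  # orphaned + idle phone pair
    phone.call_api("alice", t0 + timedelta(days=200))  # phone's pair was swept -> re-authorize
    return {
        "separate_pairs": separate,
        "laptop_authorizations": laptop.authorizations,
        "tokens_after_loss": tokens_after_loss,
        "swept": swept,
        "phone_authorizations": phone.authorizations,
        "tokens_after_sweep": provider.token_count(),
    }


if __name__ == "__main__":
    print(demo())
```

The consumer never needs a special "recover my token" path: losing the pair and having the provider reject a stale pair both fall through to the same re-authorization branch, which is the "act as though it had never authenticated the user" behaviour described above. The only cost is one extra authorization by the user, and the provider's idle sweep is what eventually removes the orphaned pair.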

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
