OAuth doesn't tell a consumer who the user is. I mean, it doesn't authenticate the user to the consumer. The service provider may associate access tokens with an authenticated user, but a consumer can't get this information via OAuth alone. I've heard that people are working to combine OAuth and OpenID, to create a system for both authentication and authorization. You might find that useful. Sorry I don't know more.
An OAuth service provider can 'remind' a consumer of a previous access token by simply returning that token again, in response to the consumer's request for an access token. The service provider need not ask the user to confirm authorization. That is, it can skip the 'allow' screen, if it knows (from a previous interaction) that the user has already authorized the consumer. Of course, this requires the service provider to maintain a database of authorized consumers for each user. Netflix does this. By the way, the service provider need not ask the user to authenticate, if it can recognize the user quietly. For example, the user's browser could send a cookie that identifies the user (reliably enough to satisfy the service provider).
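
The bookkeeping described in this message, as an added example (not part of the original post, and not Netflix's or any provider's code): a service provider keeps a per-user table of authorized consumers, skips the 'allow' screen on a match, and returns the same access token again. The class and method names, the in-memory store, the sample user and consumer key, and the revoke step are assumptions made for illustration.

```python
import secrets
from typing import Dict, Optional, Tuple

Token = Tuple[str, str]  # (access token, token secret)


class GrantStore:
    """Service-provider table of consumers each user has authorized."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], Token] = {}

    def needs_allow_screen(self, user_id: Optional[str], consumer_key: str) -> bool:
        # A user the provider cannot recognize (no valid session cookie)
        # must authenticate and approve; the screen is never skipped for them.
        if user_id is None:
            return True
        return (user_id, consumer_key) not in self._grants

    def record_allow(self, user_id: str, consumer_key: str) -> Token:
        # Called only after the user approves this consumer.
        token = (secrets.token_urlsafe(16), secrets.token_urlsafe(32))
        self._grants[(user_id, consumer_key)] = token
        return token

    def access_token(self, user_id: str, consumer_key: str) -> Optional[Token]:
        # "Reminds" the consumer: the same token comes back on every request.
        return self._grants.get((user_id, consumer_key))

    def revoke(self, user_id: str, consumer_key: str) -> None:
        # Assumed addition: lets the user withdraw a grant, so the
        # 'allow' screen is shown again on the next request.
        self._grants.pop((user_id, consumer_key), None)


if __name__ == "__main__":
    store = GrantStore()
    # Constructed sample values: user "alice", consumer key "photo-printer".
    print(store.needs_allow_screen("alice", "photo-printer"))   # first visit
    first = store.record_allow("alice", "photo-printer")
    print(store.needs_allow_screen("alice", "photo-printer"))   # return visit
    print(store.access_token("alice", "photo-printer") == first)
    print(store.needs_allow_screen(None, "photo-printer"))      # no cookie
    store.revoke("alice", "photo-printer")
    print(store.needs_allow_screen("alice", "photo-printer"))   # after revoke
```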
