On Tue, Apr 28, 2009 at 9:42 AM, Dossy Shiobara <[email protected]> wrote:
>
> On 4/28/09 9:05 AM, Peter Keane wrote:
>> That's exactly right:  OAuth leverages the secrecy of the out-of-band
>> agreement between consumer and SP.   The request token is built upon
>> that assumption, so it can safely be considered secret for the
>> purposes of OAuth.
>
> If this is the founding principle of OAuth, then perhaps I'm wasting my
> time.  Perhaps I should instead formulate a specification for an open
> authorization protocol that doesn't have this assumption.
>

Dossy-

It's only part of the equation though. The *whole* protocol does not
rest on that.  Only the part that allows the consumer to
"authenticate" (as it were), with the SP -- essentially saying "yes,
SP, this is indeed the consumer that pre-registered with you".  Mixing
in the user is where things get tricky....

--peter

> --
> Dossy Shiobara              | [email protected] | http://dossy.org/
> Panoptic Computer Network   | http://panoptic.com/
>   "He realized the fastest way to change is to laugh at your own
>     folly -- then you can let go and quickly move on." (p. 70)
>
> >
>
