Hi Simone,

1) Yes, in my experience you should be storing, on the SP side, the link between request token and consumer at the time the request token is generated.

2) This is up to you. All you're generating is a key that gives access to "some resource"; how that key is secured, and whether it gives only partial access to the system, should depend on what makes sense in your application. A lot of services have a way of registering which resources the consumer will need when registering for a consumer token. Google OAuth has ways of specifying which "systems" you want to have access to.

3) The SP needs to store as much information as is needed to create an access token that gives access to the correct user. So either you pre-generate the access token and attach that to the user and the request token, or you attach the user to the request token and generate an access token later (when the call to swap the request token for the access token is received). These implementation details are left to you, as there's no way of telling you how your system could/should work. All you need to make sure is that when I, as a consumer, swap my request token for an access token, I am given an access token that allows permission to get at the resources the user allowed me access to.

Cheers
Owen

2009/5/4 Simone <[email protected]>
>
> Hi, I'm new in this group. I'm studying the OAuth protocol and there
> are some questions that I would like to ask you in order to verify if I've
> understood it well. I've already read many posts of this group about these
> questions, but I want to join them all together.
>
> I know that Core 1.0 leaves the Service Provider the freedom to
> implement its role in the protocol; in fact in the next questions I try
> to understand what hypothetically should happen.
>
> 1) Service Provider side, what happens immediately after the
> Consumer makes a request for an unauthorized Request Token? The
> Service Provider creates a local entry in its database where there is
> the binding between the Request Token and the Consumer? Because in the
> next step the Consumer redirects the User to log in at the Service
> Provider, and the Service Provider shows the User that there is a
> specific Consumer that wants access to the resources, but how does it know
> which Consumer this is? Then I suppose that the previous local
> entry can be useful in this step, because the Service Provider can
> search in its database for the entry for the Request Token and find the
> corresponding Consumer. Is this correct, or does something else happen in this
> step?
>
> 2) "By default", after the User is redirected by the Consumer to the
> Service Provider, if the User authorizes the Consumer then the User
> grants access to all its resources? "By default" in the sense that, if
> I'm not wrong, the Service Provider can also implement a way to
> grant limited access, for example read-only access.
>
> 3) Service Provider side, what happens immediately after the User
> grants access to the Consumer? The Service Provider creates a local
> entry in its database where there is the binding between the Request
> Token and the User, or between the User and the Consumer? Because when
> the Consumer afterwards makes a request for an Access Token, the Service
> Provider needs to know which User is involved, or not?
>
>
> Thanks to everybody :)
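The three bindings Owen describes (request token to consumer at issue time, user and granted scope to the request token at authorization, and a one-time swap of that request token for an access token by the same consumer) can be modelled in a few dozen lines. The following is an added example written for this page, not code from Owen, Simone or any OAuth library. It keeps only the Service Provider's token bookkeeping for the Core 1.0 flow as discussed in the thread: signature verification, nonce/timestamp checks and HTTP handling are omitted, and the consumer key "app-key", the display name "Photo Printer", the user "alice" and the scope names "read"/"write" are constructed for the demo.

```python
"""In-memory model of a Service Provider's token state in the OAuth Core 1.0 flow.

Only the bindings between consumer, request token, user and access token are
shown; signatures, nonces, timestamps and transport are out of scope here.
All consumer keys, user names and scope strings are constructed for the demo.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class RequestToken:
    consumer_key: str                 # bound to the consumer when issued (question 1)
    secret: str
    user: Optional[str] = None        # bound to the user when they authorize (question 3)
    scopes: frozenset = frozenset()   # what the user actually granted (question 2)
    authorized: bool = False
    exchanged: bool = False           # a request token may be swapped exactly once


@dataclass
class AccessToken:
    consumer_key: str
    user: str
    scopes: frozenset
    secret: str


class ServiceProvider:
    def __init__(self, consumers):
        # consumer_key -> (display name, consumer secret); registered out of band
        self.consumers = dict(consumers)
        self.request_tokens: dict[str, RequestToken] = {}
        self.access_tokens: dict[str, AccessToken] = {}

    def issue_request_token(self, consumer_key):
        """Step 1: hand out an unauthorized request token tied to this consumer."""
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        token, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.request_tokens[token] = RequestToken(consumer_key=consumer_key, secret=secret)
        return token, secret

    def consumer_for_request_token(self, token):
        """What the authorization page needs to display: which consumer is asking."""
        rt = self.request_tokens.get(token)
        if rt is None or rt.authorized or rt.exchanged:
            return None
        return self.consumers[rt.consumer_key][0]

    def authorize(self, token, user, scopes=("read", "write")):
        """Step 2: the logged-in user approves the consumer, possibly with a narrower scope."""
        rt = self.request_tokens.get(token)
        if rt is None or rt.authorized or rt.exchanged:
            raise PermissionError("request token is not awaiting authorization")
        rt.user, rt.scopes, rt.authorized = user, frozenset(scopes), True

    def exchange(self, consumer_key, token):
        """Step 3: swap an authorized request token for an access token, once."""
        rt = self.request_tokens.get(token)
        # The consumer presenting the request token must be the one it was issued to.
        if rt is None or rt.consumer_key != consumer_key or not rt.authorized or rt.exchanged:
            raise PermissionError("request token cannot be exchanged")
        rt.exchanged = True
        access, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.access_tokens[access] = AccessToken(consumer_key, rt.user, rt.scopes, secret)
        return access, secret

    def check_access(self, access_token, consumer_key, scope):
        """Protected-resource check: right consumer, and the scope was actually granted."""
        at = self.access_tokens.get(access_token)
        return at is not None and at.consumer_key == consumer_key and scope in at.scopes


def demo():
    """Walk one consumer through the whole flow with a read-only grant."""
    sp = ServiceProvider({"app-key": ("Photo Printer", "app-secret")})
    rt, _ = sp.issue_request_token("app-key")
    shown = sp.consumer_for_request_token(rt)       # authorization page shows "Photo Printer"
    sp.authorize(rt, "alice", scopes=("read",))     # user grants read-only access
    at, _ = sp.exchange("app-key", rt)
    return {
        "consumer_shown": shown,
        "user": sp.access_tokens[at].user,
        "read": sp.check_access(at, "app-key", "read"),
        "write": sp.check_access(at, "app-key", "write"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the authorization page never needs the consumer to identify itself again: the request token alone recovers the consumer from the store, which is exactly the lookup Simone asks about in question 1. The `exchange` check that the presenting consumer matches the one recorded at issue time, and the `exchanged` flag, are what keep the request token from being redeemed by anyone else or more than once.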
