The Consumer will always be in possession of the access token/secret. Regardless of how they're negotiated, they can still choose to manage them in an insecure fashion.
The Consumer responsibility and the need for SP/user trust doesn't go away with a solution to this problem.

Darren

On Sat, May 9, 2009 at 12:15 AM, Manish Pandit <[email protected]> wrote:
>
> On May 8, 9:10 pm, Darren Bounds <[email protected]> wrote:
>> I think I was a little unclear in my statement regarding the Consumers'
>> duties. Allow me to rephrase:
>>
>> As a consumer you need to do one of two things:
>>
>> 1) Mixed Binding - Ensure the user who initiated the dance is the one
>> who completed it and then associate the access token/secret with that
>> user.
>> 2) Late Binding - Only rely on the identity of the user who completed
>> the dance and associate the access token/secret with that user.
>>
>> What you've described is 'Early Binding' and generally a bad idea for
>> the very reason called out.
>>
>> Darren
>
> Thanks, Darren. I am a provider, so I'd have to "trust" the consumer
> to do the right thing in this case..I cannot think of anything else
> either :(
>
> -cheers,
> Manish

--
darren bounds
[email protected]
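
Added illustration, not part of the original thread: a minimal consumer-side sketch of the early, mixed and late binding policies named above, showing which local user ends up owning the access token when one user starts the dance and a different user completes it. The class, method names, user names and token values are all hypothetical and constructed for this example.

```python
from dataclasses import dataclass, field

class BindingError(Exception):
    """The user on the callback is not the user who started the dance."""

@dataclass
class Consumer:
    policy: str                                  # "early", "mixed" or "late"
    pending: dict = field(default_factory=dict)  # request token -> initiating user
    tokens: dict = field(default_factory=dict)   # local user -> (access token, secret)

    def start_dance(self, session_user, request_token):
        # Record who asked for this request token before redirecting to the SP.
        self.pending[request_token] = session_user

    def finish_dance(self, session_user, request_token, access_token, secret):
        # session_user is whoever is authenticated on the callback request.
        # pop() makes each request token usable for one callback only.
        initiator = self.pending.pop(request_token, None)
        if self.policy == "early":
            owner = initiator          # ignores who actually came back
        elif self.policy == "mixed":
            if initiator is None or initiator != session_user:
                raise BindingError("callback user is not the initiating user")
            owner = session_user
        elif self.policy == "late":
            owner = session_user       # only the completing user counts
        else:
            raise ValueError(f"unknown policy: {self.policy}")
        if owner is None:
            raise BindingError("no local user to bind the token to")
        self.tokens[owner] = (access_token, secret)
        return owner

def run_scenario(policy):
    """Constructed case: 'alice' starts the dance, 'bob' completes it.
    The access token therefore represents bob's approval at the SP."""
    consumer = Consumer(policy)
    consumer.start_dance("alice", "rt-123")
    try:
        return consumer.finish_dance("bob", "rt-123", "at-bob", "secret-bob")
    except BindingError:
        return "rejected"

if __name__ == "__main__":
    for policy in ("early", "mixed", "late"):
        print(policy, "->", run_scenario(policy))
```

With early binding the token bob approved is stored under alice's account; mixed binding rejects the callback and late binding stores it under bob.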
