In section 6 of the OAuth spec (either 1.0 or 1.0a versions -- they're the same here), I see the following:
Request Token: Used by the Consumer to ask the User to authorize access to the Protected Resources. The User-authorized Request Token is exchanged for an Access Token, MUST only be used once, and MUST NOT be used for any other purpose. It is RECOMMENDED that Request Tokens have a limited lifetime.

I'm wondering what this "MUST only be used once" is intended to limit. Is it sufficiently compliant to say that the SP will only ever give out the Access Token for a given request token once? Or does it mean that a desktop consumer app cannot keep polling the server with its request token until it finally gets an access token when the user finishes authorizing the request token?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
