Richard,

> This authentication has to happen during the delegation dance to make
> sure that it's the real Consumer who gets the access token, and for
> every access request to make sure that the real Consumer can't hand
> off the access token to other consumers.

Is there really a requirement to make sure a Consumer can't hand off the access 
token?

Of course, neither the Service nor the User can prevent the Consumer handing 
off the access token and Consumer credentials to another party.


I am particularly interested as I believe request signing would be 
significantly improved if it only used the access token (and not the Consumer 
credentials). The Consumer is implied as they were authenticated when the 
access token was issued.


James Manger
[email protected]
Identity and security team — Chief Technology Office — Telstra

