Authorization may depend on the user, as well as the consumer. For example, suppose the service provider has data for each user, and each user may access his own data but not other users' data. So, a consumer acting on behalf of User X may access the data for X but not Y; a consumer acting on behalf of user Y may access the data for Y but not X. The service provider knows a request comes from X or Y because the consumer sends the corresponding access token, either a token associated with user X or a token associated with user Y.
On Nov 2, 6:31 am, Melvin Carvalho <[email protected]> wrote: > I guess my question is: if the Service Provider already knows the > Consumer is authorized to access a resource, why does it also need an > Access Token? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
