hi nicholas, as far as i am aware:

>>What happens if I have a request_token that has already been authorized but not the access_token ?

an authorised request token must be swapped for an access_token to finalise the oauth negotiation. the authorised request token should be deleted/invalidated in the exchange process so that it can never be used twice.

>>Should the consumer redirect to the authorization url and return without any user interaction to the callback with a verifier?

it is recommended that a request token should have a very short timeout for security purposes, so the whole process should start again.

>> Should I store permanently the access_token data and base everything on expiration ?

you can either persist the access_token permanently or set a timeout period for it. i personally like the idea of long timeout periods, which bridge the gap between the problems of it being a pain for the user to keep reauthenticating and having permanent authentication without occasional user authorisation.

>> What if it's a desktop app without a callback url ?

i'm not entirely sure about this one although the spec says that if you don't have a callback url it should be: "set to "oob" (case sensitive), to indicate an out-of-band configuration."

>>Should I store permanently the access_token data and base everything on expiration ?

how do you mean base 'everything' on expiration? as mentioned the access token can be permanent or have a timeout period set.

hope the above is of some help!

best,

rob ganly

On Sat, Jan 23, 2010 at 2:38 AM, Nicholas Wieland <[email protected]> wrote:

> I hope someone can clarify something inside OAuth that is not entirely
> clear (for me).
> What happens if I have a request_token that has already been authorized but
> not the access_token ? Should the consumer redirect to the authorization url
> and return without any user interaction to the callback with a verifier ?
> What if it's a desktop app without a callback url ? Should I store
> permanently the access_token data and base everything on expiration ?
>
> ngw
>
> --
> You received this message because you are subscribed to the Google Groups
> "OAuth" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected] <oauth%[email protected]>.
> For more options, visit this group at
> http://groups.google.com/group/oauth?hl=en.
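
The token handling discussed in this thread, as an added example that is not part of the original messages and not any provider's own code: a provider-side store where an authorized request token is exchanged exactly once, request tokens expire quickly, and access tokens are either permanent or given a long timeout. The class and method names are hypothetical and both TTL values are assumptions.

```python
import secrets
import time

REQUEST_TOKEN_TTL = 600            # assumption: 10 minutes
ACCESS_TOKEN_TTL = 90 * 24 * 3600  # assumption: 90 days; None = permanent

class TokenError(Exception):
    pass

class TokenStore:
    # Hypothetical in-memory stand-in for a provider's token tables.
    def __init__(self, clock=time.time):
        self.clock = clock
        self.request_tokens = {}  # token -> {"expires", "verifier"}
        self.access_tokens = {}   # token -> expiry timestamp, or None

    def issue_request_token(self):
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {
            "expires": self.clock() + REQUEST_TOKEN_TTL, "verifier": None}
        return token

    def authorize(self, token):
        # The user approved access: attach a verifier to the request token.
        entry = self.request_tokens.get(token)
        if entry is None or entry["expires"] < self.clock():
            self.request_tokens.pop(token, None)
            raise TokenError("request token unknown or expired")
        entry["verifier"] = secrets.token_urlsafe(8)
        return entry["verifier"]

    def exchange(self, token, verifier):
        # pop() deletes the request token before any check runs, so neither
        # a replay nor a failed attempt can present it a second time.
        entry = self.request_tokens.pop(token, None)
        if entry is None:
            raise TokenError("request token unknown or already used")
        if entry["expires"] < self.clock():
            raise TokenError("request token expired; restart the flow")
        if entry["verifier"] is None or not secrets.compare_digest(
                entry["verifier"], verifier):
            raise TokenError("request token not authorized")
        access = secrets.token_urlsafe(32)
        ttl = ACCESS_TOKEN_TTL
        self.access_tokens[access] = None if ttl is None else self.clock() + ttl
        return access

    def access_token_valid(self, access):
        expires = self.access_tokens.get(access, 0)
        return expires is None or expires > self.clock()
```

Passing a fake `clock` callable lets the expiry paths be exercised without waiting for real time to pass.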
