I've been reading the OAuth 1.0a spec, specifically the example walk-through provided starting at http://oauth.net/core/1.0a/#rfc.section.A.1

I don't quite understand why so many secret tokens are exchanged during the "conversation" in an HMAC-SHA1 signed situation. Specifically:

1) The consumer already has their public/secret token, which, in theory, should be sufficient for signing *any* request made against the provider.

2) In Appendix A.2 the consumer asks for a request token. The provider responds with an oauth_token and an oauth_token_secret.

3) The oauth_token_secret provided in A.2 is then used in the query string when the consumer asks for the access token (A.4). What is the purpose of the oauth_token_secret here?

4) The access-token request returns a response body that contains another oauth_token and oauth_token_secret. This 3rd secret token is then used in combination with the pre-existing secret consumer token to access a resource.

Why do 3 secret tokens need to participate in this conversation? Why is the secret token for the consumer not enough? What is that 2nd secret token used for (the one provided as a response when asking for the original request token), and why is the 3rd combined with the consumer's secret to sign resource requests (instead of just the consumer secret)?

regards,
Matt
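The signing mechanics the question refers to, as an added worked example (this is not part of Matt's message and not code from the spec). It implements the HMAC-SHA1 signature base string and signing key from OAuth Core 1.0a sections 9.1 and 9.2 and runs the three signed calls of Appendix A, so you can see which secret is in the HMAC key at each leg. The consumer and token credentials are the spec's Appendix A example values; the oauth_callback and oauth_verifier strings are constructed placeholders, and the TOKEN_SECRETS / CONSUMER_SECRETS dicts stand in for the provider's credential store.

```python
"""OAuth 1.0a HMAC-SHA1 signing (OAuth Core 1.0a, sections 9.1-9.2), consumer and provider side.
The HMAC key is always pct(consumer_secret) + "&" + pct(token_secret), with token_secret
empty for the request-token call. Example credentials are the spec's Appendix A values."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit, urlunsplit

CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"   # Appendix A.1
REQUEST_TOKEN, REQUEST_TOKEN_SECRET = "hh5s93j4hdidpola", "hdhd0244k9j7ao03"  # A.2 response
ACCESS_TOKEN, ACCESS_TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"    # A.4 response


def pct(value):
    """Section 5.1 percent-encoding: only A-Z a-z 0-9 - . _ ~ are left unencoded."""
    return quote(str(value), safe="-._~")


def normalize_url(url):
    """Section 9.1.2: lowercase scheme and host, drop default ports, query and fragment."""
    p = urlsplit(url)
    scheme, netloc = p.scheme.lower(), p.netloc.lower()
    if (scheme, netloc.rsplit(":", 1)[-1]) in (("http", "80"), ("https", "443")):
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit((scheme, netloc, p.path, "", ""))


def signature_base_string(method, url, params):
    """Section 9.1.3: METHOD & pct(url) & pct(sorted k=v pairs); oauth_signature itself is excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])


def signing_key(consumer_secret, token_secret=""):
    """Section 9.2: both secrets, percent-encoded, joined by '&'. Before a token exists the right half is empty."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """Base64 HMAC-SHA1 of the base string under the combined key (section 9.2.1)."""
    base = signature_base_string(method, url, params).encode()
    key = signing_key(consumer_secret, token_secret).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Consumer side: add the oauth_* protocol parameters and attach oauth_signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    signed = {**params, **oauth}
    signed["oauth_signature"] = hmac_sha1(method, url, signed, consumer_secret, token_secret)
    return signed


# Provider side stand-in for its credential store (assumption: a real provider keeps these in a DB).
CONSUMER_SECRETS = {CONSUMER_KEY: CONSUMER_SECRET}
TOKEN_SECRETS = {REQUEST_TOKEN: REQUEST_TOKEN_SECRET, ACCESS_TOKEN: ACCESS_TOKEN_SECRET}


def verify_request(method, url, params):
    """Provider side: the presented oauth_token selects which token secret goes into the key,
    so a valid signature proves possession of that token's secret as well as the consumer secret."""
    consumer_secret = CONSUMER_SECRETS.get(params.get("oauth_consumer_key"))
    token = params.get("oauth_token", "")
    if consumer_secret is None or (token and token not in TOKEN_SECRETS):
        return False
    expected = hmac_sha1(method, url, params, consumer_secret, TOKEN_SECRETS.get(token, ""))
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def three_legged_walkthrough():
    """The three signed calls of Appendix A as (method, url, signed_params); note the key used for each."""
    # A.2 request token: no token yet, key is "consumer_secret&".  (callback value is constructed)
    leg1 = sign_request("POST", "https://photos.example.net/request_token",
                        {"oauth_callback": "http://printer.example.com/request_token_ready"},
                        CONSUMER_KEY, CONSUMER_SECRET)
    # A.4 access token: key is "consumer_secret&request_token_secret".  (verifier value is constructed)
    leg2 = sign_request("POST", "https://photos.example.net/access_token",
                        {"oauth_verifier": "hfdp7dh39dks9884"},
                        CONSUMER_KEY, CONSUMER_SECRET, REQUEST_TOKEN, REQUEST_TOKEN_SECRET)
    # A.5 resource: key is "consumer_secret&access_token_secret".
    leg3 = sign_request("GET", "http://photos.example.net/photos",
                        {"file": "vacation.jpg", "size": "original"},
                        CONSUMER_KEY, CONSUMER_SECRET, ACCESS_TOKEN, ACCESS_TOKEN_SECRET)
    return [("POST", "https://photos.example.net/request_token", leg1),
            ("POST", "https://photos.example.net/access_token", leg2),
            ("GET", "http://photos.example.net/photos", leg3)]


def consumer_secret_alone_is_accepted():
    """Sign the A.5 resource call presenting the access token but keying the HMAC with the
    consumer secret only (empty token secret). Returns whether the provider accepts it."""
    url = "http://photos.example.net/photos"
    req = sign_request("GET", url, {"file": "vacation.jpg"}, CONSUMER_KEY, CONSUMER_SECRET, ACCESS_TOKEN, "")
    return verify_request("GET", url, req)
```

Running `three_legged_walkthrough()` and feeding each leg to `verify_request` shows all three verify, while `consumer_secret_alone_is_accepted()` returns False: a signature over the resource request that omits the access token secret does not verify, which is what ties the request to the token rather than only to the consumer. With the Appendix A.5 nonce `kllo9940pd9333jh` and timestamp `1191242096`, `hmac_sha1` reproduces the spec's published value `tR3+Ty81lMeYAr/Fid0kMTYa/WM=`.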
