In theory, a service provider could handle a change of consumer credentials, and continue to accept access tokens that it issued to that consumer previously. But that seems dangerous. If the consumer credentials were revealed to an attacker, it seems likely that access tokens and secrets were also revealed.
I assume we're talking about http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html or something similar.

On Jan 30, 3:32 pm, John Joseph Bachir <[email protected]> wrote:
> Second, here is what 2-legged OAuth is missing from "the spirit of OAuth": In
> three-legged OAuth, the user can revoke the third-party's access to their
> resources at any time, if they stop trusting the third-party. In two-legged
> OAuth, if the service fears that their credentials have been compromised,
> they can change them, but -- if I'm not mistaken -- this results in all of
> the user tokens being invalidated as well, even though the compromised
> service creds wouldn't necessarily have resulted in access to the user creds
> or resources. In other words: users revoking their OAuth keys for a service
> does not have annoying side-effects, but a service changing its credentials
> DOES.
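The two rotation policies discussed in this thread, as an added example that is not part of the original posts or of any OAuth library: a toy service-provider token store in which each consumer has a stable identity separate from its current key/secret pair, and each access token records the credential "generation" it was issued under. Rotating the consumer credentials either bumps the minimum accepted generation (the safe default the reply argues for: every token issued under the old credentials is invalidated) or leaves it alone (the "in theory" policy: old tokens survive, but they are only usable by a client that also holds the new consumer secret, because OAuth 1.0 HMAC-SHA1 signs with `consumer_secret&token_secret`). The class and function names, the constructed signature base string, and the `demo` harness are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Consumer:
    consumer_id: str            # stable identity, independent of the credential pair
    key: str                    # current oauth_consumer_key
    secret: str                 # current consumer secret (half of the HMAC signing key)
    generation: int = 1         # bumped on every credential rotation
    min_token_generation: int = 1  # tokens issued under older generations are rejected


@dataclass
class AccessToken:
    token: str
    token_secret: str
    consumer_id: str
    issued_generation: int


class Provider:
    """Hypothetical service-provider side of a 2-legged/3-legged OAuth 1.0 token store."""

    def __init__(self):
        self.consumers = {}   # consumer_id -> Consumer
        self.by_key = {}      # current consumer key -> consumer_id
        self.tokens = {}      # token string -> AccessToken

    def register_consumer(self, consumer_id):
        c = Consumer(consumer_id, key=secrets.token_hex(8), secret=secrets.token_hex(16))
        self.consumers[consumer_id] = c
        self.by_key[c.key] = consumer_id
        return c

    def issue_access_token(self, consumer_id):
        c = self.consumers[consumer_id]
        t = AccessToken(secrets.token_hex(8), secrets.token_hex(16), consumer_id, c.generation)
        self.tokens[t.token] = t
        return t

    def rotate_consumer_credentials(self, consumer_id, revoke_existing_tokens=True):
        """Replace the consumer key/secret. With revoke_existing_tokens=True (the safe
        default), every token issued before the rotation stops validating."""
        c = self.consumers[consumer_id]
        del self.by_key[c.key]                      # the old key is no longer recognised
        c.key, c.secret = secrets.token_hex(8), secrets.token_hex(16)
        c.generation += 1
        self.by_key[c.key] = consumer_id
        if revoke_existing_tokens:
            c.min_token_generation = c.generation
        return c

    @staticmethod
    def sign(consumer_secret, token_secret, base_string):
        # OAuth 1.0 HMAC-SHA1 key construction: consumer_secret "&" token_secret
        key = f"{consumer_secret}&{token_secret}".encode()
        return hmac.new(key, base_string.encode(), hashlib.sha1).hexdigest()

    def validate(self, consumer_key, token, base_string, signature):
        consumer_id = self.by_key.get(consumer_key)
        if consumer_id is None:
            return False                            # stale or unknown consumer key
        c = self.consumers[consumer_id]
        t = self.tokens.get(token)
        if t is None or t.consumer_id != consumer_id:
            return False                            # token not issued to this consumer
        if t.issued_generation < c.min_token_generation:
            return False                            # issued under rotated-away credentials
        expected = self.sign(c.secret, t.token_secret, base_string)
        return hmac.compare_digest(expected, signature)


def demo(revoke_existing_tokens):
    """Returns (old-creds request ok, new-creds + old token ok, post-rotation token ok)."""
    p = Provider()
    c = p.register_consumer("acme-app")
    old_key, old_secret = c.key, c.secret
    t_old = p.issue_access_token("acme-app")
    # Constructed stand-in for a signature base string; a real one follows the spec's rules.
    base = "GET&https%3A%2F%2Fapi.example%2Fme&oauth_nonce%3Dabc"
    p.rotate_consumer_credentials("acme-app", revoke_existing_tokens)
    # 1) a request signed with the pre-rotation consumer secret (whoever holds it)
    r1 = p.validate(old_key, t_old.token, base, p.sign(old_secret, t_old.token_secret, base))
    # 2) the legitimate consumer reusing its old token with the new credentials
    r2 = p.validate(c.key, t_old.token, base, p.sign(c.secret, t_old.token_secret, base))
    # 3) a token issued after the rotation
    t_new = p.issue_access_token("acme-app")
    r3 = p.validate(c.key, t_new.token, base, p.sign(c.secret, t_new.token_secret, base))
    return r1, r2, r3


if __name__ == "__main__":
    print("revoke on rotation:", demo(True))    # (False, False, True)
    print("keep tokens:       ", demo(False))   # (False, True, True)
```

With `revoke_existing_tokens=True` the rotation has exactly the side effect the quoted post complains about: every user token issued to that consumer must be re-obtained. With `False`, the old tokens keep working for a client that has the new secret, while requests signed with the old secret fail in both cases because the old key is no longer mapped to the consumer.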
