On Mon, May 10, 2010 at 5:31 PM, Manger, James H <[email protected]> wrote:
> Yaron,
>
>> I don’t understand the scenario that requires this feature. When does
>> someone ask for a token without knowing where it is going?
>
> Example:
>
> A client app gets a token to make an API call to a protected resource that
> returns an Atom feed.
>
> The feed contains lots of entries, with links to photos, style sheets, and
> scripts.
>
> The client app gets the photos.
>
> Should it send the token when getting the photos?

I would say definitely not. If the client gets back a 403 with discovery info that points to the same authz server and approved scopes, only then could the client re-try with a token. Would that work?

Marius
