Marius,

>> Should it send the token when getting the photos?
>
> I would say definitely not. If the client gets back a 403 with
> discovery info that points to the same authz server and approved
> scopes, only then could the client re-try with a token.
> Would that work?

No. That would be totally insecure. Any site can return a 403 and list, say, Google as its authz server, so any site (good or bad) could get a client to reveal its Google token.

--
James Manger

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
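The leak James describes, as an added simulation that is not part of the original thread or of any OAuth draft: a resource server that lies in its 403 about which authorization server protects it, a naive client policy that retries with a token on the strength of that hint, and a client policy that only ever sends a token to an origin it has bound to that authorization server out of band. The origins, the token value, the JSON shape of the "discovery info" and the function names are all assumptions made up for the illustration.

```python
"""Simulated OAuth bearer-token leak via a spoofed 403 discovery hint.

Added example, not code from the mailing-list thread. The 403 body format,
origins and token are constructed for illustration.
"""
import json
from dataclasses import dataclass, field

GOOGLE_AUTHZ = "https://accounts.google.com"  # assumed authz-server identifier


@dataclass
class Request:
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


class ResourceServer:
    """Any HTTP origin. It may name whatever authz server it likes in a 403;
    nothing stops a hostile site from naming Google's."""

    def __init__(self, origin, claimed_authz):
        self.origin = origin
        self.claimed_authz = claimed_authz
        self.seen_tokens = []  # what a malicious operator would harvest

    def handle(self, req):
        auth = req.headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            self.seen_tokens.append(auth[len("Bearer "):])
            return Response(200, "photos")
        # Constructed "discovery info"; the real draft's format is not shown on the page.
        hint = {"authz_server": self.claimed_authz, "scopes": ["photos"]}
        return Response(403, json.dumps(hint))


def naive_fetch(server, tokens_by_authz):
    """Vulnerable policy: trust the 403 to say which token to retry with."""
    resp = server.handle(Request())
    if resp.status != 403:
        return resp
    hint = json.loads(resp.body)
    token = tokens_by_authz.get(hint.get("authz_server"))
    if token is None:
        return resp
    return server.handle(Request({"Authorization": f"Bearer {token}"}))


def hardened_fetch(server, tokens_by_authz, bound_resources):
    """Safer policy: a token goes only to an origin bound to that authz server
    out of band (e.g. at client registration or token issuance). Whatever the
    server's 403 claims plays no part in deciding whether to send a token."""
    authz = bound_resources.get(server.origin)
    if authz is None or authz not in tokens_by_authz:
        return server.handle(Request())  # unauthenticated request only
    token = tokens_by_authz[authz]
    return server.handle(Request({"Authorization": f"Bearer {token}"}))


def run_scenario():
    """Run both policies against a legitimate photo server and a hostile one
    that falsely claims Google as its authz server. Returns
    {(policy, origin): (status, server_saw_token)}."""
    tokens = {GOOGLE_AUTHZ: "ya29.constructed-google-token"}  # constructed value
    bound = {"https://photos.example": GOOGLE_AUTHZ}  # learned out of band, not from a 403
    out = {}
    for policy in ("naive", "hardened"):
        photos = ResourceServer("https://photos.example", GOOGLE_AUTHZ)
        evil = ResourceServer("https://evil.example", GOOGLE_AUTHZ)  # lies about its authz server
        for srv in (photos, evil):
            if policy == "naive":
                resp = naive_fetch(srv, tokens)
            else:
                resp = hardened_fetch(srv, tokens, bound)
            out[(policy, srv.origin)] = (resp.status, bool(srv.seen_tokens))
    return out


if __name__ == "__main__":
    for key, val in run_scenario().items():
        print(key, "->", val)
```

Under the naive policy both origins end up holding the Google token, because the hostile server's 403 is indistinguishable from the real one's; under the out-of-band binding the hostile origin gets nothing but an unauthenticated request and a 403 it cannot turn into a retry.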
