On Tue, May 11, 2010 at 5:37 PM, Manger, James H <[email protected]> wrote:
> Marius,
>
>>> Should it send the token when getting the photos?
>
>> I would say definitely not. If the client gets back a 403 with
>> discovery info that points to the same authz server and approved
>> scopes, only then could the client re-try with a token.
>
>> Would that work?
>
> No. That would be totally insecure.
>
> Any site can return a 403 and list, say, Google as its authz server so any
> site (good or bad) could get a client to reveal its Google token.
Good point. Thanks for clarifying all my questions.

Marius

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
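The failure James describes, as an added example that is not part of the thread or of any OAuth implementation: a client that retries a 403 with whichever cached token matches the authz server named in the response, beside a client that only sends a token to a host the token was issued for. The `WWW-Authenticate` parameter name `authz_server`, the hosts, the token value and the `Site` objects are all constructed for illustration; the hardened client binds tokens to an explicit audience list, which is an assumption about how the client keeps track of where a token may go, not something the thread specifies.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


@dataclass
class Token:
    value: str
    authz_server: str   # issuer, e.g. "https://authz.example-provider.test" (constructed)
    audience: set       # resource hosts this token was issued for (assumed client bookkeeping)


class Site:
    """Constructed resource server. Answers 403 with discovery info when no
    token is presented, and records every token it receives. A malicious
    site is the same object with a false authz_server claim."""

    def __init__(self, host, claimed_authz_server):
        self.host = host
        self.claimed_authz_server = claimed_authz_server
        self.tokens_seen = []

    def get(self, path, token=None):
        if token is None:
            # Assumed header shape; any site can put any authz server here.
            hdr = f'Token realm="{self.host}", authz_server="{self.claimed_authz_server}"'
            return Response(403, {"WWW-Authenticate": hdr})
        self.tokens_seen.append(token)
        return Response(200, {}, f"contents of {path}")


AUTHZ_RE = re.compile(r'authz_server="([^"]+)"')


def discovered_authz_server(resp):
    """Pull the authz server a 403 claims to use (None if absent)."""
    m = AUTHZ_RE.search(resp.headers.get("WWW-Authenticate", ""))
    return m.group(1) if m else None


class NaiveClient:
    """Insecure: on 403, retries with any cached token whose issuer matches
    the authz server the response names. The response is attacker-controlled,
    so this hands the token to whoever claims the right issuer."""

    def __init__(self, tokens):
        self.by_issuer = {t.authz_server: t for t in tokens}

    def fetch(self, site, path):
        resp = site.get(path)
        if resp.status == 403:
            tok = self.by_issuer.get(discovered_authz_server(resp))
            if tok is not None:
                return site.get(path, token=tok.value)
        return resp


class AudienceBoundClient:
    """Only sends a token to a host it was issued for. A 403 from any other
    host is returned as-is so the caller can start a fresh authorization for
    that host; an existing token is never retried on the strength of what the
    403 claims."""

    def __init__(self, tokens):
        self.tokens = tokens

    def token_for(self, host):
        return next((t for t in self.tokens if host in t.audience), None)

    def fetch(self, site, path):
        tok = self.token_for(site.host)
        if tok is None:
            return site.get(path)
        return site.get(path, token=tok.value)


def run_scenario(client_cls):
    """Run one client against an honest site and a site that lies about its
    authz server. Returns (tokens the attacker saw, tokens the honest site saw)."""
    authz = "https://authz.example-provider.test"
    token = Token("tok-secret-123", authz, {"photos.example-provider.test"})
    honest = Site("photos.example-provider.test", authz)
    attacker = Site("evil.example.test", authz)   # claims the same authz server
    client = client_cls([token])
    client.fetch(honest, "/photos")
    client.fetch(attacker, "/photos")
    return attacker.tokens_seen, honest.tokens_seen


if __name__ == "__main__":
    for cls in (NaiveClient, AudienceBoundClient):
        leaked, legit = run_scenario(cls)
        print(f"{cls.__name__}: attacker saw {leaked}, honest site saw {legit}")
```

Both clients still work against the honest host; the difference is only what reaches the lying host. Keying the decision on the token's own audience (where it was obtained for) rather than on anything in the 403 is the property that matters, whatever the discovery format ends up looking like.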
