Service Providers that allow the anonymous consumer key don't really have
a way to identify the application to the user, other than the domain of the
callback url. Unfortunately, due to open redirectors and other web
vulnerabilities, a malious website could hide their true identity behind a
Thanks for both answers!
Vinod: Can using certificates be replaced by SSL connection (isn't
OAuth WRAP about it?) or is it something different?
I would like to use this 'anonymous-consumer' approach in distributed
application so any of these app instances can use others services
without