On 4/16/09 2:33 PM, Matt Sanford wrote:
> The initial token required is a RequestToken rather than an
> AccessToken. Making the request for the RequestToken requires you know
> the consumer key/secret and (a) lets us know what application this is
> for (callback_url alone would not) and (b) prevents the token-shooting
> method you described.

I just tried out the oauth/authenticate - I supplied a RequestToken and
it redirected back to my callback URL with an AccessToken ... but,
what's the token secret for this AccessToken? I only know the secret
for the RequestToken I sent it ... Is the token secret the same for the
AccessToken I get back?

I'm going to assume so, although the OAuth spec. suggests that when
obtaining an AccessToken, both the oauth_token and oauth_token_secret
are returned, and I imagine it's desirable to have a different secret
for this different token, although obviously there's nothing that
prohibits reusing the same secret.
--
Dossy Shiobara | [email protected] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)
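
Added example, not part of the original message: a Python sketch of how an OAuth 1.0 client can treat the AccessToken response discussed above, reading oauth_token_secret from the response instead of assuming the RequestToken secret carries over, and showing that the HMAC-SHA1 signing key depends on which secret is used. All keys, tokens, secrets and the URL are constructed values; nothing here assumes how any particular provider behaves.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote

def enc(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 signature; the key is consumer secret '&' token secret."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def parse_token_response(body):
    """Parse a form-encoded token response; insist on token AND secret."""
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    missing = {"oauth_token", "oauth_token_secret"} - fields.keys()
    if missing:
        # Fail closed rather than silently reusing the request-token secret
        raise ValueError(f"token response missing {sorted(missing)}")
    return fields["oauth_token"], fields["oauth_token_secret"]

# Constructed sample values (assumptions for illustration only)
CONSUMER_KEY, CONSUMER_SECRET = "constructed-consumer-key", "constructed-consumer-secret"
REQUEST_SECRET = "constructed-request-secret"
ACCESS_RESPONSE = ("oauth_token=constructed-access-token"
                   "&oauth_token_secret=constructed-access-secret")
URL = "https://api.example.com/resource"

def demo():
    access_token, access_secret = parse_token_response(ACCESS_RESPONSE)
    params = {
        "oauth_consumer_key": CONSUMER_KEY, "oauth_token": access_token,
        "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1239906780",
        "oauth_nonce": "constructed-nonce", "oauth_version": "1.0",
    }
    # Signed with the secret issued alongside the AccessToken
    fresh = sign("GET", URL, params, CONSUMER_SECRET, access_secret)
    # Signed with the old RequestToken secret: a different key, so a different signature
    stale = sign("GET", URL, params, CONSUMER_SECRET, REQUEST_SECRET)
    return access_token, access_secret, fresh, stale

if __name__ == "__main__":
    print(demo())
```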