Ok got it.  This explains more.  So when I call authenticate (rather
than authorize) I get back the original oauth_token I was given in
authorize.  The thing I'm not getting is how is this authenticated?
Anybody could find this token somewhere and then just become the user
in question right?

On Apr 16, 5:32 pm, Matt Sanford <[email protected]> wrote:
> Hi there,
>
>      I recommend calling verify_credentials with your new token to  
> verify the user in question. The screen_name was added as a  
> convenience method because there were a great many complaints about  
> having to do yet another round trip for the screen_name.
>
> Thanks;
>    — Matt Sanford
>
> On Apr 16, 2009, at 02:11 PM, djMax wrote:
>
> > Sorry if this is a noob question, but how can we verify the
> > screen_name of an OAuth token?  It would seem that having it only out
> > of band as a query arg means it's subject to spoofing right?  Not sure
> > how I build secure site login when the core identifier may not match
> > the token I'm given.
