There is really no need to tell the user you are storing them because it contains no information about them. The OAuth also tells the user what privileges they are authorizing your app to have.
And normally, users don't care what happens behind the scenes as long as it works.

Sent from my DROID

On Jan 4, 2010 1:55 AM, "M. Edward (Ed) Borasky" <zzn...@gmail.com> wrote:

> On Jan 3, 7:39 am, ryan alford <ryanalford...@gmail.com> wrote:
> > In the Desktop workflow, you don't have to enter the PIN every time. The
> > user is NOT required t...
>
> Yes ... but you should inform the user that you are storing these tokens on their behalf, and you should inform the user what privileges they have granted your application. In my case, it's not a big inconvenience for the user to go through the oAuth process every time the app runs, so I don't do it. And I think there are some things that aren't obvious about security and privacy when you just point your browser to the "allow/deny" decision page.
>
> My users tend not to believe in "magic" and tend to want to know what can possibly go wrong. ;-) I'm in the process of writing my own wrapper text for the oAuth process. Once that's done, I'll add the code to save the tokens.