In the example, would the user have to grant TwitPic access to his account?
I would like to be able to assure TwitPic about the user's identity without
the user having to grant TwitPic any read or read/write access to his
Why does the delegator need to send the service provider x_request_method,
x_request_url, x_request_parameters, and x_request_authorization? For
example, why does Twitter need to know what the user is doing with TwitPic?
It seems like an unnecessary disclosure of information that should stay
between the consumer and the delegator. The end-user might want to
authenticate using his Twitter credentials without telling Twitter what he's
Instead, the consumer should just sign <some
constant>||timestamp||nonce||expiration_date with their Twitter access
token/secret, since that's all Twitter needs to verify the end-user's
possession of the Twitter access token. The delegator should be responsible
for securing its own service (e.g. against replay).
In particular, the delegator should be able to use this service, even if the
delegator doesn't otherwise use OAuth for protecting its own resources, and
even if the consumer isn't communicating with the delegator over HTTP (think
WebSockets, SPDY, etc.).
Raffi Krikorian wrote: