I'm not sure I completely understand, but what resources (and how many) you can access with an authorized token are outside the spec.
OAuth is a generic method for protecting resources; it's up to you to determine what, and for how long, you make those resources available.

Chris

On 1/30/09, Jorgito <jorge.fontenla.gonza...@gmail.com> wrote:
>
> Thank you both for your fast replies.
>
> Indeed, I was wrong when I said that the distinction between both
> tokens would dramatically increase the response time. I misunderstood
> the spec, as I thought that one pair Request Token -- Access Token
> only granted access to one protected resource (namely, one URL). I see
> that there are no limitations in that aspect, and a single pair of
> tokens grants access to multiple protected resources.
>
> I'm not sure whether this is good or not. Maybe in some Web
> applications a "finer grained" protocol that can grant access to
> some specific (and no more) resources would be desirable. For example,
> instead of the canonical example of a photo hosting service I can
> think about a site hosting medical records - extremely confidential
> information. I mean, there is a BIG difference between allowing an
> application acting as Consumer to know if I've had a flu recently, and
> giving it free access to all the information concerning my health.
> This "all or nothing" approach taken in OAuth may not fulfill the
> requirements of some Web applications.
>
> And on the other hand, the problem of temporal states between tokens
> still remains. I don't know how this issue would affect the performance
> of large-scale Web applications. In other words, does OAuth scale
> well?
>
> Thanks a lot for your help, I really appreciate it (receiving a PhD is
> easier with the help of a community ;-) ).
>
> Greetings,
>
> Jorgito
>

--
Chris Messina
Citizen-Participant & Open Web Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private
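
Added example, not part of the thread or of any OAuth library: one way a Service Provider could make the choice described above, binding each Access Token to the specific resources and lifetime the user approved, using the medical-records case from the quoted message. The class name, paths and user name are hypothetical, and the OAuth spec defines none of this.

```python
import posixpath
import secrets
import time

class ScopedTokenStore:
    """Hypothetical provider-side store: Access Token -> (user, scope, expiry)."""

    def __init__(self, clock=time.time):
        self._grants = {}
        self._clock = clock  # injectable so expiry can be tested

    def issue(self, user, allowed, ttl_seconds):
        # allowed: set of (HTTP method, path prefix) pairs the user approved
        token = secrets.token_urlsafe(32)
        self._grants[token] = (user, frozenset(allowed), self._clock() + ttl_seconds)
        return token

    def authorize(self, token, method, path):
        """Return the owning user if the request is inside the grant, else None.
        Assumes the OAuth signature on the request was already verified."""
        grant = self._grants.get(token)
        if grant is None:
            return None
        user, allowed, expires_at = grant
        if self._clock() >= expires_at:
            del self._grants[token]  # expired grants are dropped
            return None
        path = posixpath.normpath(path)  # collapse "..", so it cannot escape a prefix
        for allowed_method, prefix in allowed:
            # Match whole path segments: /flu must not cover /flu-other
            if method == allowed_method and (path == prefix or path.startswith(prefix + "/")):
                return user
        return None

def demo():
    now = [1000.0]  # constructed clock value
    store = ScopedTokenStore(clock=lambda: now[0])
    token = store.issue("jorgito", {("GET", "/records/jorgito/flu")}, ttl_seconds=600)
    results = [
        store.authorize(token, "GET", "/records/jorgito/flu/2009-01"),  # in scope
        store.authorize(token, "GET", "/records/jorgito/all"),          # other resource
        store.authorize(token, "GET", "/records/jorgito/flu/../all"),   # traversal
        store.authorize(token, "POST", "/records/jorgito/flu"),         # other method
    ]
    now[0] += 601  # grant lifetime has passed
    results.append(store.authorize(token, "GET", "/records/jorgito/flu"))
    return results

if __name__ == "__main__":
    print(demo())
```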