I don't see how OAuth was designed for this.  OAuth assumes that the
consumer can keep a secret.

If the consumer can't keep a secret, then the service provider can't
really authenticate the consumer, and should inform the user of this
fact. The user must decide whether to trust the consumer without help
from the service provider.

Why not just assume that the consumer secret won't be secret?  All
copies of the consumer would use the same consumer key and secret
(baked into the software).  Seems like this would fit better into a
service provider's system for identifying consumers and users.
Security would revolve around the access token and token secret.  Each
user/consumer pair would have its own access token and token secret.
The service provider would enable a user to revoke her access tokens,
e.g. in case they're stolen.

Users sharing a computer complicates things. Can other users of the
computer access my credentials (and abuse them)?  As a rule, I
wouldn't like other users to be able to revoke my access: they might
abuse the privilege.
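
The model proposed in the message above, as an added example that is not part of the original post: a service provider that treats the consumer secret as public, verifies OAuth 1.0 HMAC-SHA1 signatures against a per-user token secret, and lets only the token's owner revoke it. The class, function names and sample values are assumptions made up for illustration, and nonce/timestamp replay checks are left out.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def enc(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 key is "consumer_secret&token_secret"; if the first half is
    # public, the token secret is the only secret left in the key.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

class ServiceProvider:
    def __init__(self, consumers):
        self.consumers = consumers  # consumer_key -> secret baked into the software
        self.tokens = {}            # access_token -> (consumer_key, user, token_secret)

    def issue(self, token, consumer_key, user, token_secret):
        self.tokens[token] = (consumer_key, user, token_secret)

    def revoke(self, requesting_user, token):
        # Only the user who owns the token may revoke it.
        entry = self.tokens.get(token)
        if entry is None or entry[1] != requesting_user:
            return False
        del self.tokens[token]
        return True

    def verify(self, method, url, params, signature):
        entry = self.tokens.get(params.get("oauth_token"))
        if entry is None or entry[0] != params.get("oauth_consumer_key"):
            return None  # unknown, revoked, or issued to another consumer
        consumer_key, user, token_secret = entry
        expected = sign(method, url, params, self.consumers[consumer_key], token_secret)
        return user if hmac.compare_digest(expected, signature) else None

# Constructed sample values.
CONSUMER_KEY, CONSUMER_SECRET = "desktop-app", "not-really-secret"
URL = "https://sp.example/photos"
PARAMS = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": "tok-alice",
          "oauth_signature_method": "HMAC-SHA1", "oauth_nonce": "n1",
          "oauth_timestamp": "1200000000"}
```
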