Great discussion! If I'm correct we'd be OK if, during the authorization step, the SP could get a confirmation that the user who has just authenticated is the same as the one that triggered the 1st step at the Consumer (request token retrieval).
How about something like:

- Since in the standard 3-legged scenario the user logs in before the request for the request token is performed, the Consumer could maintain a mapping between the user's ID and the request token.
- We could then add a "confirmation step" just after the authorization one (before redirecting to the callback URL) where the SP redirects the UA (along with the request token) to the Consumer so that the latter can verify the mapping. If the user has an existing authenticated session (at the Consumer) then this can be transparent. If not, the user authenticates. In both cases the Consumer can then check that the current user corresponds to the one in its mapping table.

I realize it requires an extra step but, lacking identity federation, that's the only thing I can think of...

HTH
Hubert
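The mapping and confirmation step described in the post above, as an added simulation (this is example code written for this page, not code from the thread or from any OAuth library). The OAuth 1.0 terms follow the thread: Consumer, Service Provider (SP), request token, callback. The class names, the `start`/`confirm`/`callback` endpoints, the string return codes and the in-memory session model are assumptions made for illustration only. The two scenarios show why the extra step matters: an attacker who starts the flow in her own Consumer account and lures a victim to the SP authorization page ends up with an access token for the victim's SP account unless the Consumer checks that the browser coming back is the one that started the flow.

```python
"""Added example: Consumer-side request-token-to-user mapping plus the proposed
confirmation step. Names, endpoints and the session model are assumptions."""
import secrets


class ServiceProvider:
    """Minimal SP: issues request tokens and records which SP user authorized each."""

    def __init__(self):
        self.authorized = {}  # request_token -> SP user who clicked "allow"

    def issue_request_token(self):
        return secrets.token_hex(8)

    def authorize(self, sp_user, request_token):
        # Whoever follows the authorize link is the one who authorizes the token;
        # the SP alone cannot tell who originally started the flow at the Consumer.
        self.authorized[request_token] = sp_user

    def exchange_for_access_token(self, request_token):
        sp_user = self.authorized.get(request_token)
        return None if sp_user is None else f"access-token-for-{sp_user}"


class Consumer:
    def __init__(self, sp):
        self.sp = sp
        self.pending = {}       # request_token -> Consumer user who started step 1 (the mapping)
        self.confirmed = set()  # request tokens that passed the confirmation step
        self.linked = {}        # Consumer user -> access token obtained for them

    def start(self, session_user):
        """Step 1: the logged-in Consumer user triggers request-token retrieval."""
        token = self.sp.issue_request_token()
        self.pending[token] = session_user
        return token

    def confirm(self, session_user, request_token):
        """Proposed step: the SP redirects the UA here (with the request token)
        before the callback. session_user is the Consumer session of the
        browser arriving here, or None if it has no Consumer session."""
        if session_user is None:
            return "login-required"   # per the post: the user authenticates first
        owner = self.pending.get(request_token)
        if owner is None or owner != session_user:
            return "rejected"         # browser is not the one that started the flow
        self.confirmed.add(request_token)
        return "ok"

    def callback(self, request_token, require_confirmation=True):
        """Callback URL: exchange the request token for an access token."""
        if require_confirmation and request_token not in self.confirmed:
            return None
        owner = self.pending.pop(request_token, None)
        if owner is None:
            return None
        access = self.sp.exchange_for_access_token(request_token)
        if access is not None:
            self.linked[owner] = access
        return access


def legitimate_flow():
    sp = ServiceProvider()
    c = Consumer(sp)
    t = c.start("alice")            # alice, logged in at the Consumer, starts the flow
    sp.authorize("alice@sp", t)     # alice authorizes the token at the SP
    status = c.confirm("alice", t)  # SP sends alice's UA to the Consumer; same session
    c.callback(t)
    return status, c.linked.get("alice")


def fixation_attempt(with_confirmation):
    sp = ServiceProvider()
    c = Consumer(sp)
    t = c.start("mallory")          # attacker starts the flow in her own Consumer account
    sp.authorize("bob@sp", t)       # victim bob is lured to the SP authorize URL and clicks allow
    if with_confirmation:
        status = c.confirm("bob", t)  # bob's UA arrives with bob's Consumer session
        access = c.callback(t) if status == "ok" else None
    else:
        status = "skipped"
        # Without the step, mallory just visits the callback herself with the
        # token she already knows, and the Consumer links bob's SP account to her.
        access = c.callback(t, require_confirmation=False)
    return status, c.linked.get("mallory")


if __name__ == "__main__":
    print("legitimate:", legitimate_flow())
    print("fixation, no confirmation:", fixation_attempt(False))
    print("fixation, with confirmation:", fixation_attempt(True))
```

The check in `confirm` is the whole point: the request token identifies the flow, the Consumer session identifies the browser, and the mapping ties the two together at step 1 so that a mismatch at the confirmation step is detectable. A browser without a Consumer session gets "login-required" and is sent through the Consumer's normal login first, as the post describes.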