On Sat, Apr 25, 2009 at 1:35 PM, Josh Roesslein <jroessl...@gmail.com> wrote:
> Plus we can require that you only get one try to swap the callback for an
> access token. After that it is invalidated and no longer useful.

You can't actually do that in the flow you proposed. In order to limit the number of attempts you need some way to identify the client making the request, and your flow doesn't provide any way to do that reliably. (IP address is not sufficient, and not viable at all at scale.)