I would like to leverage OAuth without having to hit a database to validate each request. In addition, I would like to avoid using public keys, since the performance is slower and distribution of the public keys can be difficult. These requirements have led me to investigate the OAuth Session Extension. The problem I am facing is that, like many APIs, the implementation appears to be left up to the individuals (perhaps I am just missing something). I have seen forums suggesting that Yahoo has implemented something very similar to what I am looking for, but I have not figured out all the pieces. Specifically, I am looking for information on:
* Why does Yahoo embed the scopes inside the consumer id and not the access token? This would allow scopes to change per request. Are there problems with doing it this way?
* How is the consumer id created (to include scopes)?
* How is the access token formulated to include information on validating the signature?

Thanks in advance,
Rob