On Tue, Nov 3, 2009 at 2:32 AM, John Kristian <jmkrist...@gmail.com> wrote: > > Authorization may depend on the user, as well as the consumer. For > example, suppose the service provider has data for each user, and each > user may access his own data but not other users' data. So, a consumer > acting on behalf of User X may access the data for X but not Y; a > consumer acting on behalf of user Y may access the data for Y but not > X. The service provider knows a request comes from X or Y because the > consumer sends the corresponding access token, either a token > associated with user X or a token associated with user Y.
Thanks for the response. You're right that I did not specify that this was user specific. However, does the same argument not hold? ie the Service Provider knows the User, the Consumer and the Resource. If the consumer is able to identify itself, does this not leave the Access Token unnecessary? > > On Nov 2, 6:31 am, Melvin Carvalho <melvincarva...@gmail.com> wrote: >> I guess my question is: if the Service Provider already knows the >> Consumer is authorized to access a resource, why does it also need an >> Access Token? > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
