I had a question on OAuth version 1.0a that I’m hoping you could help me find an answer to:
It looks to me like the spec has no requirement for some affinity between the Consumer Key/Consumer Secret and the Access Token. So here's the scenario: for some services, a Consumer may choose to store/cache the Access Token for a duration of time which can sometimes be infinite (for instance, if a user gives consent for Service X to access his/her Netflix queue, Service X does not want to keep asking the user to give consent every time, so it will store the Access Token and use it any time the user comes back until it expires, which in some cases it doesn't).

Now let's say a hard drive containing all these tokens is stolen, etc., and I get a hold of it. What prevents me from becoming a partner with Netflix and using Service X's stored Access Tokens with my own Consumer Key and Secret to read users' protected data? In other words, it seems to me that the identity of the Consumer is not required to be tied to Access Tokens explicitly in the spec; is that the case? (I guess another example is: what if the service provider wants to revoke all access keys issued to a specific Consumer?) Is this something that is considered out of scope?

Thanks in advance!

--
You received this message because you are subscribed to the Google Groups "OAuth" group.
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
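The scenario in the question (a stolen Access Token and its secret presented under a different Consumer Key) comes down to what the Service Provider checks when it verifies a signed request. The following is an added example, written for this page and not taken from the post, the OAuth list, or any real provider; it builds the OAuth 1.0a (RFC 5849) HMAC-SHA1 signature base string on the client side and then verifies it on the provider side with a token store that records which Consumer each Access Token was issued to. The service names, keys, token values and the `enforce_binding` switch are all hypothetical. The point it shows is that the signature alone does not stop the attack: an attacker who holds the token and token secret and has a valid consumer key of their own produces a cryptographically valid signature, so only the provider's own record of the token-to-consumer binding (and a per-consumer revocation step, also shown) rejects it.

```python
"""OAuth 1.0a HMAC-SHA1 signing and provider-side verification (added example).

Nonce/timestamp replay checks are omitted to keep the focus on token binding.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value):
    """Percent-encode per RFC 5849 3.6: only ALPHA / DIGIT / '-' / '.' / '_' / '~' are left raw."""
    return quote(str(value), safe="~")


def normalize_url(url):
    """Base string URI: lowercase scheme/host, drop default ports, query and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """params: (name, value) pairs for query + oauth_* parameters, without oauth_signature."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_request(consumer_key, consumer_secret, token, token_secret,
                  method, url, query, nonce, timestamp):
    """Client side: returns the full parameter list including oauth_signature."""
    params = list(query) + [
        ("oauth_consumer_key", consumer_key), ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", timestamp),
        ("oauth_nonce", nonce), ("oauth_version", "1.0"),
    ]
    params.append(("oauth_signature", sign(method, url, params, consumer_secret, token_secret)))
    return params


# Provider-side state (hypothetical). "evil-key" is the attacker who registered as a partner.
CONSUMERS = {"svcx-key": "svcx-secret", "evil-key": "evil-secret"}
TOKENS = {
    # The provider records which consumer each access token was issued to.
    "tok-alice": {"secret": "tok-alice-secret", "consumer_key": "svcx-key",
                  "user": "alice", "revoked": False},
}


def revoke_consumer(consumer_key):
    """Revoke every access token issued to one consumer; possible only because of the binding."""
    for tok in TOKENS.values():
        if tok["consumer_key"] == consumer_key:
            tok["revoked"] = True


def verify_request(method, url, params, enforce_binding=True):
    """Provider side. Returns (ok, user_or_reason)."""
    p = dict(params)
    consumer_secret = CONSUMERS.get(p.get("oauth_consumer_key"))
    if consumer_secret is None:
        return (False, "unknown consumer")
    if p.get("oauth_signature_method") != "HMAC-SHA1":
        return (False, "unsupported signature method")
    tok = TOKENS.get(p.get("oauth_token"))
    if tok is None:
        return (False, "unknown token")
    if tok["revoked"]:
        return (False, "token revoked")
    # This check, not the signature, is what defeats a stolen token + another consumer's key.
    if enforce_binding and tok["consumer_key"] != p["oauth_consumer_key"]:
        return (False, "token not issued to this consumer")
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = sign(method, url, unsigned, consumer_secret, tok["secret"])
    if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
        return (False, "bad signature")
    return (True, tok["user"])


if __name__ == "__main__":
    URL = "https://api.example.test/queue"
    legit = build_request("svcx-key", "svcx-secret", "tok-alice", "tok-alice-secret",
                          "GET", URL, [("user", "alice")], "n1", "1300000000")
    print("Service X:", verify_request("GET", URL, legit))
    # Attacker has the stolen token AND its secret, and a legitimate consumer key of their own.
    stolen = build_request("evil-key", "evil-secret", "tok-alice", "tok-alice-secret",
                           "GET", URL, [("user", "alice")], "n2", "1300000001")
    print("stolen token, no binding check:", verify_request("GET", URL, stolen, enforce_binding=False))
    print("stolen token, binding enforced: ", verify_request("GET", URL, stolen))
    revoke_consumer("svcx-key")
    print("after revoking Service X:", verify_request("GET", URL, legit))
```

With `enforce_binding=False` the attacker's request verifies as user `alice`, because the signing key (consumer secret plus token secret) is fully under the attacker's control once the token secret is on the stolen disk; the rejection comes only from the provider's stored binding. Whether a given provider keeps that binding is an implementation decision, which is why the answer to the question depends on the Service Provider rather than on the signature scheme.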