I had a question on OAuth version 1.0a that I’m hoping you could help
me find an answer to:

It looks to me like the spec has no requirement for any
affinity between the Consumer Key/Consumer Secret and the Access
Token.

So here's the scenario: for some services, a Consumer may choose to
store/cache the Access Token for a duration of time which sometimes
can be infinite (for instance, if a user gives consent for Service X to
access his/her Netflix queue, Service X does not want to keep asking the
user to give consent every time, so it will store the Access Token and
use it any time the user comes back until it expires, which in some cases
it never does).

Now let's say a hard drive containing all these tokens is stolen, etc.,
and I get hold of it. What prevents me from becoming a partner with
Netflix and using Service X's stored Access Tokens with my own Consumer
Key and Secret to read users' protected data? In other words, it seems
to me that the identity of the consumer is not required to be tied to
Access Tokens explicitly in the spec. Is that the case?

(I guess another example is: what if the service provider wants to revoke
all access keys issued to a specific consumer?)

Is this something that is considered out of scope?


Thanks in advance!
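To make the scenario concrete, here is an added illustration (not from the original post or any OAuth implementation) of the provider-side check that would close the gap described above: record the Consumer Key that obtained each Access Token and refuse the token when a different Consumer Key presents it. The token store, consumer names and the pre-built base string are constructed for the example; OAuth 1.0a HMAC-SHA1 really does key the signature with the Consumer Secret and Token Secret joined by "&", which is why a stolen token plus token secret would otherwise verify fine under the thief's own Consumer Secret.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed provider-side state (hypothetical layout): each Access Token is
# stored together with the Consumer Key that was presented when it was issued.
TOKEN_STORE = {
    "tok-abc": {"consumer_key": "servicex-key", "token_secret": "tok-secret-1",
                "user": "alice", "revoked": False},
}
# Registered consumers, including a second partner who has no right to tok-abc.
CONSUMER_SECRETS = {"servicex-key": "servicex-secret", "other-key": "other-secret"}


def signing_key(consumer_secret: str, token_secret: str) -> str:
    # OAuth 1.0a HMAC-SHA1 key: percent-encoded consumer secret & token secret.
    return f"{quote(consumer_secret, safe='')}&{quote(token_secret, safe='')}"


def hmac_sha1(base_string: str, consumer_secret: str, token_secret: str) -> str:
    key = signing_key(consumer_secret, token_secret).encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_request(consumer_key: str, token: str, base_string: str,
                   signature: str, enforce_binding: bool = True) -> str:
    """Return 'ok' or the reason the request is rejected.
    enforce_binding=False shows what happens when the provider only checks
    the signature and never ties the token to the consumer that obtained it."""
    rec = TOKEN_STORE.get(token)
    if rec is None or rec["revoked"]:
        return "unknown_or_revoked_token"
    consumer_secret = CONSUMER_SECRETS.get(consumer_key)
    if consumer_secret is None:
        return "unknown_consumer"
    if enforce_binding and rec["consumer_key"] != consumer_key:
        return "token_not_bound_to_consumer"
    expected = hmac_sha1(base_string, consumer_secret, rec["token_secret"])
    if not hmac.compare_digest(expected, signature):
        return "bad_signature"
    return "ok"


def revoke_consumer(consumer_key: str) -> int:
    """Revoke every Access Token issued to one consumer; returns the count."""
    revoked = 0
    for rec in TOKEN_STORE.values():
        if rec["consumer_key"] == consumer_key and not rec["revoked"]:
            rec["revoked"] = True
            revoked += 1
    return revoked
```

The base string is passed in already assembled; real providers must normalise method, URL and parameters per the spec before signing, which is omitted here to keep the binding check in focus.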
