On 1 February 2010 19:58, Onmyouji <apeze...@gmail.com> wrote: > It looks like to me that in the spec there is no requirement for some > affinity between the Consumer Key/Consumer Secret, and the Access > token. > > Is this something that is considered out of scope?
You're right, there's no spec-mandated affinity. However, server-side implementations should only allow requests that are made with an access token and the consumer key that was used to issue the access token. We didn't specify this because there are viable scenarios where you want access key portability. b. -- You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oa...@googlegroups.com. To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/oauth?hl=en.