Thanks! So OAuth is only concerned with the actual exchange of the authorization token and access token - not what's in them. Further: it's up to the OAuth vendor to decide how it should handle those tokens internally.
For instance: When an end user grants access to something, then this is registered internally in the application, and when a resource webservice receives the access token, it looks it up in the internal register to see what it is valid for? The specs say nothing about what the webservice should do with that token. Right? /Jørn On Sep 1, 7:58 am, John Kristian <jmkrist...@gmail.com> wrote: > It's vendor specific. -- You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oa...@googlegroups.com. To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/oauth?hl=en.