There are potentially three names for access tokens in this spec:

- token
- access_token
- oauth_token

You hit the /oauth/access_token endpoint, and get back access_token=blah. Then you take that string and pass it to the protected resource as oauth_token=blah.

Developers that have prototyped things over here have found this to be confusing. It's simpler to just take the same named param everywhere. I vote that one of two things happen:

1/ Return oauth_token from the access token endpoint.
2/ Accept access_token on the protected resource endpoint.
3/ Return "token" (and still "refresh_token") from the access_token endpoint, and accept "token" on the protected resource.

I know there will be infinite debate about the right way to do this, but just wanted some thoughts for now. I will probably choose #2 as that seems most explicit, even though it's a few more characters.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth