On Tue, Aug 3, 2010 at 12:44 PM, Yoav Nir <y...@checkpoint.com> wrote:
> So if the browser works correctly (instead of what the python library does),
> then thirdparty.com sees only "GET rpc_relay.html", while the javascript
> also gets the "access_token=12345".

In the average case, thirdparty.com doesn't even see GET /rpc_relay.html. The page is cached in the browser. So the access_token has moved from serviceprovider.com to thirdparty.com, where javascript on thirdparty.com can use it.

> What I'm not getting is why this matters. Is this supposed to be about
> security? It can't be any good at that, because the javascript is coming
> from thirdparty.com. If the good people at thirdparty.com want to know the
> access token, they can make their javascript send it to them. So what is
> the purpose of this funky use of HTTP?

It is in large part a performance optimization. If you pass the token through a server, it adds hundreds of milliseconds to the request. If you pass the token entirely on the client, it is under a millisecond.

> Is the access token a secret? From whom?

If you aren't sure about this, you don't want OAuth.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
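The fragment trick the two messages discuss, as an added example that is not code from the thread: a browser sends only the request target (path and query) to thirdparty.com, while the fragment after `#` stays on the client and is readable by the page's own script. The redirect URL and token value below are constructed.

```javascript
// Added example, not from the thread. The URL and token are constructed.

// What a browser puts on the wire for a URL: the request target only.
// Per RFC 3986 / RFC 7230 the fragment (everything after '#') is never sent,
// so it cannot appear in thirdparty.com's server logs.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;          // e.g. "/rpc_relay.html"
}

// What a script on the landing page can read from window.location.hash.
// Any script thirdparty.com serves on that page can read this too, which
// is exactly the point made in the thread: the fragment hides the token
// from the network path, not from thirdparty.com's own JavaScript.
function fragmentParams(urlString) {
  const u = new URL(urlString);
  const hash = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  return Object.fromEntries(new URLSearchParams(hash));
}

// Split one redirect URL into the server-visible and client-only parts.
function splitRedirect(urlString) {
  return {
    serverSees: requestTarget(urlString),
    clientOnly: fragmentParams(urlString),
  };
}

// Constructed redirect as serviceprovider.com might issue it. Because the
// token rides in the fragment, a cached copy of rpc_relay.html is enough:
// the server need not be contacted at all for the token to reach the script.
const REDIRECT =
  'https://thirdparty.com/rpc_relay.html#access_token=12345&token_type=bearer&expires_in=3600';

// Contrast: a query-string redirect does reach the server and its logs.
const QUERY_REDIRECT = 'https://thirdparty.com/cb?access_token=12345';

const parts = splitRedirect(REDIRECT);
console.log('request line seen by thirdparty.com:', 'GET ' + parts.serverSees);
console.log('data seen only by the page script  :', parts.clientOnly);
console.log('query-string variant request line  :', 'GET ' + requestTarget(QUERY_REDIRECT));
```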