On 4/16/09 5:11 PM, djMax wrote:
Sorry if this is a noob question, but how can we verify the screen_name of an OAuth token? It would seem that having it only out of band as a query arg means it's subject to spoofing, right? Not sure how I build secure site login when the core identifier may not match the token I'm given.
Right, that's why I keep saying that the callback URL needs to be signed ... so the consumer can protect against tampering of the request.
--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
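A sketch of the signed-callback idea from the reply above, as an added example and not code from this thread or from any OAuth provider. It assumes a hypothetical `callback_signature` parameter, HMAC-SHA256, and a secret shared between provider and consumer; none of these are defined by the OAuth specification.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Constructed sample values (assumptions, not from the thread).
CONSUMER_SECRET = b"constructed-consumer-secret"
SIG_PARAM = "callback_signature"  # hypothetical parameter name
SAMPLE_URL = ("https://consumer.example/callback"
              "?oauth_token=constructed-token&screen_name=alice")


def _base_string(url, params):
    """Canonical form: scheme://host/path plus sorted, percent-encoded params."""
    parts = urlsplit(url)
    endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
    pairs = sorted((quote(k, safe=""), quote(v, safe="")) for k, v in params)
    return endpoint + "?" + "&".join(f"{k}={v}" for k, v in pairs)


def sign_callback(url, secret=CONSUMER_SECRET):
    """Provider side: append a MAC covering the endpoint and every parameter."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    mac = hmac.new(secret, _base_string(url, params).encode(), hashlib.sha256)
    sep = "&" if params else "?"
    return url + sep + urlencode({SIG_PARAM: mac.hexdigest()})


def verify_callback(url, secret=CONSUMER_SECRET):
    """Consumer side: return the parameters if the MAC is valid, else None."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    sigs = [v for k, v in params if k == SIG_PARAM]
    signed = [(k, v) for k, v in params if k != SIG_PARAM]
    if len(sigs) != 1:
        return None  # missing or duplicated signature
    if len({k for k, _ in signed}) != len(signed):
        return None  # repeated keys make "the" screen_name ambiguous
    expected = hmac.new(secret, _base_string(url, signed).encode(), hashlib.sha256)
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.hexdigest().encode(), sigs[0].encode()):
        return None
    # oauth_token and screen_name were MACed together, so they belong together.
    return dict(signed)
```

Because the MAC covers `oauth_token` and `screen_name` together, a consumer that accepts the callback knows the name was issued alongside that token rather than edited in transit.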