In the example, would the user have to grant TwitPic access to his account? I would like to be able to assure TwitPic about the user's identity without the user having to grant TwitPic any read or read/write access to his account.
Why does the delegator need to send the service provider x_request_method, x_request_url, x_request_parameters, and x_request_authorization? For example, why does Twitter need to know what the user is doing with TwitPic? It seems like an unnecessary disclosure of information that should stay between the consumer and the delegator. The end-user might want to authenticate using his Twitter credentials without telling Twitter what he's doing. Instead, the consumer should just sign <some constant>||timestamp||nonce||expiration_date with their Twitter access token/secret, since that's all Twitter needs to verify the end-user's possession of the Twitter access token. The delegator should be responsible for securing its own service (e.g. against replay). In particular, the delegator should be able to use this service even if the delegator doesn't otherwise use OAuth for protecting its own resources, and even if the consumer isn't communicating with the delegator over HTTP (think WebSockets, SPDY, etc.).

Regards,
Brian

Raffi Krikorian wrote:
> http://mehack.com/a-proposal-for-delegation-in-oauth-identity-v
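The alternative Brian sketches, a possession proof over constant||timestamp||nonce||expiration_date keyed with the access token secret, worked through as an added Python example that is not part of the thread or of Raffi's proposal. Everything specific here is an assumption: the constant string, HMAC-SHA256 as the MAC (OAuth 1.0 itself uses HMAC-SHA1), the constructed token and secret, the provider's in-memory token store, and the delegator's in-memory nonce cache. The provider sees only the signed fields, never the request the user is making of the delegator; replay protection lives in the delegator, as the post argues.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials. The token secret is shared only between the
# consumer and the service provider (Twitter) that issued it.
ASSERTION_CONSTANT = "oauth-identity-assertion"      # the "<some constant>" (assumed name)
SAMPLE_TOKEN = "access-token-123"                    # constructed
SAMPLE_TOKEN_SECRET = "constructed-token-secret"     # constructed
TOKEN_SECRETS = {SAMPLE_TOKEN: SAMPLE_TOKEN_SECRET}  # hypothetical provider token store


def _base_string(constant, timestamp, nonce, expiration):
    # Exactly constant||timestamp||nonce||expiration_date: no method, URL or
    # parameters, so the provider learns nothing about the delegator request.
    return "||".join([constant, str(timestamp), nonce, str(expiration)])


def _sign(base, token_secret):
    # HMAC keyed with the access token secret (HMAC-SHA256 is an assumption).
    mac = hmac.new(token_secret.encode(), base.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_assertion(token, token_secret, now=None, ttl=300, nonce=None):
    """Consumer side: produce the possession proof handed to the delegator."""
    now = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(16) if nonce is None else nonce
    expiration = now + ttl
    base = _base_string(ASSERTION_CONSTANT, now, nonce, expiration)
    return {
        "token": token,
        "timestamp": now,
        "nonce": nonce,
        "expiration": expiration,
        "signature": _sign(base, token_secret),
    }


def provider_verify(assertion, now=None):
    """Service provider side: confirm the consumer holds the token secret.

    Returns (ok, reason). Only token, times, nonce and signature are needed.
    """
    now = int(time.time()) if now is None else int(now)
    token_secret = TOKEN_SECRETS.get(assertion.get("token"))
    if token_secret is None:
        return False, "unknown token"
    if now > assertion["expiration"]:
        return False, "expired"
    base = _base_string(ASSERTION_CONSTANT, assertion["timestamp"],
                        assertion["nonce"], assertion["expiration"])
    expected = _sign(base, token_secret)
    # Constant-time comparison so verification time leaks nothing about the MAC.
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


class Delegator:
    """Delegator (TwitPic) side: replay protection is its own responsibility,
    independent of whether the consumer arrived over HTTP, WebSockets, etc."""

    def __init__(self):
        self._seen = {}  # nonce -> expiration; pruned once assertions expire

    def accept(self, assertion, now=None):
        now = int(time.time()) if now is None else int(now)
        # Forget nonces whose assertions could no longer be accepted anyway.
        self._seen = {n: e for n, e in self._seen.items() if e >= now}
        if assertion["nonce"] in self._seen:
            return False, "replayed nonce"
        # In the real flow this is a network call to the provider; here the
        # provider's check is invoked directly.
        ok, reason = provider_verify(assertion, now)
        if ok:
            self._seen[assertion["nonce"]] = assertion["expiration"]
        return ok, reason


if __name__ == "__main__":
    proof = build_assertion(SAMPLE_TOKEN, SAMPLE_TOKEN_SECRET)
    delegator = Delegator()
    print(delegator.accept(proof))  # first presentation is accepted
    print(delegator.accept(proof))  # same nonce again is refused as a replay
```

Bounding the nonce cache by the assertion's own expiration is what makes the delegator-side replay check cheap: a nonce only has to be remembered until the provider would reject the assertion as expired anyway.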