On Thu, Mar 25, 2010 at 7:54 PM, Ethan Jewett <esjew...@gmail.com> wrote:
> Possibly this is a silly question, but why not #2 and have the bearer
> token method (over SSL of course) include the token secret? The
> provider would always issue a token and a token secret. If the client
> is not interested in signing methods, it can discard the token and
> keep the token secret. This secret is never sent in the clear using a
> signing method. I believe that this is the approach taken in OAuth
> 1.0a and it seems like it should address this concern.

Well thought-out bearer tokens and well thought-out proof of possession tokens rarely look the same.