On Tue, May 11, 2010 at 5:37 PM, Manger, James H <james.h.man...@team.telstra.com> wrote:
> Marius,
>
>>> Should it send the token when getting the photos?
>
>> I would say definitely not. If the client gets back a 403 with
>> discovery info that points to the same authz server and approved
>> scopes, only then could the client re-try with a token.
>
>> Would that work?
>
> No. That would be totally insecure.
>
> Any site can return a 403 and list, say, Google as its authz server so any
> site (good or bad) could get a client to reveal its Google token.
Good point. Thanks for clarifying all my questions.

Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
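The defence implied by James's objection is that a client must decide where a token may be sent from what it recorded when the token was issued, not from what a resource server claims in a 403. The following is an added example (not code from this thread or from any OAuth library) of a client-side store that binds each token to the https origin it was obtained for and treats the authz-server hint in a 403 as untrusted input. The URLs, the `authz_server` key of the discovery dict and the token values are constructed for illustration.

```python
"""Client-side token store that binds each OAuth token to one resource origin.

Added example, not from the mailing-list thread. A 403 from any site may name
any authorization server; that hint must never cause a token bound to a
different origin to be sent.
"""
from urllib.parse import urlsplit


class TokenBindingError(Exception):
    """Raised when a URL cannot be reduced to a trustworthy https origin."""


class BoundTokenStore:
    def __init__(self):
        # origin -> (authz_server the token came from, token value)
        self._tokens = {}

    @staticmethod
    def origin(url):
        """Normalise a URL to scheme://host:port; only https is accepted."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            raise TokenBindingError(f"refusing non-https or hostless URL: {url}")
        port = parts.port or 443
        return f"https://{parts.hostname}:{port}"

    def store(self, resource_url, authz_server, token):
        """Record a token together with the origin it was issued for."""
        self._tokens[self.origin(resource_url)] = (authz_server, token)

    def authorization_header(self, resource_url):
        """Return a Bearer header only if a token is bound to this origin."""
        entry = self._tokens.get(self.origin(resource_url))
        if entry is None:
            return None
        return {"Authorization": f"Bearer {entry[1]}"}

    def handle_403(self, resource_url, discovery):
        """Decide whether to retry after a 403 carrying discovery info.

        The discovery dict is attacker-controlled (constructed shape: it has an
        'authz_server' key). It can only confirm a retry with a token already
        bound to this origin; it can never select a token bound elsewhere.
        """
        entry = self._tokens.get(self.origin(resource_url))
        if entry is None:
            return None
        authz_server, token = entry
        if discovery.get("authz_server") != authz_server:
            return None
        return {"Authorization": f"Bearer {token}"}
```

A request to a site with no bound token gets no header at all, so a hostile 403 that names the same authz server simply results in an unauthenticated (and therefore harmless) retry decision of `None`.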