On Wed, Aug 4, 2010 at 8:45 AM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
> thirdparty.com never gets the access token in the scenario that Brian has
> described, because fragment that was sent by a service provider in Location
> header is not going to travel to the thirdparty.com server.

This is not quite true.

thirdparty.com has a client-side and a server-side component.  The
thirdparty.com client-side component gets the access token and can use
it immediately.

The client-side component can then pass it up to the server-side
component, if the token is useful there.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
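
The fragment handling discussed in this message, as an added example that is not part of the original email: it shows what thirdparty.com's server receives from the redirect, what its client-side script can read, and how the script could pass the token up. The sample redirect URL, the `access_token`/`expires_in` parameter names, and the `/session/token` upload path are assumptions constructed for illustration.

```javascript
// Added illustration; the redirect URL and upload path below are constructed.
const SAMPLE_LOCATION =
  'https://thirdparty.com/callback?state=xyz#access_token=SAMPLE-TOKEN&expires_in=3600';

// What the user-agent puts on the wire to thirdparty.com after following the
// Location header: host plus path and query. The fragment is not sent.
function requestSeenByServer(locationHeader) {
  const url = new URL(locationHeader);
  return { host: url.host, target: url.pathname + url.search };
}

// What thirdparty.com's client-side script can read (location.hash in a browser).
function paramsSeenByClientScript(locationHeader) {
  const url = new URL(locationHeader);
  const fragment = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash;
  const out = {};
  for (const [key, value] of new URLSearchParams(fragment)) out[key] = value;
  return out;
}

// The client-side component passing the token up to its own server-side
// component. Only describes the request; nothing is sent.
// uploadPath is a hypothetical endpoint on the same origin.
function buildUpload(locationHeader, uploadPath) {
  const { access_token: token } = paramsSeenByClientScript(locationHeader);
  if (!token) return null; // no token in the fragment, nothing to pass up
  return {
    method: 'POST',
    url: new URL(locationHeader).origin + uploadPath,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ access_token: token }).toString(),
  };
}

console.log(requestSeenByServer(SAMPLE_LOCATION));
console.log(paramsSeenByClientScript(SAMPLE_LOCATION));
console.log(buildUpload(SAMPLE_LOCATION, '/session/token'));
```

The redirect request itself never shows the token in the server's access logs, but any later request the script makes can carry it, so the server-side component has to be treated as a possible token holder.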
