tags:

views:

103

answers:

1
+1  Q: 

Why does OAuth provide both an access token and an access token secret? Why not just a single value?

Why does OAuth include both an access token and an access token secret as two separate values? As a consumer or OAuth, all of the recommendations that I have seen indicate that I should store the token and secret together and essentially treat them as one value.

So why does the specification require two values in the first place?

+3  A: 

Actually, the access token secret is never transmitted to the provider. Instead, requests transmit the access token, and then use the secret to sign the request. That is why you need both: one to identify, and one to secure

Joseph  2010-05-02 05:36:49

related questions

XSRF protection in an AJAX style app
Can OAuth be used to schedule Twitter status updates in the future?
2 legged oauth - looking for information
How to get Uri.EscapeDataString to comply with RFC 3986
OAuth - lexicographical byte value ordering in c#
OpenID authentication from an installed application
What is excatly the technology stack defining Web APIs?
Problem with Google Hybrid Protocol (OpenID + OAuth) Demo
How to integrate google's Step2 with acegi security in the Grails Framework?
OAuth alternative?
OAuth? ,OpenID? Neither? Which one should my site support?
Twitter oAuth callbackUrl - localhost development
Example of a good Webservice
Sorting by key and value in case keys are equal
What does the oauth guide mean by "8 bit array"?
Using OAuth for server-to-server authentication?
Getting 401 on Twitter OAuth POST requests
How do I develop against OAuth locally?
Can OAuth work with mobile phone applications?
Security of REST authentication schemes
How do you manage api keys
How can I verify a Google authentication API access token?
How do you debug an ASP.Net application accessing an OAuth secured API?
oAuth REST and C# What's the missing piece
PHP Tutorial for OpenId and OAuth