views: 73
answers: 0

I'm wondering what the reasons are for OAuth to require a round-trip to the data provider to exchange an authorized request token for an access token.

My understanding of the OAuth workflow is:

  1. Requesting site (consumer) gets a request token from the data provider site (service provider).

  2. Requesting site asks the data provider site to authenticate the user, passing in a callback.

  3. Once the user has been authenticated and authorized the requesting site, the user is directed back to the requesting site (consumer) via the callback provided which passes back the now-authorized request token and a verification code.

  4. The requesting site exchanges the request token for an access token.

  5. The requesting site uses the access token to get data from the data provider site.

Assuming I got that right, why couldn't the callback simply provide the access token to the requesting site directly in step 3, eliminating step 4? Why is the request to exchange the request token for the access token necessary? Does it exist solely for consumers that require users to enter the verification code manually, with the thought that it would be shorter and simpler than the access token itself?
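As an added illustration (not part of the question or of any answer on this page), the Python below simulates the OAuth 1.0a flow the question lists, with HMAC-SHA1 signing as specified in RFC 5849; the consumer key, secrets, URLs and timestamp are all constructed, and the whole exchange runs in-process with no network. It shows the property the step 4 round-trip provides: the step 3 callback travels through the user's browser and carries only the request token and a verifier, while the step 4 exchange is signed with the consumer secret and the request-token secret, neither of which ever passed through the browser, so the access token and its secret are only delivered over that authenticated back channel, and a request token is consumed on first use.

```python
"""Simulated OAuth 1.0a three-legged flow (RFC 5849), no network.
All keys, secrets, URLs and the timestamp are constructed for this example."""
import base64
import hashlib
import hmac
import secrets
import urllib.parse

CONSUMER_KEY = "demo-consumer-key"        # constructed
CONSUMER_SECRET = "demo-consumer-secret"  # constructed; stays on the consumer's server
PROVIDER = "https://provider.example"     # constructed URL
CALLBACK = "https://consumer.example/cb"  # constructed URL


def pct(s: str) -> str:
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters are left as-is
    return urllib.parse.quote(s, safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: METHOD & encoded URL & encoded, sorted parameter string
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(norm)])


def hmac_sha1(base: str, consumer_secret: str, token_secret: str = "") -> str:
    # RFC 5849 section 3.4.2: signing key is "consumer secret & token secret"
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def signed_request(url: str, extra: dict, token_secret: str = "") -> dict:
    # Consumer side: sign with secrets that only the consumer's server holds
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1700000000",
              "oauth_version": "1.0", **extra}
    params["oauth_signature"] = hmac_sha1(base_string("POST", url, params),
                                          CONSUMER_SECRET, token_secret)
    return params


class ServiceProvider:
    """Data-provider side: checks signatures and tracks token state."""

    def __init__(self):
        self.consumers = {CONSUMER_KEY: CONSUMER_SECRET}
        self.request_tokens = {}  # token -> {"secret", "consumer", "verifier"}
        self.access_tokens = {}   # token -> token secret

    def _valid_signature(self, url: str, params: dict, token_secret: str) -> bool:
        p = dict(params)
        presented = p.pop("oauth_signature", "")
        consumer_secret = self.consumers.get(p.get("oauth_consumer_key", ""))
        if consumer_secret is None:
            return False
        expected = hmac_sha1(base_string("POST", url, p), consumer_secret, token_secret)
        return hmac.compare_digest(presented, expected)

    # Step 1: temporary credentials; no token secret exists yet, so the key is "consumer&"
    def issue_request_token(self, params: dict):
        if not self._valid_signature(f"{PROVIDER}/request_token", params, ""):
            return None
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": params["oauth_consumer_key"],
                                    "verifier": None}
        return tok, sec

    # Steps 2-3: the user approves in the browser; the provider records a verifier and
    # redirects the browser to the callback carrying ONLY the token and that verifier.
    def user_authorizes(self, token: str) -> dict:
        rec = self.request_tokens[token]
        rec["verifier"] = secrets.token_hex(6)
        return {"oauth_token": token, "oauth_verifier": rec["verifier"]}

    # Step 4: back-channel exchange. Needs the verifier from the redirect plus a signature
    # over the consumer secret AND the request-token secret; the token is single use.
    def exchange(self, params: dict):
        rec = self.request_tokens.get(params.get("oauth_token", ""))
        if rec is None or rec["verifier"] is None:
            return None
        if rec["verifier"] != params.get("oauth_verifier"):
            return None
        if rec["consumer"] != params.get("oauth_consumer_key"):
            return None
        if not self._valid_signature(f"{PROVIDER}/access_token", params, rec["secret"]):
            return None
        del self.request_tokens[params["oauth_token"]]
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = sec
        return tok, sec


def run_flow(sp: ServiceProvider):
    """Honest consumer: returns (access token pair, result of replaying the same exchange)."""
    rt, rt_secret = sp.issue_request_token(
        signed_request(f"{PROVIDER}/request_token", {"oauth_callback": CALLBACK}))
    cb = sp.user_authorizes(rt)  # browser redirect to the consumer's callback
    req = signed_request(f"{PROVIDER}/access_token", cb, rt_secret)
    return sp.exchange(req), sp.exchange(req)


def exchange_without_secrets(sp: ServiceProvider):
    """What the design rules out: a party that saw the redirect but holds no secrets."""
    rt, _ = sp.issue_request_token(
        signed_request(f"{PROVIDER}/request_token", {"oauth_callback": CALLBACK}))
    cb = sp.user_authorizes(rt)
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": "n", "oauth_version": "1.0",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1700000000", **cb}
    params["oauth_signature"] = hmac_sha1(
        base_string("POST", f"{PROVIDER}/access_token", params), "wrong", "wrong")
    return sp.exchange(params)
```

`run_flow` completes steps 1 through 4 and then replays the identical step 4 request; the first call yields an access token pair and the replay yields `None` because the request token was consumed. `exchange_without_secrets` presents exactly what the browser saw in step 3 and nothing more, and gets nothing back, which is the difference between handing the access token to the callback and requiring the signed exchange.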