On Fri, Oct 2, 2009 at 10:20 AM, Eran Hammer-Lahav <eran at hueniverse.com> wrote:
> Why does this need to be covered by OAuth? What prevents any server from issuing
> a time-limited/restricted/single-use/etc URI using a long token such as:
>
> http://example.com/resource/share/1k2j3h1oi823h123hk1j23ho182h31j2h3o182h3o12hi3o182h3o182h3
>
> I just don't see any reason why this is lesser than producing a URI that uses OAuth parameters.
> Whatever the server needs can be either encoded into this long token or maintained in a database.

I'd bet that people will keep using the OAuth 1.0 URL signing scheme for this purpose. It works pretty well as-is.

URL signing doesn't seem to apply to the core OAuth use cases around delegation and client-to-server authentication.

Cheers,
Brian
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
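The long-token approach from the quoted message, as an added example that is not part of the original thread: the expiry and single-use restriction are encoded into the token and protected with a MAC, while a set stands in for the database that tracks redeemed tokens. The HMAC-SHA256 construction, the key, and the names `issue`, `redeem`, `SECRET` and `_used` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-key"             # assumption: secret known only to the server
BASE = "http://example.com/resource/share/"  # URL prefix from the quoted message
_used = set()  # stands in for the database: remembers redeemed single-use tokens

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue(resource: str, ttl: int, single_use: bool, now: float) -> str:
    """Encode the restrictions into the token and append a MAC over them."""
    claims = {"res": resource, "exp": int(now) + ttl, "once": single_use,
              "jti": secrets.token_hex(8)}   # nonce keeps every token distinct
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{BASE}{body}.{_mac(body)}"

def redeem(url: str, now: float):
    """Return the resource name if the URL is authentic and usable, else None."""
    if not url.startswith(BASE):
        return None
    body, sep, tag = url[len(BASE):].partition(".")
    if not sep:
        return None
    # Constant-time comparison, done before any of the token is parsed.
    if not hmac.compare_digest(_mac(body).encode(), tag.encode()):
        return None
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:                 # time-limited
        return None
    if claims["once"]:                       # single-use: needs server-side state
        if claims["jti"] in _used:
            return None
        _used.add(claims["jti"])
    return claims["res"]

if __name__ == "__main__":
    link = issue("report.pdf", ttl=60, single_use=True, now=1_000_000)
    print(link)
    print(redeem(link, now=1_000_010), redeem(link, now=1_000_011))
```

The time limit needs no server-side state beyond the key, whereas the single-use restriction works only because redeemed tokens are remembered.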