Dec 12, 2008, 12:17:04 PM12/12/08
Keith, you said
"It is EXACTLY the same precaution that you must take with passwords.
You can think of this token as a password because that is essentially
what it is (but it is for a very specific purpose so it is harder to
abuse). Any program that handles passwords today must take these
This is exactly why I want to use OpenID, I do not want to manage the
passwords for all my users and all DOD and all fire departments and
all red cross users...
From a provider perspective, as yourself, you will also need to
support users to come to your site and get authorization tokens that
can be exchanged for access tokens by the outside consumers. This may
have to be done asynchronously via email, SMS... or plain web forms.
Still, this is outside the scope of OAuth but still the responsibility
of the service provider such as yourself.