John Bledsoe

Reputation: 17682

Why does OAuth provide both an access token and an access token secret? Why not just a single value?

Why does OAuth include both an access token and an access token secret as two separate values? As a consumer of OAuth, all of the recommendations that I have seen indicate that I should store the token and secret together and essentially treat them as one value.

So why does the specification require two values in the first place?

Upvotes: 20

Views: 4247

Answers (2)

Ripu Daman Bhadoria

Reputation: 2572

There are 2 secrets: one is the token secret and the other is the consumer secret. Secrets are used to sign the requests (to generate the OAuth signature) but are not transmitted in the request header, whereas the token is sent in the header to identify the client and verify whether it has access.

Upvotes: 0

yydl

Reputation: 24474

Actually, the access token secret is never transmitted to the provider. Instead, requests transmit the access token, and then use the secret to sign the request. That is why you need both: one to identify, and one to secure.

Upvotes: 22
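The split described in the answers above, shown as an added example (not code from the original posts): an OAuth 1.0 HMAC-SHA1 request in the style of RFC 5849, where the token travels in the `Authorization` header and the two secrets only form the signing key. The credentials, URL, nonce and timestamp are constructed sample values, and the nonce/timestamp replay checks a real provider performs are left out.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed sample credentials (not real values).
CONSUMER_KEY, CONSUMER_SECRET = "ck-demo", "cs-demo-secret"
TOKEN, TOKEN_SECRET = "tok-demo", "ts-demo-secret"

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # Both secrets form the HMAC key; neither is placed in the request.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def build_request(method, url, query, token_secret=TOKEN_SECRET):
    # Client side. Nonce and timestamp are fixed, constructed values here.
    oauth = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": TOKEN,
             "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
             "oauth_nonce": "constructed-nonce", "oauth_timestamp": "1700000000"}
    oauth["oauth_signature"] = sign(method, url, {**query, **oauth},
                                    CONSUMER_SECRET, token_secret)
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())
    return {"method": method, "url": url, "query": query,
            "oauth": oauth, "header": header}

def verify(request, consumer_secrets, token_secrets):
    # Provider side: look up each secret by the identifier that was sent,
    # recompute the signature, and compare in constant time.
    oauth = dict(request["oauth"])
    sent = oauth.pop("oauth_signature")
    expected = sign(request["method"], request["url"], {**request["query"], **oauth},
                    consumer_secrets[oauth["oauth_consumer_key"]],
                    token_secrets[oauth["oauth_token"]])
    return hmac.compare_digest(expected, sent)

if __name__ == "__main__":
    req = build_request("POST", "https://api.example.com/statuses", {"status": "hello"})
    print(req["header"])
    print(verify(req, {CONSUMER_KEY: CONSUMER_SECRET}, {TOKEN: TOKEN_SECRET}))
```

An observer who captures the header learns the token but cannot produce a valid signature for a different request without the token secret.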
