OAuth Request and Access Tokens

I want to implement OAuth 1 on my website and I was just wondering if I have to change the request token once it has been exchanged for an access token?

Thanks in advance

omg asked Jun 21 '11 02:06


1 Answer

Request tokens are meant to be temporary and unique. After giving one out, you should forget all about it once either a) a few minutes have passed or b) it was used to request an access token. Allowing reuse of request tokens would open you up to HTTP replay attacks.

Section 6 of the OAuth 1.0 spec spells this out:

Request Token: Used by the Consumer to ask the User to authorize access to the Protected Resources. The User-authorized Request Token is exchanged for an Access Token, MUST only be used once, and MUST NOT be used for any other purpose. It is RECOMMENDED that Request Tokens have a limited lifetime.

Robert Levy answered Nov 18 '22 14:11
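As an added illustration of the two rules the answer quotes (exchange at most once, limited lifetime), here is a minimal server-side request-token store; it is example code written for this page, not from the question, the answer, or any OAuth library, and the 300-second lifetime and all class and method names are assumptions.

```python
import secrets
import time

REQUEST_TOKEN_LIFETIME = 300  # seconds; assumed value, the spec only says "limited"


class TokenError(Exception):
    """Raised when a request token cannot be authorized or exchanged."""


class RequestTokenStore:
    """Server-side store enforcing single use and expiry of request tokens."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised offline
        self._request_tokens = {}  # token -> {"issued": float, "authorized": bool}
        self._access_tokens = set()

    def issue_request_token(self):
        token = secrets.token_urlsafe(16)
        self._request_tokens[token] = {"issued": self._now(), "authorized": False}
        return token

    def _expired(self, entry):
        return self._now() - entry["issued"] > REQUEST_TOKEN_LIFETIME

    def authorize(self, token):
        # Called once the user has approved the consumer's request.
        entry = self._request_tokens.get(token)
        if entry is None or self._expired(entry):
            self._request_tokens.pop(token, None)  # drop stale entries eagerly
            raise TokenError("unknown or expired request token")
        entry["authorized"] = True

    def exchange_for_access_token(self, token):
        # pop() is what makes the exchange single-use: a replayed exchange
        # finds no entry and is rejected instead of minting a second token.
        entry = self._request_tokens.pop(token, None)
        if entry is None:
            raise TokenError("unknown, expired, or already used request token")
        if self._expired(entry):
            raise TokenError("request token expired")
        if not entry["authorized"]:
            raise TokenError("request token was never authorized by the user")
        access = secrets.token_urlsafe(16)
        self._access_tokens.add(access)
        return access

    def is_valid_access_token(self, token):
        return token in self._access_tokens
```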