- Consumer: client
- Service Provider: server
- User: resource owner
- Consumer Key and Secret: client credentials
- Request Token and Secret: temporary credentials
- Access Token and Secret: token credentials
Request Tokens are only good for obtaining User approval, while Access Tokens are used to access Protected Resources.
The request signing workflow treats both token types the same and the signing method is identical. The distinction between the two tokens belongs to the authorization workflow, not the signature workflow, which uses them equally. This does not mean the two token types are interchangeable, only that they provide the same security function when signing requests.
It is important to note that even though the client credentials are leaked in such an application, the resource owner credentials (token and secret) are specific to each instance of the client, which preserves their security properties.
Servers should not use the client credentials alone to verify the identity of the client. Where possible, other factors such as the IP address should be used as well.
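The two points above (one signing path for both token types, and a per-instance token secret that a leaked client secret does not reveal) can be seen directly in the RFC 5849 HMAC-SHA1 signature. The following is an added example written for these notes, not code from the original page or from any OAuth library. The request, its parameters and the expected signature base string are the RFC's own worked example from section 3.4.1.1; the three secrets (`CLIENT_SECRET`, `TEMP_SECRET`, `TOKEN_SECRET`) are constructed placeholders, and the function names are mine.

```python
# Added example: OAuth 1.0 HMAC-SHA1 signing and verification per RFC 5849 3.4.
# The same sign/verify path serves a temporary credential (request token) and a
# token credential (access token); only the secret fed into the HMAC key differs.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 3.6 percent-encoding: UTF-8, then encode everything outside the
    RFC 3986 unreserved set (A-Z a-z 0-9 - . _ ~), with uppercase hex digits."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Scheme and host lowercased, default port dropped, query and fragment removed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def collect_params(url, form_body, oauth_params):
    """All parameters that enter the base string (RFC 5849 3.4.1.3): the query
    component, an x-www-form-urlencoded body, and the oauth_* header parameters,
    excluding realm and oauth_signature."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += parse_qsl(form_body or "", keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items()
               if k not in ("realm", "oauth_signature")]
    return params


def normalize_params(params):
    """Encode each name and value, sort by name then value, join with = and &."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, params):
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(params))])


def hmac_sha1_signature(base_string, client_secret, token_secret=""):
    """Key = encoded client secret & encoded token secret. token_secret is the
    temporary-credential secret, the token-credential secret, or empty when first
    requesting temporary credentials (RFC 5849 3.4.2)."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, form_body, oauth_params, client_secret, token_secret=""):
    base = signature_base_string(method, url, collect_params(url, form_body, oauth_params))
    return hmac_sha1_signature(base, client_secret, token_secret)


def verify_request(method, url, form_body, oauth_params, client_secret, token_secret=""):
    """Server side: recompute and compare in constant time. The server looks the
    token secret up by oauth_token, so the client secret alone cannot produce a
    signature that verifies for another instance's token."""
    expected = sign_request(method, url, form_body, oauth_params, client_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


# Request and expected base string taken from RFC 5849 section 3.4.1.1.
RFC_METHOD = "POST"
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {
    "realm": "Example",
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
    "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7"
)
# Constructed secrets (not the RFC's), one per token type, to show the shared path.
CLIENT_SECRET = "client-secret-example"
TEMP_SECRET = "temporary-secret-example"   # issued alongside the request token
TOKEN_SECRET = "token-secret-example"      # issued alongside the access token


def demo():
    """Sign with each token type via the same function, verify, then reject a
    tampered body. Returns {label: (signature, verified, tampered_verifies)}."""
    results = {}
    for label, secret in (("temporary", TEMP_SECRET), ("token", TOKEN_SECRET)):
        hdr = dict(RFC_OAUTH)
        hdr["oauth_signature"] = sign_request(RFC_METHOD, RFC_URL, RFC_BODY, hdr, CLIENT_SECRET, secret)
        ok = verify_request(RFC_METHOD, RFC_URL, RFC_BODY, hdr, CLIENT_SECRET, secret)
        tampered = verify_request(RFC_METHOD, RFC_URL, "c2&a3=2+x", hdr, CLIENT_SECRET, secret)
        results[label] = (hdr["oauth_signature"], ok, tampered)
    return results


if __name__ == "__main__":
    print(signature_base_string(RFC_METHOD, RFC_URL, collect_params(RFC_URL, RFC_BODY, RFC_OAUTH)))
    for label, (sig, ok, tampered) in demo().items():
        print(f"{label}: {sig} verified={ok} tampered_verifies={tampered}")
```

Running the block prints the RFC's base string and one signature per token type; both verify against the unmodified request and fail once the body changes. The design point is in `verify_request`: the server derives the HMAC key from a token secret it looks up per token, so verification never rests on the client secret alone, which matches the advice above about not trusting client credentials as the sole identity factor.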
- Note: this section provides a very nice interactive OAuth tool