Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The question still is, are Facebook failing to associate the token with the application context that requested it?


Failing sounds like its a requirement for them to do it, but this is not true. If you send them just a token, then how would they associate it with the application? Like I said, in another flow where you send your client secret and a code to exchange for the token, they need to verify it and it would be a failure on their part if they didn't.


They have the client id when the token is requested, so they can associate the generated token with it by either keeping some state or encoding it in the token, no?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: