I'm trying to figure out 2-legged OAuth on Jersey 1.17. I came across
http://java.net/projects/jersey/lists/users/archive/2011-05/message/92 but
that raises more questions.
I see where there is now a getPrincipal() and isInRole(java.lang.String
role) in DefaultOAuthProvider.Consumer.
Question 1) Doesn't this go against the OAuth spec? In my mind getPrincipal
== resource owner. The spec says that the request (access) credentials may
be omitted only if the request is not tied to a resource owner.

    oauth_token
        The token value used to associate the request with the resource
        owner. If the request is not associated with a resource owner
        (no token available), clients MAY omit the parameter.

Question 2) If adding getPrincipal() and isInRole(java.lang.String
role) in DefaultOAuthProvider.Consumer really is not a mistake...
Where do you even attach a principal and roles to the consumer key?
registerConsumer doesn't take a list of roles and authorizeToken says
it is only for temporary (request) tokens.
-Chase