I'm trying to wrap my head around the token secret in OAuth 1.0a.
I've read the OAuth documentation and some Stack Overflow threads, but most of what I could find addresses the consumer secret (which I understand) and not the token secret.
I understand the consumer key and secret should not be exposed to the client application (the web browser in my case). It's used to authenticate my application with the OAuth server and is only communicated from server to server, not to or from the browser.
What I'm struggling with is the token secret. I understand I receive the token secret once I've exchanged a request token for an access token. I also understand that the secret is used in the signing key when generating the OAuth signature.
What I don't understand is what the purpose of this token is and whether it should be passed to the client, or stored only on my server.
If the value is supposed to be secret and only stored on my server, what additional benefit does it provide? The consumer secret already ensures that an attacker would not be able to use the access token without knowing my client secret; the token secret does not provide any additional protection.
If the value can be passed through to the browser, what purpose does it serve? Tokens and token secrets are issued at the same time and if they're always sent together, why is the second value useful at all?
Edit: The thread linked as a possible duplicate doesn't address whether the token secret should be stored on the browser or server, nor does it really clarify why having it provides any security in addition to the other three values.
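A minimal OAuth 1.0a HMAC-SHA1 signer and verifier following RFC 5849, added here as an illustration and not part of the question: it shows that the token secret is the second half of the signing key, so a request signed with only the consumer secret and the access token (the two values a browser would see) does not verify on the server. The consumer key, token, secrets, nonce and URL are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials, not real ones.
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
ACCESS_TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"

def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(s), safe="-._~")

def signing_key(consumer_secret: str, token_secret: str) -> str:
    """Encoded consumer secret '&' encoded token secret; the second half is empty
    only before any token has been issued (the temporary-credential request)."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string (RFC 5849 section 3.4.1); oauth_signature is excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&{pct(url)}&{pct(normalized)}"

def sign(method, url, params, consumer_secret, token_secret) -> str:
    key = signing_key(consumer_secret, token_secret).encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def verify(method, url, params, consumer_secret, token_secret) -> bool:
    """Server side: recompute with the secrets stored for this consumer/token pair."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

def demo():
    url = "https://api.example.com/1/account"
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": ACCESS_TOKEN,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
              "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0"}
    # The legitimate client holds both secrets; the second signer knows the
    # consumer secret and the access token but not the token secret.
    good = dict(params, oauth_signature=sign("GET", url, params, CONSUMER_SECRET, TOKEN_SECRET))
    partial = dict(params, oauth_signature=sign("GET", url, params, CONSUMER_SECRET, ""))
    check = lambda p: verify("GET", url, p, CONSUMER_SECRET, TOKEN_SECRET)
    return check(good), check(partial)  # (True, False)
```

Because the server recomputes the HMAC with the token secret it stored at issuance, a token secret that never leaves the server cannot be replayed by anyone who only captured the token.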