Authorization is currently NOT handled by the OAuth protocol, should be done by the service provider.