Request and access tokens in OAuth
Can someone explain why request tokens must be exchanged for access tokens after user approval? Why not pretend the request token is the access token once the user has approved access?
Short answer: to authenticate the application.
Refer to YouTube's OAuth Process Flow Diagram
OAuth is a 3-legged protocol. In this particular case, YouTube needs to authenticate two different entities: a) the user and b) the application that needs access.
Now, after the user grants access (Step 10 in the diagram), YouTube knows that "User x wants to grant application Y access to YouTube". But it hasn't yet verified application Y. A rogue application can perform all the steps up to step 10 pretending to be a valid, known application - and such an action must be prevented.
In the last 3 steps, the application verifies itself to YouTube by signing the request. Once this is done, YouTube can safely provide an access token to the application.
The OAuth system checks the request token and checks whether the access requested is permitted for that user. It then issues an access token (valid for a certain period) and digitally signs it.
The signature is important, as that is what shows that the system agrees that the requester is permitted the access that he has requested.
Take a look at: http://hueniverse.com/oauth/ for an easy-to-swallow guide to how the whole thing works.
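The exchange both answers describe, as an added example that is not part of either answer or of YouTube's implementation: a toy OAuth 1.0a provider issues a request token, records the user's approval, and only hands out an access token once the application proves it holds the consumer secret by signing the exchange request (HMAC-SHA1 over the RFC 5849 signature base string, keyed with consumer secret and request-token secret). A rogue application that has captured the approved request token and verifier, but not the secrets, fails at the signature check. The `Provider` class, the `app-Y`/`user-x` credentials and the `provider.example` URL are constructed for the example; timestamp and nonce replay checks are left out for brevity.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay as-is."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """method & url & normalized params, each percent-encoded (RFC 5849 section 3.4.1)."""
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


class Provider:
    """Hypothetical service provider (YouTube's role in the answer); URL is made up."""

    ACCESS_TOKEN_URL = "https://provider.example/oauth/access_token"

    def __init__(self):
        self.consumers = {}       # consumer_key -> consumer_secret, set at app registration
        self.request_tokens = {}  # request token -> state of the pending authorization
        self.access_tokens = {}   # access token -> user, application and expiry

    def register_consumer(self, key, secret):
        self.consumers[key] = secret

    def issue_request_token(self, consumer_key):
        """Pre-approval steps: a temporary credential bound to one registered application."""
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer_key": consumer_key,
                                      "user": None, "verifier": None}
        return token, secret

    def user_approves(self, token, user):
        """Step 10: user grants access; provider records it and mints a verifier."""
        entry = self.request_tokens[token]
        entry["user"], entry["verifier"] = user, secrets.token_hex(4)
        return entry["verifier"]

    def exchange_access_token(self, method, params, ttl=3600):
        """The last three steps: authenticate the application, then issue an access token."""
        entry = self.request_tokens.get(params.get("oauth_token"))
        if entry is None or entry["user"] is None:
            raise PermissionError("unknown or unapproved request token")
        if entry["consumer_key"] != params.get("oauth_consumer_key"):
            raise PermissionError("request token was issued to a different application")
        if not hmac.compare_digest(entry["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("bad verifier")
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = hmac_sha1_signature(method, self.ACCESS_TOKEN_URL, unsigned,
                                       self.consumers[entry["consumer_key"]], entry["secret"])
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("signature does not verify: application not authenticated")
        del self.request_tokens[params["oauth_token"]]  # request tokens are single-use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "user": entry["user"],
                                     "consumer_key": entry["consumer_key"],
                                     "expires": time.time() + ttl}
        return token, secret


def build_access_token_request(consumer_key, consumer_secret, token, token_secret, verifier):
    """Client side: assemble and sign the exchange request."""
    params = {"oauth_consumer_key": consumer_key, "oauth_token": token,
              "oauth_verifier": verifier, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
              "oauth_version": "1.0"}
    params["oauth_signature"] = hmac_sha1_signature("POST", Provider.ACCESS_TOKEN_URL, params,
                                                    consumer_secret, token_secret)
    return params


def run_flow():
    """Rogue app with only public values is rejected; the genuine app gets an access token."""
    provider = Provider()
    provider.register_consumer("app-Y", "Y-consumer-secret")  # constructed credentials
    req_token, req_secret = provider.issue_request_token("app-Y")
    verifier = provider.user_approves(req_token, "user-x")    # user x approves app Y

    # Rogue app: knows the public consumer key, the approved request token and the
    # verifier (say it sat on the callback), but neither the consumer nor the token secret.
    rogue = build_access_token_request("app-Y", "guessed-secret", req_token, "", verifier)
    try:
        provider.exchange_access_token("POST", rogue)
        rogue_error = None
    except PermissionError as exc:
        rogue_error = str(exc)

    genuine = build_access_token_request("app-Y", "Y-consumer-secret",
                                         req_token, req_secret, verifier)
    access_token, _ = provider.exchange_access_token("POST", genuine)
    return {"rogue_error": rogue_error,
            "genuine_ok": access_token in provider.access_tokens,
            "request_token_consumed": req_token not in provider.request_tokens}


if __name__ == "__main__":
    print(run_flow())
```

Note that the user's approval is recorded against the request token, not against the application that will call the exchange, which is exactly why the exchange must be signed: in this flow the request token and verifier travel through the user's browser and can be observed, while the consumer secret and request-token secret never do. A real provider additionally rejects stale timestamps and reused nonces, and signs the request-token step too.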