Hi,

> I'm wondering should the server try to redirect the end user back to the
> consumer first, provided the consumer did register a callback ? The consumer
> will recognize that no verifier is available and will reply back to the end
> user : "can not access your resource because the server thought my request
> token was invalid" (just an example), so it will be the responsibility of
> the consumer as to what to say if the request token expired or something.
>
> Though if no callback is available then the server will have to reply to the
> end user indeed...

I got the suggestion from current OAuth providers, i.e. Google or Twitter show information about an invalid request on the server side. The approach where the error response is sent to the client is, I think, included in the current OAuth 2.0 spec. However, callback_uri is required there, either through preregistration or a request parameter; in 1.0, as you mentioned, it may not be available. I would go with a server response to the user, as it solves both cases, where a callback is available or not. WDYT?

>> So far I use RequestDispatcherProvider, but I am stuck a bit, how to
>> perform a conditional redirection (i.e. depends on object passed to
>> MessageBodyWriter).
>> I haven't found any easy way to do that. I can write custom
>> RequestDispatcherProvider based on existing one, but maybe there is
>> easier way?
>>
> Perhaps a simpler option is to handle it by using
> Response.seeOther(relativeUri) in a service provider method which does the
> validation which will redirect the user to a dedicated method handling
> errors...

Thanks, that's a simpler way :).

Cheers,
Lukasz

>
> cheers, Sergey
>
>> Thanks for help.
>>
>> Cheers,
>> Lukasz
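
The approach agreed on in this message (validate the request token in the service method, then use Response.seeOther to send the end user to a dedicated error method, so the server answers the user whether or not a callback was registered), written out as an added example that is not code from either poster or from the project. The class name, the paths, the `reason` parameter and the in-memory token store are assumptions made for illustration.

```java
import java.net.URI;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;

// Hypothetical resource: class name, paths and "reason" values are illustrative.
@Path("/authorize")
@Produces("text/plain")
public class AuthorizationResource {
    // Constructed stand-in for the request-token store: token -> expiry (epoch millis).
    static final Map<String, Long> REQUEST_TOKENS = new ConcurrentHashMap<>();

    @Context
    private UriInfo uriInfo;

    @GET
    public Response authorize(@QueryParam("oauth_token") String token) {
        Long expiry = (token == null) ? null : REQUEST_TOKENS.get(token);
        if (expiry == null) {
            return redirectToError("invalid");
        }
        if (expiry < System.currentTimeMillis()) {
            return redirectToError("expired");
        }
        // Valid request token: continue with the normal authorization form.
        return Response.ok("Show the authorization form here.").build();
    }

    // Dedicated error method. The message is chosen from fixed strings, so
    // nothing taken from the request is echoed back to the end user.
    @GET
    @Path("/error")
    public Response error(@QueryParam("reason") String reason) {
        String message = "expired".equals(reason)
                ? "The request token has expired. Please restart the authorization."
                : "The request token is not valid.";
        return Response.status(Response.Status.BAD_REQUEST).entity(message).build();
    }

    // The redirect target is built from the application's own base URI only,
    // never from a callback supplied with the failed request.
    private Response redirectToError(String reason) {
        URI target = uriInfo.getBaseUriBuilder().path(AuthorizationResource.class)
                .path("error").queryParam("reason", reason).build();
        return Response.seeOther(target).build();
    }
}
```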
