On Apr 25, 1:19 pm, Josh Roesslein <jroessl...@gmail.com> wrote:
> Yes we would need a way to still allow for manually providing these devices
> the callback token.
>
> The user can directly visit an authorization URL since there will be no
> callback.
> Example: http://service.example.com/authorize/testconsumer
>

That's not safe - if the consumer *does* support callbacks, the bad
guy can try to use this flow.  The SP won't know that the consumer
supports callbacks.  Even if there is no callback URL, the authorize
URL must still be signed.

To support consumers that can't receive callbacks in a "signed
authorize URL" world, we would need a separate flow, which is one
argument that was being made in favor of the "signed callback URL"
flow.

(These names are a bit unfortunate - the callback URL gets signed in
either case, just as part of a different request.)

> This URL can be provided by the consumer device.
>
> Once the user visits this URL they are prompted to log in to the provider
> and approve access.
> Next the provider gives the user the callback token which they then manually
> enter into the device.
>
> Does that sound right?
>
> On Sat, Apr 25, 2009 at 3:04 PM, Brian Eaton <bea...@google.com> wrote:
>
> > On Sat, Apr 25, 2009 at 12:26 PM, Josh Roesslein <jroessl...@gmail.com>
> > wrote:
> > > Thanks for posting that Brian.
>
> > > I'm leaning towards signed approval URLs. Seems the best way to go IMO.
> > > Seems to solve the issues and also helps simplify the OAuth flow.
>
> > The major pain point of signed approval URLs is that we would lose
> > support for devices that either
> > a) can't open a web browser (because the signed approval URL is really
> > long)
> >   or
> > b) can't receive a callback URL (because the callback token is really
> > long).
>
> > Signed callback URLs would let us keep request tokens and callback
> > tokens short enough to type or copy and paste.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
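The "signed authorize URL" shape Brian is arguing for, as an added example that is not code from this thread or from any OAuth library: the whole query, including oauth_callback (or "oob" for a device with no callback), is covered by an HMAC under the consumer secret, so the service provider can refuse an unsigned or altered authorize request, and the short callback token is bound to one request token and accepted once. The HMAC over a sorted query string is a simplification, not the OAuth 1.0 signature base string; the consumer key, secret, tokens and table contents are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed registration table at the service provider: consumer key -> shared secret.
CONSUMERS = {"testconsumer": "constructed-consumer-secret"}
# Callback tokens ("verifiers") minted when a user approves a request token.
ISSUED_VERIFIERS = {}


def _canonical(params):
    # Sorted, percent-encoded k=v pairs: every parameter is under the signature,
    # including oauth_callback, so dropping or swapping the callback breaks it.
    return urlencode(sorted(params.items()))


def sign_authorize_url(base, consumer_key, consumer_secret, request_token, callback):
    """Consumer side: authorize URL whose whole query string is HMAC-signed.
    callback is the consumer's callback URL, or "oob" when it cannot receive one."""
    params = {"oauth_consumer_key": consumer_key, "oauth_token": request_token,
              "oauth_callback": callback, "oauth_nonce": secrets.token_hex(8)}
    sig = hmac.new(consumer_secret.encode(), _canonical(params).encode(), hashlib.sha256)
    return f"{base}?{urlencode({**params, 'oauth_signature': sig.hexdigest()})}"


def verify_authorize_url(url):
    """Service provider side: the signed parameters if the signature checks out under the
    registered consumer's secret, else None. An unsigned or altered request (e.g. one
    claiming "no callback" for a consumer that really has one) is refused."""
    params = dict(parse_qsl(urlsplit(url).query))
    presented = params.pop("oauth_signature", "")
    secret = CONSUMERS.get(params.get("oauth_consumer_key", ""))
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), _canonical(params).encode(), hashlib.sha256).hexdigest()
    return params if hmac.compare_digest(expected, presented) else None


def approve(params):
    """After the user has logged in and approved: mint a short callback token bound to this
    request token. Returns (token, callback); callback is None for "oob", in which case the
    user types the token into the device by hand."""
    verifier = secrets.token_hex(4)  # 8 hex characters: short enough to type
    ISSUED_VERIFIERS[params["oauth_token"]] = verifier
    return verifier, (None if params["oauth_callback"] == "oob" else params["oauth_callback"])


def exchange(request_token, verifier):
    """Access-token exchange: succeeds once, and only with the token that was issued."""
    issued = ISSUED_VERIFIERS.pop(request_token, None)
    return issued is not None and hmac.compare_digest(issued, verifier)
```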