On 29/04/2009, at 6:40 AM, Jesse Myers wrote: > Upon receiving the callback, the Consumer should try to get an Access > Token. You should return a 401 to indicate that authorization was > denied.
Yup, cool. So, section 6.2.3 of the spec says: After the User authenticates with the Service Provider and grants permission for Consumer access, the Consumer MUST be notified that the Request Token has been authorized and ready to be exchanged for an Access Token. If the User denies access, the Consumer MAY be notified that the Request Token has been revoked. My reading was that there was some way of representing the revocation (lack of authorization) in the callback. What I'm hearing here, though, is that there isn't ... or at least no standard way. -- cheers, Mike Williams --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
