On Thu, Apr 30, 2009 at 5:23 PM, Luca Mearelli <luca.meare...@gmail.com> wrote:
>
> wouldn't it help with detecting the consumers that are able to follow
> the revised protocol even if unable to get the redirect? i.e. those
> able to close the loop passing the verifier code but requiring the
> user to input it since they cannot receive the callback.

Yes; that's a different thing, and maybe it makes sense to have some kind of "out-of-band" parameter for consumers that are unable to receive callbacks.

However, I'd argue that this should happen not at the request token step, but beforehand, in the out-of-band configuration of consumers. That way if a downloadable consumer key / secret gets stolen (as they will), it's not possible for the attacker to use them on a website and avoid the verification key requirement.

b.
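
The design argued for in the reply above, sketched as an added example that is not part of the original thread or of any OAuth library: the provider records at registration whether a consumer can receive callbacks, and the request-token step cannot override that. The registry, consumer keys, URLs and function names are hypothetical; `oauth_callback`, `oob` and `oauth_verifier` follow OAuth 1.0a naming.

```python
import hmac
import secrets

# Constructed registry: delivery mode is fixed when the consumer is registered,
# not chosen per request. Keys and URLs are made-up sample values.
CONSUMERS = {
    "desktop-app-key": {"delivery": "manual", "callback": None},
    "web-app-key": {"delivery": "callback", "callback": "https://consumer.example/cb"},
}
REQUEST_TOKENS = {}  # request token -> {"consumer": key, "verifier": str}

class Rejected(Exception):
    """Raised when a request contradicts the consumer's registration."""

def issue_request_token(consumer_key, oauth_callback):
    """Request-token step: the registered mode wins over the request."""
    reg = CONSUMERS.get(consumer_key)
    if reg is None:
        raise Rejected("unknown consumer")
    if reg["delivery"] == "manual":
        # A downloadable consumer's key, if stolen and used from a website,
        # still cannot have the verifier delivered by redirect.
        if oauth_callback != "oob":
            raise Rejected("consumer is registered for manual verifier entry")
    elif oauth_callback != reg["callback"]:
        raise Rejected("callback does not match registration")
    token = secrets.token_urlsafe(16)
    REQUEST_TOKENS[token] = {"consumer": consumer_key,
                             "verifier": secrets.token_urlsafe(8)}
    return token

def verifier_delivery(token):
    """After user approval: delivery is decided by registration only."""
    entry = REQUEST_TOKENS[token]
    reg = CONSUMERS[entry["consumer"]]
    if reg["delivery"] == "manual":
        return ("display_to_user", entry["verifier"])
    return ("redirect", reg["callback"] + "?oauth_verifier=" + entry["verifier"])

def exchange_for_access_token(consumer_key, token, oauth_verifier):
    """Access-token step: the verifier is required for every consumer."""
    entry = REQUEST_TOKENS.get(token)
    if entry is None or entry["consumer"] != consumer_key:
        raise Rejected("unknown request token")
    supplied = (oauth_verifier or "").encode()
    if not supplied or not hmac.compare_digest(supplied, entry["verifier"].encode()):
        raise Rejected("missing or wrong verifier")
    del REQUEST_TOKENS[token]  # request tokens are single use
    return secrets.token_urlsafe(16)
```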