> -----Original Message-----
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> Of Blaine Cook
> Sent: Thursday, April 30, 2009 9:11 AM
> To: oauth@googlegroups.com
> Subject: [oauth] Re: OAuth Core 1.0 Rev A, Draft 1
> 
> I agree that we shouldn't break the two legged clients, but disagree
> that the version number is only for signatures.

Well, that was my reason when I put it there...

> The handling of the
> HTTP request flow is very important, and the fact that we need a way
> to signify that it has changed underscores that.

And eventually this will be addressed by discovery because we are going to have 
more than one authorization flow and each will have its own set of endpoints 
and parameters.
 
> No version changes required, no "oob" value for the callback parameter
> required, either.

For the new flow (rev A), there are three options:

1. Verifier + Callback
2. Verifier + Manual entry
3. No verifier + manual 'continue'

I am ok with:

1. oauth_callback with valid URI
2. Empty oauth_callback
3. No oauth_callback

But I need to hear from library developers that this will work and not break on 
some platforms.

Now, as for the old flow:

1. oauth_callback present in 2nd step
2. No oauth_callback anywhere

#2 is the same as #3 above (and if we use the lack of parameter as indication, 
it will be identical in practice). #1 is up for each server to decide how to 
handle (scary warning, error, etc.).

---

So I guess the proposal is:

oauth_callback in 1st step:

- Present with value - include verifier in callback and require it to exchange tokens
- Present with empty value - display verifier to user and require it to exchange tokens
- Not included in request - no verifier requirement if allowed by the server, potential stronger warning

oauth_callback in 2nd step:

- Present and wasn't in 1st step - no verifier requirement if allowed by the server, potential stronger warning (should be deprecated eventually)
- Present in both 1st and 2nd steps - error
- Not included in redirection - no verifier requirement if allowed by the server, potential stronger warning

EHL

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
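The decision table EHL lays out above (oauth_callback in the 1st step, then in the 2nd step), as an added example written for this page; it is not code from the OAuth specification, from any OAuth library, or from the thread's authors. It assumes step 1 is the request-token request and step 2 is the redirection of the user to the authorization endpoint, and it treats a non-empty callback that is not an absolute http(s) URI as an error (the post only says "valid URI"). The names `Policy`, `Decision`, `decide`, `is_valid_callback_uri` and `with_verifier` are this example's own.

```python
"""
Server-side handling of oauth_callback under the Rev A proposal in the post above.

Added example for this page, not code from the OAuth spec or any library.
Step 1 = request-token request, step 2 = redirection to the authorization
endpoint. Rejecting a non-empty callback that is not an absolute http(s) URI
is this example's assumption; the post only says "valid URI".
"""
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Mapping, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class Policy(Enum):
    # 1st step: present with value
    VERIFIER_VIA_CALLBACK = "verifier delivered in the callback; required to exchange tokens"
    # 1st step: present with empty value
    VERIFIER_DISPLAYED = "verifier shown to the user; required to exchange tokens"
    # neither step carries oauth_callback (old flow, option #2)
    LEGACY_NO_CALLBACK = "no verifier if the server allows it; stronger warning"
    # 2nd step only (old flow, option #1); the post says this should be deprecated
    LEGACY_CALLBACK_IN_STEP2 = "callback only in 2nd step; no verifier if allowed; stronger warning"
    # present in both steps
    ERROR_CALLBACK_IN_BOTH = "oauth_callback given in both steps: reject"


@dataclass
class Decision:
    policy: Policy
    verifier_required: bool
    verifier: Optional[str] = None      # set when a verifier is issued
    redirect_to: Optional[str] = None   # set only for VERIFIER_VIA_CALLBACK


def is_valid_callback_uri(value: str) -> bool:
    """Accept only an absolute http or https URI with a host (assumption, see docstring)."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def with_verifier(callback: str, token: str, verifier: str) -> str:
    """Append oauth_token and oauth_verifier to the callback, preserving its existing query."""
    parts = urlsplit(callback)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("oauth_token", token), ("oauth_verifier", verifier)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def decide(step1: Mapping[str, str], step2: Mapping[str, str], token: str,
           verifier: Optional[str] = None) -> Decision:
    """Apply the proposal's rules to the parameters seen in step 1 and step 2.

    `verifier` may be supplied for reproducibility; otherwise a random one is generated.
    """
    in1 = "oauth_callback" in step1
    in2 = "oauth_callback" in step2

    if in1 and in2:
        # "Present in both 1st and 2nd steps - error"
        return Decision(Policy.ERROR_CALLBACK_IN_BOTH, verifier_required=False)

    if in1:
        value = step1["oauth_callback"]
        verifier = verifier or secrets.token_urlsafe(16)
        if value == "":
            # "Present with empty value - display verifier to user"
            return Decision(Policy.VERIFIER_DISPLAYED, True, verifier)
        if not is_valid_callback_uri(value):
            raise ValueError("oauth_callback must be empty or an absolute http(s) URI")
        # "Present with value - include verifier in callback"
        return Decision(Policy.VERIFIER_VIA_CALLBACK, True, verifier,
                        with_verifier(value, token, verifier))

    if in2:
        # "Present and wasn't in 1st step" (old flow #1)
        return Decision(Policy.LEGACY_CALLBACK_IN_STEP2, verifier_required=False)

    # "Not included in request" / "Not included in redirection" (old flow #2)
    return Decision(Policy.LEGACY_NO_CALLBACK, verifier_required=False)


if __name__ == "__main__":
    # Constructed sample: a Rev A consumer that registered a callback with its own state.
    d = decide({"oauth_callback": "https://consumer.example/cb?state=1"}, {}, "tok123")
    print(d.policy.name, d.redirect_to)
```

The two legacy policies carry `verifier_required=False` to make explicit that the server is trusting the older flow; the verifier that the Rev A branches issue is what allows the token exchange to confirm that the consumer completing it is the one whose request-token call started the flow, which is why the post keeps it mandatory whenever oauth_callback is sent in the first step.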