Seriously, I don't understand the reluctance to increment
oauth_version. The new implementation is going to require work from
both SPs and consumers, and neither is really going to know if the other
has upgraded without actually running the flow. At least, by
incrementing the version, both the SP and the Consumer definitively
know the required flow.

The current approach seems more like a M$ product trying to maximise
interoperability, not a security protocol that wants to be taken
seriously.

On May 1, 11:06 am, Breno de Medeiros <br...@google.com> wrote:
> Yes, it does.
>
> If a server receives a request token request from a client that does
> not include a callback_url, the server can respond with a 400 (Bad
> Request) and, if you want to be more helpful, say something in the body
> like: "Incompatible OAuth flow. This server only supports 1.0a, see
> <link to new spec>"
>
> On Thu, Apr 30, 2009 at 5:59 PM, David Parry <devb...@gmail.com> wrote:
> > I don't have a problem with that, it makes perfect sense.
>
> > But the proposed spec doesn't provide any method by which to deprecate
> > the old broken 1.0 functionality and convey that to the consumer that
> > is making the request.
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
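
The rejection described in the quoted reply, as an added example that is not part of the thread or of any OAuth library: a service provider's pre-check on the request token endpoint. It assumes the parameter the thread calls callback_url is the one OAuth Core 1.0 Rev A names `oauth_callback` (with `oob` for out-of-band); the function names and sample hosts are hypothetical, and signature verification is left out.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Placeholder: the thread only says "<link to new spec>".
SPEC_LINK = "<link to new spec>"
PAIR = re.compile(r'\s*([^=\s,]+)="([^"]*)"')


def oauth_params(headers, query="", body=""):
    """Collect oauth_* parameters from the header, form body and query string."""
    params = {}
    auth = headers.get("Authorization", "")
    if auth[:6].lower() == "oauth ":
        for name, value in PAIR.findall(auth[6:]):
            params[unquote(name)] = unquote(value)
    ctype = headers.get("Content-Type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    params.update(parse_qsl(query, keep_blank_values=True))
    # realm and application parameters are not protocol parameters
    return {k: v for k, v in params.items() if k.startswith("oauth_")}


def check_request_token(headers, query="", body=""):
    """Return (status, message) before any signature check is attempted."""
    params = oauth_params(headers, query, body)
    callback = params.get("oauth_callback")
    if callback is None:
        # oauth_version is "1.0" in both flows, so the absent callback is
        # the only thing that marks this as a 1.0-style request.
        return 400, ("Incompatible OAuth flow. This server only supports "
                     "1.0a, see " + SPEC_LINK)
    if callback != "oob":
        url = urlsplit(callback)
        if not url.scheme or not url.netloc:
            return 400, "oauth_callback must be an absolute URL or 'oob'"
    return 200, "callback present; continue with signature verification"


if __name__ == "__main__":
    # Constructed request from a consumer that still speaks plain 1.0.
    old = {"Authorization": 'OAuth realm="http://sp.example/", '
                            'oauth_consumer_key="k", oauth_version="1.0"'}
    print(check_request_token(old))
```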