Since there is no discovery supported in OAuth, even if the version is
incremented, there is no way to know if an SP or consumer has upgraded
without actually running the flow.

If you increment the version number, you will have to make a lot more
code changes in each library to configure behavior, and it will slow down
adoption of the fix and complicate a transitional period where folks
might want to support the older flow with some mitigation
features/stronger warnings until it is safe to break compatibility.

If we want better security, we go with the option that moves us
forward fastest. The easiest way to abandon the 1.0 flow is to get
everybody upgraded to 1.0A. And developers are complaining that
incrementing the version number will slow things down.

On Thu, Apr 30, 2009 at 6:26 PM, David Parry <devb...@gmail.com> wrote:
> Seriously, I don't understand the reluctance to increment
> oauth_version. The new implementation is going to require work from
> both SPs and consumers, and neither is really going to know if the other
> has upgraded without actually running the flow. At least, by
> incrementing the version, both the SP and the Consumer definitively
> know the required flow.
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
