How will calling this 1.1 slow down the upgrade process? All libraries need to change to cover the new spec, so it doesn't matter what we call it. SP's can still support older clients by running 1.0 and 1.1 specs. This allows for older clients to perform upgrades to 1.1 before cutting them off. SP checks the oauth_version string in the request token request and then uses the correct library version to complete the flow.
On Thu, Apr 30, 2009 at 8:55 PM, Breno de Medeiros <br...@google.com> wrote: > > Since there is no discovery supported in OAuth, even if the version is > incremented, there is no way to know if an SP or consumer has upgraded > without actually running the flow. > > If you increment the version number, you will have to make a lot more > code changes in each library to configure behavior, and will slow down > adoption of the fix and complicate a transitional period where folks > might want to support the older flow with some mitigation > features/stronger warnings until it is safe to break compatibility. > > If we want better security, we go with the option that moves us > forward fastest. The easiest way to abandon 1.0 flow is to get > everybody upgraded to 1.0A. And developers are complaining that > incrementing the version number will slow things down. > > On Thu, Apr 30, 2009 at 6:26 PM, David Parry <devb...@gmail.com> wrote: > > seriously, I don't understand the reluctance to increment > > oauth_version. The new implementation is going to require work from > > both SPs and consumers, and neither is really going to know if other > > has upgraded without actually running the flow. At least, by > > incrementing the version, both the SP and the Consumer definitively > > know the required flow. > > > > > > -- > --Breno > > +1 (650) 214-1007 desk > +1 (408) 212-0135 (Grand Central) > MTV-41-3 : 383-A > PST (GMT-8) / PDT(GMT-7) > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
