On Fri, May 1, 2009 at 5:19 PM, Brian Eaton <bea...@google.com> wrote:
>
> On Fri, May 1, 2009 at 1:43 AM, Blaine Cook <rom...@gmail.com> wrote:
>> 1. None. Applications that cannot receive callbacks (or that have
>> static callback endpoints) should be configured as such in an
>> out-of-band flow, when the service provider issues the consumer
>> key and secret.
>
> Just because the callback is preregistered doesn't mean an application
> won't want to update it at runtime.  For example, they might want to
> add session state information or language preference information.

Sorry, I didn't mean to bias the question; I just sought to clarify
what the intent of the option was.

Further to the point, I think in general it should be assumed that
desktop applications should never be allowed to update the callback to
point at an HTTP URI, since that means attackers need only steal
consumer keys from an installed application to perform the attack
we're trying to correct for here.

My preference is actually Breno's proposal, which is somewhat
different than any of the options I presented above, somewhere between
#1 and #2.

b.
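As an added illustration of the policy argued above (example code written for this page, not Breno's proposal and not code from the OAuth list or any provider), here is what a service provider's request-token handler could do with a runtime oauth_callback: desktop consumers get out-of-band only, never an HTTP URI; web consumers may vary only the query string of their preregistered callback (so session state or a language preference can be appended), while any change of scheme, host, port or path is refused. The Consumer record, the "web"/"desktop" kinds and the same-endpoint rule are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

OOB = "oob"  # out-of-band marker, as used for consumers that cannot receive callbacks


@dataclass(frozen=True)
class Consumer:
    """Registration record the provider created when it issued the key/secret (assumed shape)."""
    key: str
    kind: str                  # "web" or "desktop"
    callback: Optional[str]    # preregistered callback URI, or None for desktop consumers


def _endpoint(uri: str) -> Optional[Tuple[str, Optional[str], int, str]]:
    """Reduce a URI to (scheme, host, port, path); None if it is not a usable http(s) endpoint."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return None                              # javascript:, data:, custom schemes, etc.
    if "@" in parts.netloc or parts.fragment:
        return None                              # userinfo tricks and fragments are refused outright
    try:
        port = parts.port                        # raises ValueError on a malformed port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, port, parts.path or "/")


def resolve_callback(consumer: Consumer, requested: Optional[str]) -> Tuple[bool, str, str]:
    """Decide which callback a request-token request may use.

    Returns (accepted, effective_callback, reason). The provider should abort the
    request when accepted is False rather than fall back to anything.
    """
    if consumer.kind == "desktop":
        # A stolen consumer key from an installed app must not be enough to redirect
        # the user's authorization to an attacker-controlled HTTP endpoint.
        if requested in (None, OOB):
            return True, OOB, "desktop consumer: out-of-band only"
        return False, OOB, "desktop consumer may not supply a callback URI"

    if consumer.kind != "web":
        return False, OOB, "unknown consumer type"
    if consumer.callback is None:
        return False, OOB, "web consumer has no registered callback"
    if requested is None:
        return True, consumer.callback, "using registered callback"
    if requested == OOB:
        return True, OOB, "web consumer opted for out-of-band"

    registered = _endpoint(consumer.callback)
    runtime = _endpoint(requested)
    if registered is None or runtime is None:
        return False, OOB, "callback is not a well-formed http(s) endpoint"
    if registered != runtime:
        # Only the query string may differ from what was registered out of band.
        return False, OOB, "callback differs from registered endpoint"
    return True, requested, "registered endpoint with runtime query string"


if __name__ == "__main__":
    # Constructed sample registrations and requests.
    web = Consumer("web-key", "web", "https://app.example/oauth/cb")
    desk = Consumer("desk-key", "desktop", None)
    for c, cb in [
        (web, "https://app.example/oauth/cb?state=abc123&lang=de"),
        (web, "http://app.example/oauth/cb?state=abc123"),
        (web, "https://evil.example/oauth/cb"),
        (desk, None),
        (desk, "http://localhost:8080/cb"),
    ]:
        print(c.kind, cb, "->", resolve_callback(c, cb))
```

The query-string-only rule keeps the preregistered endpoint authoritative while still letting a web consumer carry per-session data, which is the middle ground the thread is circling; a provider that wants to be stricter can drop that branch and fall back to option #1.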
