Ok, thankfully it seems here we have much more consensus. I don't see
anyone disagreeing that we want an 'oob' value for the callback. I
would like to make the following changes to the (proposed) spec so
that consumers (or service providers) aren't required to add an extra
verification code entry step for desktop consumers:

In 6.1.1:

Change:

oauth_callback:
An absolute URL to which the Service Provider will redirect the User
back when the Obtaining User Authorization step is completed. If the
Consumer is unable to receive callbacks, the parameter value MUST be
set to oob (case sensitive).

To:

oauth_callback:
An absolute URL to which the Service Provider will redirect the User
when the Obtaining User Authorization step is completed. This
parameter is optional if the Consumer has provided, through alternate
means, a static callback URL. If the consumer is unable to receive
callbacks, the oauth_callback parameter is optional, but when present
MUST be set to oob (case sensitive).

and 6.2.3:

Change:

If no callback URL was provided (the value of the oauth_callback
parameter was oob, case sensitive), ...

To:

If no callback URL was provided and the value of the oauth_callback
parameter was oob (case sensitive), ...

- end of changes

Any concerns with moving forward with this wording? I believe it's
important to continue supporting desktop applications that do not have
support for entering verification codes, and this approach allows
service providers to signal in strong terms to a user that they should
only approve a request to verify a desktop application if they are
actively trying to do so.

b.
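
The callback handling this proposed wording implies on the Service Provider side, as an added example that is not part of the original message or of the OAuth spec text. The names `resolve_callback`, `Flow` and `static_callback` are hypothetical; treating a missing parameter with no static URL as a "warn the User strongly" flow, and rejecting a per-request URL that differs from a registered static one, are assumptions.

```python
from enum import Enum
from urllib.parse import urlsplit


class Flow(Enum):
    REDIRECT = "redirect"                  # send the User back to a callback URL
    OOB_VERIFIER = "oob_verifier"          # show a verification code to the User
    NO_CALLBACK_WARN = "no_callback_warn"  # no callback, no code: warn strongly


def is_absolute_url(value):
    """True only for URLs with both a scheme and a host."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc)


def resolve_callback(params, static_callback=None):
    """Decide how the authorization step ends for one request.

    params: decoded request parameters (dict).
    static_callback: URL the Consumer provided "through alternate means",
    or None. How it is stored is outside the proposed text (assumption).
    Returns (Flow, url_or_None); raises ValueError on a malformed value.
    """
    callback = params.get("oauth_callback")

    if callback is None:
        # Proposed 6.1.1: the parameter is optional when a static URL exists
        # or when the Consumer cannot receive callbacks at all.
        if static_callback is not None:
            return Flow.REDIRECT, static_callback
        return Flow.NO_CALLBACK_WARN, None

    # Proposed 6.2.3: the verification code path applies only when the
    # parameter is present and exactly "oob" (case sensitive).
    if callback == "oob":
        return Flow.OOB_VERIFIER, None

    # Any other value must be an absolute URL; "OOB" or "Oob" land here
    # and are rejected rather than silently treated as oob.
    if not is_absolute_url(callback):
        raise ValueError("oauth_callback must be an absolute URL or 'oob'")

    # Assumption: a per-request URL may not override a registered static one.
    if static_callback is not None and callback != static_callback:
        raise ValueError("oauth_callback does not match the static callback")
    return Flow.REDIRECT, callback
```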
