On Sat, May 2, 2009 at 12:17 PM, Blaine Cook <rom...@gmail.com> wrote: > Any concerns with moving forward with this wording? I believe it's > important to continue supporting desktop applications that do not have > support for entering verification codes, and this approach allows > service providers to signal in strong terms to a user that they should > only approve a request to verify a desktop application if they are > actively trying to do so.
I do agree with what you propose, but I don't think the new wording vs the old is enough to keep working those desktop apps that "do not have support for entering verification codes" as the revised spec says: "In order to ensure that the User granting access is the same User returning back to the Consumer to complete the process, the Service Provider MUST generate a verification code: a non-guessable value passed to the Consumer via the User and REQUIRED to complete the process." it seems that it doesn't allow closing the loop without the verification code being passed from consumer to service provider. (sorry if this sounds silly, I'm just trying to understand & help and i don't want to start a new infinite discussion ...) Luca --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---