On Sat, May 2, 2009 at 11:44 AM, Luca Mearelli <luca.meare...@gmail.com> wrote:
>
> I do agree with what you propose, but I don't think the new wording vs
> the old is enough to keep working those desktop apps that "do not have
> support for entering verification codes" as the revised spec says:
>
> "In order to ensure that the User granting access is the same User
> returning back to the Consumer to complete the process, the Service
> Provider MUST generate a verification code: a non-guessable value
> passed to the Consumer via the User and REQUIRED to complete the
> process."
>
> It seems that it doesn't allow closing the loop without the
> verification code being passed from consumer to service provider.
>
> (Sorry if this sounds silly, I'm just trying to understand & help and
> I don't want to start a new infinite discussion ...)
Sorry, no, I'd just missed that part of the revised spec. I'm proposing to modify that for desktop / mobile consumers so that it's *not* required. There was some discussion of usability concerns; maybe those are unfounded, but it's worth noting that existing oauth-like flows for desktop applications (e.g., flickr auth) don't require a secondary key confirmation.

Given that a service provider can reject any request that has a referrer set (because desktop / mobile apps *must* be, by definition, referrerless), it's extremely difficult to exploit the desktop flow, since the attacker would need to get the user to follow a link from outside the browser and click "authorize" despite a strongly-worded warning.

b.
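Added example, not code from the thread or from the OAuth spec: a toy service-provider side of the 1.0a verification-code step quoted above, showing why the code is what ties the user who authorized to the consumer completing the exchange (an authorized request token alone is refused). All class and function names are hypothetical, and the referrer-based check proposed in the reply is not modelled.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class RequestToken:
    consumer_key: str
    authorized: bool = False
    verifier: Optional[str] = None  # minted only when the user approves at the SP

class ServiceProvider:
    """Toy OAuth 1.0a service-provider side of the verifier flow (hypothetical)."""
    def __init__(self) -> None:
        self._request_tokens: Dict[str, RequestToken] = {}

    def issue_request_token(self, consumer_key: str) -> str:
        token = secrets.token_urlsafe(16)
        self._request_tokens[token] = RequestToken(consumer_key)
        return token

    def user_authorizes(self, token: str) -> str:
        # The approving user gets a fresh non-guessable code from the SP and
        # carries it back to the consumer (callback parameter or typed in).
        rt = self._request_tokens[token]
        rt.authorized = True
        rt.verifier = secrets.token_urlsafe(12)
        return rt.verifier

    def exchange_for_access_token(self, token: str, verifier: Optional[str]) -> str:
        rt = self._request_tokens.get(token)
        if rt is None or not rt.authorized:
            raise PermissionError("unknown or not-yet-authorized request token")
        # Close the loop: the consumer must present the code the approving user received.
        if verifier is None or not secrets.compare_digest(verifier, rt.verifier):
            raise PermissionError("missing or wrong oauth_verifier")
        del self._request_tokens[token]  # request tokens are single-use
        return secrets.token_urlsafe(16)

def verifier_closes_the_loop() -> bool:
    """Authorized token alone is refused; token plus the user's verifier is accepted."""
    sp = ServiceProvider()
    token = sp.issue_request_token("desktop-app")  # constructed consumer key
    verifier = sp.user_authorizes(token)
    try:
        sp.exchange_for_access_token(token, None)
        return False
    except PermissionError:
        pass
    return isinstance(sp.exchange_for_access_token(token, verifier), str)
```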