Two questions:
1) How would the consumer know what spec is used on the service
provider? i.e. should it throw an exception if the
oauth_callback_confirmed is missing or set to anything but "true" ?
2) Also, in the example where there's no callback ("oob"), will the
service provider still return "true" for the oauth_callback_confirmed
parameter?
Best,
Jack
On May 13, 7:10 am, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> Please review:
>
> http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/3/oauth-core-1_...
>
> Change log:
>
> http://code.google.com/p/oauth/source/diff?spec=svn997&old=994&r=997&;...
>
> The changes are:
>
> 1. Changed draft designation from discussion to implementer.
> 2. Added author, added 'Editor' designation.
> 3. IMPACT: Added required response parameter 'oauth_callback_confirmed=true'
> in 6.1.2.
> 4. Language changes in 6.2.3 (no impact).
> 5. Moved Security Considerations appendix to new section 11.
> 6. Added three new security considerations: 11.14-16.
>
> * Deadline for feedback is May 25th.
> * This is expected to be the last draft.
>
> EHL
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
