On Tue, Jul 14, 2009 at 10:45 AM, Manish Pandit <pandit.man...@gmail.com> wrote:
>
> On Jul 13, 4:48 pm, Richard Wallace <rwall...@thewallacepack.net> wrote:
>> The OAuth spec section 6.2.3 states that "If the User denies access,
>> the Consumer MAY be notified that the Request Token has been revoked."
>> At first I was thinking that I would just flag the request token as
>> being denied on the service provider and then when the consumer tries
>> to swap tokens specify that the oauth_problem is permission_denied.
>> But when the service provider redirects the user to the consumer
>> callback URI, should I still pass the verifier parameter or not
>> bother?
>>
>> Is this the "right way" to let the consumer know the request has been denied?
>>
>> Thanks,
>> Rich
>
> Ideally the verifier should only be generated after the user has
> permitted/authorized the consumer. So, the callback will not carry a
> verifier if the user has declined the authorization.

Ok, cool. That's kind of what I was thinking too. My main concern is the consumer throwing out the callback if there is no verifier present. That will either mean the consumer is treating it as a denial (best case) or that the consumer will assume nothing happened and redisplay a button or something for the user to try and authorize the token again, basically reusing the same, already denied request token.

> Another way is to not callback at all, and have the consumer try to
> convert the token to an access token,

How would you have the consumer try and convert the token to an access token without doing the callback? That's part of the point of the callback, is to let the consumer know that the user has approved/denied the token, isn't it?

> and return HTTP 401 indicating
> that the request token being attempted to be converted is not
> authorized.

I've already got that set up, I'm just not exactly sure how to get to this point as it's not really specified in the spec so different service providers and consumers could, possibly, implement it differently.

Rich

> -cheers,
> Manish
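
The denial flow discussed in this thread, sketched end to end as an added example (not code from either poster or from any OAuth library). The function names, the in-memory stores, the query-free callback URL and the `token_rejected` problem value used for non-denial failures are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

sp_tokens = {}            # provider: request token -> state record (in-memory stand-in)
consumer_pending = set()  # consumer: request tokens still awaiting a callback

def sp_issue(callback):
    token = secrets.token_urlsafe(16)
    sp_tokens[token] = {"state": "pending", "verifier": None, "callback": callback}
    return token

def sp_user_decision(token, approved):
    """Provider: record the user's choice and build the callback redirect."""
    rec, params = sp_tokens[token], {"oauth_token": token}
    if approved:
        rec["state"], rec["verifier"] = "authorized", secrets.token_urlsafe(8)
        params["oauth_verifier"] = rec["verifier"]  # minted only on approval
    else:
        rec["state"] = "denied"  # a denied token never gets a verifier
    return rec["callback"] + "?" + urlencode(params)

def sp_exchange(token, verifier):
    """Provider: access-token request, returns (HTTP status, body)."""
    rec = sp_tokens.get(token)
    if rec and rec["state"] == "denied":
        return 401, "oauth_problem=permission_denied"
    if not (rec and rec["state"] == "authorized" and verifier
            and secrets.compare_digest(verifier, rec["verifier"])):
        return 401, "oauth_problem=token_rejected"
    del sp_tokens[token]  # request tokens are single use
    return 200, urlencode({"oauth_token": secrets.token_urlsafe(16)})

def consumer_start(callback):
    token = sp_issue(callback)
    consumer_pending.add(token)
    return token

def consumer_callback(url):
    """Consumer: a callback without oauth_verifier is a denial, not a no-op."""
    q = parse_qs(urlparse(url).query)
    token = q.get("oauth_token", [None])[0]
    if token not in consumer_pending:
        return "unknown_token"
    consumer_pending.discard(token)  # never send the user back with this token
    verifier = q.get("oauth_verifier", [None])[0]
    if verifier is None:
        return "denied"
    status, _ = sp_exchange(token, verifier)
    return "authorized" if status == 200 else "denied"
```

Discarding the token on every callback is what keeps the consumer from redisplaying an authorize button bound to an already denied request token; a retry has to begin with a fresh request token.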