Hi Florent,

I certainly couldn't see anything in the spec that addresses sending  
OAuth parameters using a combination of GET, POST or Authorization  
headers.

While I certainly think that it's a strange thing to do (seems like  
more work for the Consumer Developer), I think as a Service Provider  
you should support such a situation. I don't have any technical  
rationale for this, I just think it's consistent with Postel's Law  
("be liberal in what you accept and conservative in what you do"). I  
don't see any downside to accepting such behaviour, so why not make it  
easier for those who do it?

Cheers,
Paul

On 2009-10-21, at 4:31 AM, Florent wrote:

> Hi everybody,
>
> I'm in pain figuring out whether the oauth_verifier can be sent back
> from the consumer to the provider in the body of a POST request when
> other parameters are sent in the authorization header.
>
> Here is my situation: I provide an API with OAuth, and one of our
> users complains he cannot get an access token. Looking at the request,
> he sent "usual" signature parameters in the header, and sent the
> oauth_verifier in the body.
>
> * Looking at the spec in the section about sending parameters to the
> provider (http://oauth.net/core/1.0a#consumer_req_param), parameters
> should be sent in the authorization header (preferred) or in the
> request body (second choice) or (... we don't care about this one).
> But it is not forbidden to mix the places!
>
> * Looking at the 9.1.1 part (http://oauth.net/core/1.0a#anchor13)
> about collecting the consumer's parameters, the parameters must be
> collected from various places. So it seems that the consumer can mix
> the places.
>
> So I have 2 questions:
> 1. Can the consumer send oauth parameters from various places (I
> understand oauth parameter as being part of the signature)?
> 2. Is the oauth_verifier parameter, sent to the provider when
> requesting an access token, a parameter part of the signature, or just
> a request parameter?
>
> My understanding is that oauth_verifier is a regular oauth parameter,
> so it's part of the signature, and that all signature should be
> included in a single place.
>
> He tells me that the library he uses (a .net lib) works well with
> Twitter and Google amongst others. But it won't work with the one I
> use (Ruby OAuth + Rails OAuth plugin).
>
> Who's right here?
>
> Thanks,
> Florent.
>
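The Service Provider side of the question in this thread, as an added example that is not part of the original messages or of the Ruby OAuth library: it collects parameters from the Authorization header, the form body and the query string as section 9.1.1 describes, so an oauth_verifier sent in the body is still covered by the HMAC-SHA1 signature. Assumptions: every function name here is hypothetical, the body is application/x-www-form-urlencoded, `url` is passed without its query string, and nonce and timestamp checks are left out.

```ruby
require "openssl"
require "uri"

# Percent-encode with only A-Z a-z 0-9 - . _ ~ left unescaped.
def pct(s)
  s.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format("%%%02X", c.ord) }
end

def unpct(s)
  s.b.gsub(/%(\h\h)/) { $1.hex.chr }
end

# Gather parameters from the header, the body and the query string.
# An oauth_* name seen twice is rejected so two locations cannot disagree.
def collect_params(auth_header, body, query)
  header = auth_header.to_s.sub(/\AOAuth\s+/i, "")
                      .scan(/([^=,\s]+)="([^"]*)"/)
                      .map { |k, v| [unpct(k), unpct(v)] }
                      .reject { |k, _| k == "realm" }
  all = header + URI.decode_www_form(body.to_s) + URI.decode_www_form(query.to_s)
  names = all.map(&:first).select { |k| k.start_with?("oauth_") }
  raise ArgumentError, "duplicate OAuth parameter" if names.uniq.size != names.size
  all
end

# Signature base string: METHOD & encoded URL & encoded sorted parameters.
def signature_base(method, url, params)
  normalized = params.reject { |k, _| k == "oauth_signature" }
                     .map { |k, v| [pct(k), pct(v)] }.sort
                     .map { |k, v| "#{k}=#{v}" }.join("&")
  [method.upcase, pct(url), pct(normalized)].join("&")
end

def hmac_sha1(base, consumer_secret, token_secret)
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  [OpenSSL::HMAC.digest("SHA1", key, base)].pack("m0")
end

# True only if the signature covers every collected parameter, wherever it was sent.
def valid_request?(method, url, auth_header, body, query, consumer_secret, token_secret)
  params = collect_params(auth_header, body, query)
  given = params.assoc("oauth_signature")&.last.to_s
  expected = hmac_sha1(signature_base(method, url, params), consumer_secret, token_secret)
  given.bytesize == expected.bytesize &&
    given.bytes.zip(expected.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
rescue ArgumentError
  false
end
```

A request that carries the verifier in the body and everything else in the header validates as long as the consumer signed all of them together; changing or dropping the body verifier, or repeating it in the header, makes `valid_request?` return false.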