On Thu, Apr 1, 2010 at 11:22 AM, David Recordon <record...@gmail.com> wrote:
> On Thu, Apr 1, 2010 at 9:51 AM, Marius Scurtescu <mscurte...@google.com> wrote:
>> Hi Luke,
>> On Wed, Mar 31, 2010 at 10:28 PM, Luke Shepard <lshep...@facebook.com> wrote:
>>> At first, I had the same first reaction as Marius, but after reading this
>>> thread, I agree with Eran. Two observations:
>>> 1/ OAuth endpoints are usually already namespaced as "oauth" - if there are
>>> other endpoints that accept custom parameters, they can be defined
>>> elsewhere. For example:
>>> https://www.google.com/accounts/OAuthAuthorizeToken
>>> https://api.login.yahoo.com/oauth/v2/request_auth
>>> http://twitter.com/oauth/authorize
>>
>> The fact that the endpoint URL has "oauth" in it will not prevent any
>> collisions.
>
> I think Luke's point is that OAuth deployment today is not being done
> by complex frameworks which add their own parameters, rather the
> majority of deployers make custom endpoints specifically for OAuth.  I
> also don't see how the Authorization Server's web framework would add
> random parameters given that an unknown client is making the HTTP
> request to it.

Not random, they can be query parameters that are part of the
published URL, something like:
http://example.com/auth?mode=oauth

Also, not only the Authorization Server URLs can receive OAuth
parameters in the query, the same applies to the client callback URL,
and that one definitely can have random parameters.


Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
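
Added example, not part of the original message or of any OAuth implementation: a check for the collision discussed above, where protocol parameters are appended to a URL whose published query already uses the same name. The protocol parameter names ("mode", "token") and the callback URL are constructed for illustration; only http://example.com/auth?mode=oauth comes from the thread.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def query_names(url):
    """Names of all query parameters in the URL, in order, duplicates kept."""
    return [name for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def find_collisions(url, protocol_params):
    """Protocol parameter names that the URL's own query already uses."""
    return sorted(set(query_names(url)) & set(protocol_params))


def append_params(url, protocol_params):
    """Append protocol parameters while keeping the published query intact.

    Raises ValueError on a name collision instead of emitting a URL in which
    one name appears twice: the receiver could not tell which value belongs
    to the published URL and which one the protocol added.
    """
    clashes = find_collisions(url, protocol_params)
    if clashes:
        raise ValueError("parameter name collision: " + ", ".join(clashes))
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(protocol_params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def duplicated_names(url):
    """Receiver-side check: names that occur more than once in the query."""
    counts = Counter(query_names(url))
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    endpoint = "http://example.com/auth?mode=oauth"         # URL from the thread
    callback = "https://client.example/cb?mode=popup&id=7"  # constructed
    # Hypothetical protocol parameters, constructed for this example.
    print(append_params(endpoint, {"token": "t1"}))
    for url in (endpoint, callback):
        try:
            append_params(url, {"mode": "flow", "token": "t1"})
        except ValueError as exc:
            print(url, "->", exc)
    # What naive string concatenation would hand to the receiver:
    print(duplicated_names(endpoint + "&mode=flow"))
```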
