On Wed, Apr 21, 2010 at 2:34 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>> -----Original Message-----
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of Marius Scurtescu
>> Sent: Monday, April 19, 2010 8:04 PM
>
>> 3.5.3.1
>>
>> "an HTTP GET request to the authorization endpoint", should probably
>> read: "an HTTP POST request to the token endpoint" (POST and token
>> endpoint).
>
> The token endpoint only returns tokens. The authorization endpoint returns
> codes... This is half of the authorization step.

I see how you made the distinction. I was assuming that the authorization endpoint will be hit only with browsers and the token endpoint only with direct calls from the client. This allows a clean separation of characteristics for the two endpoints and this is the reason we did not combine them. Following this logic, it is better for the above to use POST and the token endpoint.

>> 5.2.2
>>
>> If the entity body includes other parameters, is it worth requiring that
>> oauth_token be the first one?
>
> Why not last?

I was just following the same convention as in OAuth 1.0, see RFC 5849, section 3.5.2.

Thanks,
Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth