Eran,

Great stuff, I like the direction of this fix.

My only worry is calling it 1.0a. I'd rather see this called 1.1. Two
arguments:

1) this is an important change to the protocol.

2) there needs to be a clear message for providers who have upgraded
to the latest protocol. The difference between 1.0 and 1.0a is far too
small in high-level discussions, it might go unnoticed.

I realize this may cause an issue with the oauth_version parameter... but
I don't think this is a change that should go unnoticed, ever.

-Ben

On Apr 30, 12:25 am, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> Please review:
>
> http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/1/oauth-core-1_...
>
> I did my best to keep the changes to a bare minimum and to avoid any 
> editorial changes to make comparison trivial:
>
> http://code.google.com/p/oauth/source/diff?spec=svn992&old=991&r=992&;...
>
> Some notes:
>
> 1. This is not ready for code! Please wait for a second draft before you 
> start making changes to libraries or your implementations. Given the small 
> scope of this change, I think it will be stable in the next draft.
>
> 2. Since this change is small, I would like to give it a short review period 
> before another draft. Please submit all your comments by May 8th.
>
> 3. This draft is missing a few new Security Consideration sections. It will 
> be added in the next draft but might be shared earlier on the list.
>
> 4. This revision does not change the value of the oauth_version parameter 
> which remains '1.0'. The reason for that is that the version has nothing to 
> do with the authorization workflow. It is specific to the signature methods 
> and parameter delivery methods. Telling the difference between the two 
> revisions is very simple: look for an oauth_callback parameter in the Request 
> Token step.
>
> 5. The reason why the oauth_callback parameter is now required with an 'oob' 
> value for manual entry is because the presence of the oauth_callback 
> parameter in the first step is the only indication which flow is being used. 
> Since some platforms have problems with empty parameters (they are dropped or 
> not sent on the wire), I decided to try and define a non-URL value (also made 
> the URL absolute).
>
> NOTE: Do not suggest ANY editorial changes that are not specific to the 
> changed sections. This is NOT an opportunity to improve the specification. If 
> you want to improve the specification in general, please provide feedback to 
> the Editor's Cut version.
>
> Tomorrow, I will post an updated Editor's Cut version as well as an update to 
> the IETF draft to include these changes.
>
> EHL
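
Added example, not part of the original messages or of any OAuth library: a provider-side check that applies notes 4 and 5 of the quoted draft announcement, telling the two revisions apart by the oauth_callback parameter in the Request Token step while oauth_version stays '1.0'. The function names, result labels, sample headers and the reading of "absolute" as "has a scheme and a host" are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample Authorization headers for the Request Token step.
SAMPLES = {
    "legacy": 'OAuth realm="x", oauth_consumer_key="ck", oauth_version="1.0"',
    "oob": 'OAuth oauth_consumer_key="ck", oauth_callback="oob", oauth_version="1.0"',
    "web": 'OAuth oauth_consumer_key="ck", '
           'oauth_callback="http%3A%2F%2Fclient.example%2Fcb", oauth_version="1.0"',
    "relative": 'OAuth oauth_consumer_key="ck", oauth_callback="%2Fcb"',
    "empty": 'OAuth oauth_consumer_key="ck", oauth_callback=""',
}

_PARAM = re.compile(r'([A-Za-z0-9_]+)="([^"]*)"')

def parse_oauth_header(header):
    """Return the percent-decoded name/value pairs of an OAuth Authorization header."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth Authorization header")
    params = {}
    for name, value in _PARAM.findall(rest):
        if name in params:
            raise ValueError("duplicate parameter: " + name)
        params[name] = unquote(value)
    return params

def classify_request_token(header):
    """Classify a Request Token request by its oauth_callback parameter."""
    params = parse_oauth_header(header)
    if "oauth_callback" not in params:
        return "1.0"            # original flow: no callback in the first step
    callback = params["oauth_callback"]
    if callback == "oob":
        return "1.0a-oob"       # revised flow, manual entry
    parts = urlsplit(callback)
    # Assumption of this example: "absolute" means scheme and host are present.
    if parts.scheme and parts.netloc:
        return "1.0a-callback"  # revised flow, absolute callback URL
    return "invalid"            # empty or relative: neither 'oob' nor absolute
```

A request whose empty oauth_callback was dropped on the wire is indistinguishable from the "legacy" sample, which is the ambiguity the 'oob' value is meant to remove.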