[oauth] Re: How should I distinguish between approved or denied authorization?
This was in an early draft. The callback included a parameter that told the client if access was granted or not. It was dropped because most people thought it wasn't needed. Adding another request (access token) isn't that significant for the cases where access was not granted.

EHL

On 4/28/09 1:40 PM, "Jesse Myers" wrote:

Upon receiving the callback, the Consumer should try to get an Access Token. You should return a 401 to indicate that authorization was denied.

On Tue, Apr 28, 2009 at 1:30 PM, Mike Williams wrote:
>
> On 28/04/2009, at 9:45 PM, J. Adam Moore wrote:
>
>>> How does one typically indicate, in the authorization callback,
>>> whether the Request Token was approved or denied?
>
>> I think you send a 401 error...
>
> Er, sorry, perhaps my question was unclear. Authorization of a
> request token is an exchange between User and Service Provider. After
> a rejected authorization, I want to notify the Consumer that it was
> rejected, and the spec suggests that it "MAY" be done by invoking the
> callback. What I want to know is, how should I let the Consumer know
> the token was rejected vs approved?
>
> --
> cheers,
> Mike Williams

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~--~~~~--~~--~--~---
[oauth] Re: How should I distinguish between approved or denied authorization?
On 29/04/2009, at 6:40 AM, Jesse Myers wrote:

> Upon receiving the callback, the Consumer should try to get an Access
> Token. You should return a 401 to indicate that authorization was
> denied.

Yup, cool. So, section 6.2.3 of the spec says:

    After the User authenticates with the Service Provider and grants
    permission for Consumer access, the Consumer MUST be notified that
    the Request Token has been authorized and ready to be exchanged for
    an Access Token. If the User denies access, the Consumer MAY be
    notified that the Request Token has been revoked.

My reading was that there was some way of representing the revocation (lack of authorization) in the callback. What I'm hearing here, though, is that there isn't ... or at least no standard way.

--
cheers,
Mike Williams
[oauth] Re: How should I distinguish between approved or denied authorization?
Upon receiving the callback, the Consumer should try to get an Access Token. You should return a 401 to indicate that authorization was denied.

On Tue, Apr 28, 2009 at 1:30 PM, Mike Williams wrote:
>
> On 28/04/2009, at 9:45 PM, J. Adam Moore wrote:
>
>>> How does one typically indicate, in the authorization callback,
>>> whether the Request Token was approved or denied?
>
>> I think you send a 401 error...
>
> Er, sorry, perhaps my question was unclear. Authorization of a
> request token is an exchange between User and Service Provider. After
> a rejected authorization, I want to notify the Consumer that it was
> rejected, and the spec suggests that it "MAY" be done by invoking the
> callback. What I want to know is, how should I let the Consumer know
> the token was rejected vs approved?
>
> --
> cheers,
> Mike Williams
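The exchange described in the message above, as an added example that is not part of the original thread: the Consumer treats the callback only as a trigger, tries the Access Token exchange, and reads a 401 as "denied". The names `StubProvider` and `handle_callback`, the `/access_token` path, the token values and the `approved` parameter are hypothetical, and OAuth request signing is omitted to keep the flow visible.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, parse_qsl, urlencode

class StubProvider(BaseHTTPRequestHandler):
    """Hypothetical Service Provider access-token endpoint; OAuth signing omitted."""
    tokens = {}  # request token -> state, filled with constructed values in demo()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        token = parse_qs(self.rfile.read(length).decode()).get("oauth_token", [""])[0]
        if self.tokens.get(token) == "authorized":
            self.tokens[token] = "used"  # a request token is exchanged only once
            status, body = 200, b"oauth_token=at-1&oauth_token_secret=constructed"
        else:
            status, body = 401, b"request token not authorized"  # denied/unknown/used
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def handle_callback(query, host, port):
    """Consumer: trust only the provider's answer, not the callback's parameters."""
    token = parse_qs(query).get("oauth_token", [""])[0]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", "/access_token", urlencode({"oauth_token": token}),
                 {"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    if resp.status == 200:
        return "approved", dict(parse_qsl(body))
    return ("denied" if resp.status == 401 else "error"), None

def demo():
    StubProvider.tokens = {"rt-yes": "authorized", "rt-no": "revoked"}
    srv = HTTPServer(("127.0.0.1", 0), StubProvider)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    callbacks = ["oauth_token=rt-yes",               # user approved
                 "oauth_token=rt-no&approved=true",  # user denied, hint is ignored
                 "oauth_token=rt-yes"]               # same callback delivered twice
    results = [handle_callback(q, "127.0.0.1", srv.server_port)[0] for q in callbacks]
    srv.shutdown()
    srv.server_close()
    return results
```

Calling `demo()` runs the three constructed callbacks against the local stub and returns the outcome the Consumer derives for each.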
[oauth] Re: How should I distinguish between approved or denied authorization?
On 28/04/2009, at 9:45 PM, J. Adam Moore wrote:

>> How does one typically indicate, in the authorization callback,
>> whether the Request Token was approved or denied?
>
> I think you send a 401 error...

Er, sorry, perhaps my question was unclear. Authorization of a request token is an exchange between User and Service Provider. After a rejected authorization, I want to notify the Consumer that it was rejected, and the spec suggests that it "MAY" be done by invoking the callback. What I want to know is, how should I let the Consumer know the token was rejected vs approved?

--
cheers,
Mike Williams
[oauth] Re: How should I distinguish between approved or denied authorization?
I think you send a 401 error...

http://lmgtfy.com/?q=Error+401

On Apr 27, 11:42 pm, mdub wrote:
> Section 6.2.3 of the spec says:
>
> If the User denies access, the Consumer MAY be notified that the
> Request Token
> has been revoked.
>
> How does one typically indicate, in the authorization callback,
> whether the Request Token was approved or denied?