On Thu, May 7, 2009 at 12:45 PM, Owen Evans owenmcev...@gmail.com wrote:
2009/5/8 Dirk Balfanz dirk.balf...@gmail.com
You didn't like my "the verification code matches the request token"
language?
Dirk.
IMHO that implies that the verification code value has some intrinsic link
code). In that case, the server doesn't have two strings to compare for
equality in Step 6.3.2. Instead, the SP would simply check that the
verification code is a valid signature on the request token.
Dirk.
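
Added example, not part of the original thread: a minimal sketch of the stateless check described above, where the verification code is an HMAC over the request token and Step 6.3.2 validates it instead of comparing two stored strings. The key ids, key values and function names are assumptions of this example, not anything OAuth Core 1.0a defines.

```python
import base64
import hashlib
import hmac

# Constructed sample keys. A real Service Provider would load these from a
# secret store; keeping the previous key lets codes issued just before a
# rotation still validate. The "key id." prefix is this example's convention.
KEYS = {"k2": b"constructed-current-key", "k1": b"constructed-previous-key"}
CURRENT_KEY_ID = "k2"


def mac_for(key: bytes, request_token: str) -> str:
    """HMAC-SHA256 over the request token, base64url without padding."""
    digest = hmac.new(key, request_token.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_verifier(request_token: str) -> str:
    """Derive the verification code from the request token; nothing is stored."""
    return f"{CURRENT_KEY_ID}.{mac_for(KEYS[CURRENT_KEY_ID], request_token)}"


def check_verifier(request_token: str, verifier: str) -> bool:
    """Step 6.3.2 as a validity check on the code, not a lookup of a stored one."""
    key_id, sep, mac = verifier.partition(".")
    key = KEYS.get(key_id)
    if not sep or key is None:
        return False  # malformed code, or signed under a retired key
    expected = mac_for(key, request_token)
    # Constant-time comparison: do not leak how much of a guessed code matched.
    return hmac.compare_digest(expected.encode("ascii"),
                               mac.encode("ascii", "replace"))


if __name__ == "__main__":
    token = "constructed-request-token"
    code = issue_verifier(token)
    print(code, check_verifier(token, code), check_verifier("other-token", code))
```

The MAC only replaces storing the code; whether the request token was actually authorized by the User is state the Service Provider still has to track.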
What other flow do you have in mind?
EHL
On 5/5/09 2:04 PM, Dirk Balfanz
On Tue, May 5, 2009 at 11:32 PM, Dirk Balfanz dirk.balf...@gmail.com wrote:
On Tue, May 5, 2009 at 2:27 PM, Eran Hammer-Lahav e...@hueniverse.com wrote:
I’m not following. The server shows the user a string which the client
has to provide back to the server. The string the server gives
verify that the verification code is valid’ but I think the current language
is easier for developers to understand, and doesn’t prevent more
sophisticated implementations.
EHL
*From:* oauth@googlegroups.com [mailto:oa...@googlegroups.com] *On Behalf Of* Dirk Balfanz
*Sent:* Tuesday, May 05, 2009 11:48 PM
*To:* oauth@googlegroups.com
*Subject:* [oauth] Re: OAuth Core 1.0 Rev A, Draft 2
I agree it's not a huge deal, and people will probably realize that they
don't have to store
On Tue, May 5, 2009 at 1:20 PM, Eran Hammer-Lahav e...@hueniverse.com wrote:
Please review:
http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/2/oauth-core-1_0a.html
Change log:
On Thu, Apr 30, 2009 at 5:28 PM, Josh Roesslein jroessl...@gmail.com wrote:
Dirk,
I see now what you are getting at. Yes I guess the SP could use a signature
to generate the verifier, so it would not need to persist it.
As long as the signature secret changes every so often, I don't think an
Section 6.3.2: The verification code received from the Consumer is
identical to the verification code provided to the User via the redirection
or manually.
I'm not sure this is the right way to describe what the SP needs to do. When
they redirect the User back to the Consumer in step 6.2.3, they
Is this Sign-in-with-Twitter supposed to be to sign into other sites using
your twitter account, as in sign into myhealthrecord.com using your twitter
account?
I don't think that's secure - OAuth is not an authentication protocol.
Dirk.
On Thu, Apr 16, 2009 at 5:15 PM, Ben Clemens