Option 1. The others are a waste of time and introduce unnecessary
incompatibilities. If we had more leeway to make changes now, I would vote
for removing the oauth_version parameter because it is underspecified and
generally sucks, but nobody agreed with me about this in 2007 either.
On Fri, May
Since you didn't take our suggestion to call the callback token the
Breno Token we could at least go for oauth_version=brenodemedeiros.
On Fri, May 1, 2009 at 2:41 PM, Eran Hammer-Lahav e...@hueniverse.com wrote:
How about we change the current version to 0.9 because it is clearly not a
disagreeing.
— Matt
On May 1, 2009, at 1:44 PM, Jonathan Sergent wrote:
Let me additionally say that this discussion is dangerous and voting
is no way to design a protocol. What are the arguments in favor of
changing the version number, and what are the arguments against
changing it? I haven't
I can't help but think that if our libraries were good enough, people
wouldn't run into these problems in the first place. Maybe I'm too
optimistic, but I would hope that most people using OAuth never have to
implement the parameter encoding themselves.
There were really specific reasons we did
On Sat, Apr 25, 2009 at 10:48 PM, Eran Hammer-Lahav e...@hueniverse.com wrote:
Let's see if we can take a quick break from the discussion and get a sense of
where we are. Please answer the questions to follow.
---
We have identified 2 solutions listed here:
On Apr 25, 1:19 pm, Josh Roesslein jroessl...@gmail.com wrote:
Yes we would need a way to still allow for manually providing these device
the callback token.
The user can directly visit an authorization URL since there will be no
callback.
On Sat, Apr 25, 2009 at 1:38 PM, Josh Roesslein jroessl...@gmail.com wrote:
As for the timing to apply this change, I think it would be worth taking
the extra time to get it right. Most providers, I think, have already found
quick fixes to block this session fixation attack.
Really? The
the token for the user to
manually enter.
On Sat, Apr 25, 2009 at 3:39 PM, Jonathan Sergent serg...@google.com wrote:
On Sat, Apr 25, 2009 at 1:38 PM, Josh Roesslein jroessl...@gmail.com wrote:
As for the timing to apply this change, I think it would be worth taking
the extra time to get
On Thu, Apr 23, 2009 at 6:43 PM, Dossy Shiobara do...@panoptic.com wrote:
On 4/23/09 9:26 PM, Brian Eaton wrote:
That's not a good user experience, nor is it necessary to fix the
security problems in the protocol.
Let me say it another way: yanking support for OAuth in response to
security