Re: [oauth] OAuth 2 in new projects

2010-06-09 Thread Rob Richards
Shak wrote: Hi all, I'm about to start working on incorporating OAuth in a project I'm working on. I'll be a resource server, and will therefore have to issue and manage tokens etc. My question is regarding OAuth 2. Should I look to support the new spec? I realise that it's a draft and in flux

[oauth] Re: Version Preference

2009-05-01 Thread Rob Richards
Blaine Cook wrote: We need to build some consensus around the version preference. As I see it, there are several options: 1. 1.0 Rev A with no version string change (i.e., oauth_version=1.0) 2. 1.0a (with oauth_version=1.0a) 3. 1.1 option 3

[oauth] Re: OAuth Core 1.0 Rev A, Draft 1

2009-04-30 Thread Rob Richards
Dossy Shiobara wrote: On 4/30/09 7:19 AM, Blaine Cook wrote: Looks good, with the exception of the 'oob' value – why not just say that an empty OR absent callback parameter fulfills the same role as 'oob'? There are also plenty of service providers that require static configuration of

[oauth] Re: a simple view of the OAuth security issue

2009-04-27 Thread Rob Richards
Peter Keane wrote: On Mon, Apr 27, 2009 at 10:50 AM, Eve Maler eve.ma...@sun.com wrote: Peter, thanks for putting the PIN idea in context for me. This is perhaps a dumb question, but since testing equivalence of the *user* (a bag of protoplasm) is sort of a last-mile problem anyway, and

[oauth] Re: OAuth Security Advisory

2009-04-25 Thread Rob Richards
pkeane wrote: This seems like it addresses the hole adequately as long as an attacker that cannot manipulate the callback url cannot succeed (I think that's true...). Further thought on this whole thing makes me think that a one-time only token exchange plus a non-modifiable callback