Re: [OAUTH-WG] defining new response types

I like splitting on space like scopes. But I'm fine with registering all possible compositions that make sense, if you prefer. As I posted to the group about a month ago, we are planning on supporting response_type=none response_type=code response_type=token response_type=signed_request token

[OAUTH-WG] Proposed OAuth Extensions

Hi fellow OAuthers, As we discussed at the meeting there are a few extensions that we'd like to implement. To do this, we'd like the response_type to be extensible. We are proposing two new values. none and signed_request token (and token signed_request for symmetry). Or if you want to turn

Re: [OAUTH-WG] Request sent to http: instead of https:`

At Facebook we issue an HTTP 400 with invalid_request as the error. http://graph.facebook.com/me?access_token=blahclient_id=150629244948164 (the client_id is to enable draft-10 error messaging). Without client_id you get a different error message (JSON as well, but not OAuth2 compliant).

Re: [OAUTH-WG] Facebook updates to Draft 10

for this field. Best, On 9 sept. 2010, at 20:43, Paul Tarjan wrote: Hi Fellow OAuthers, We just updated our Graph API's OAuth2 implementation to be draft 10 complaint. Yay! Well, I should say we are pretty close to draft 10. Some places we differ: * For now errors

Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP

user. }); Aaron On Sun, Aug 15, 2010 at 10:16 PM, Luke Shepard lshep...@facebook.com wrote: +1 On Aug 13, 2010, at 2:31 PM, Paul Tarjan wrote: Hi Fellow OAuthers, If a resource wants to return data via the JSONP mechanism then it MUST return an HTTP 200 error code, or else

[OAUTH-WG] Returning HTTP 200 on Error for JSONP

Hi Fellow OAuthers, If a resource wants to return data via the JSONP mechanism then it MUST return an HTTP 200 error code, or else the browser won't actually call the callback. The OAuth spec as it stands requires HTTP 400 or 401 or 403 on errors which won't ever tell the client that an error

Re: [OAUTH-WG] proposal for signatures

Hi OAuthers, First of all, I think I should introduce myself. I work at Facebook on the Platform team (anything not facebook.comhttp://facebook.com). Before this I was at Yahoo! doing SearchMonkey (semantic web stuff). I've written a few OAuth applications and libraries, both at Yahoo and in

Re: [OAUTH-WG] Understanding the reasoning for Base64

We don't think base64url will work, because the most common error we'll see is that developers forget the url part and just do plain base64, and that's not sufficient because the stock set includes +. I think forgetting to url-decode is more likely than doing the wrong base64 encoding.