Hey Tom,

Thanks again for your efforts! I'm now using 1.0a (setting a callback when requesting a token) and it works fine again.

My concern now is to avoid authorization multiplication, i.e. to prevent users from being asked several times for a permission they already gave. Shouldn't there be a mechanism that verifies that the application has already been authorized?

In this application [1] described here [2], once the user has authorized the application, he can log in again and again without being asked for permission unless he goes to the profile and revokes the authorization intentionally.

[1] http://facebook-auth.appspot.com/
[2] http://facebook-python-library.docs-library.appspot.com/facebook-python/examples/oauth.html

Here's the workflow (succession of pages with their respective status codes or user actions):

1/ appspot home -> user clicks on login link -> appspot login (302) -> FB authorize (302) -> FB permissions.request (200) -> user clicks on authorize button -> FB permissions.request (302) -> appspot home (200)
2/ appspot home -> user clicks on logout link -> cookies are reset
3/ appspot home -> user clicks on login -> appspot login (302) -> FB authorize (302) -> FB permissions.request (302) -> appspot home (200)

Is it possible to have the same behavior with 1.0a? Do I have to do something specific on my side? Or is it something that needs to be handled server-side?

Cheers,
Pierre

On Sat, Nov 19, 2011 at 6:48 PM, Tom Hughes <[email protected]> wrote:
> On 19/11/11 12:00, Pierre GIRAUD wrote:
>
>> As already said, I don't claim any specific version. Which is somewhat
>> wrong. Or maybe the library I use does it for me.
>
> That is actually valid as 1.0 is the default, and 1.0a doesn't actually use
> a separate version - it is triggered by the presence of the callback
> parameter when creating a request token.
>
> You were in fact correct that I had broken 1.0a last night when I fixed the
> 1.0 callback handling... That is now fixed, and we have 240 new assertions
> in our test suite to try and make sure we don't break OAuth again in the
> future.
>
> For the record you should use 1.0a if possible as 1.0 has security issues
> and we should really stop allowing it - we just need to make Potlatch and
> JOSM use 1.0a first...
>
> Tom
>
> --
> Tom Hughes ([email protected])
> http://compton.nu/

--
Pierre GIRAUD
http://pierrelebricoleur.blogspot.com
http://www.flickr.com/photos/pierregiraud

_______________________________________________
dev mailing list
[email protected]
http://lists.openstreetmap.org/listinfo/dev
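Added illustration for the thread above (not code from the OpenStreetMap server, the facebook-python library, or either poster): an offline Python model of what Tom describes. OAuth 1.0a is not selected by oauth_version, which stays "1.0"; it is selected by sending oauth_callback when asking for the request token, after which the provider answers oauth_callback_confirmed=true and refuses to exchange the request token without the oauth_verifier it handed out at authorization time. Those two additions are the fix for the session fixation attack that the 1.0 flow is open to, which is the security issue Tom refers to. The model also shows, on the provider side, the only place where Pierre's "don't ask twice" behaviour can live: a per-(user, consumer) grant record consulted by the authorize page. The endpoint URLs, callback URL, consumer key and secret, and the Provider/run_flow names are assumed placeholders.

```python
"""Offline OAuth 1.0 / 1.0a provider and client model (RFC 5849); added for this thread, not OSM or library code."""
import base64, hashlib, hmac, secrets
from urllib.parse import quote

# Assumed placeholders; no real endpoint or credential.
REQUEST_TOKEN_URL = "https://api.example.org/oauth/request_token"
ACCESS_TOKEN_URL = "https://api.example.org/oauth/access_token"
CALLBACK_URL = "http://consumer.example/oauth_callback"
CONSUMERS = {"ck": "cs"}   # consumer_key -> consumer_secret

def pct(s):
    """RFC 5849 3.6 encoding: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(s), safe="-._~")

def signature_base_string(method, base_url, params):
    """RFC 5849 3.4.1. base_url carries no query; all query/body/oauth_* params
    are passed in params, sorted after encoding; oauth_signature is excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key = encoded consumer secret '&' encoded token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, signature_base_string(method, base_url, params).encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, params, consumer_secret, token_secret=""):
    # Client side. oauth_version stays "1.0" for 1.0a too; the only 1.0a marker is oauth_callback.
    p = dict(params, oauth_signature_method="HMAC-SHA1", oauth_version="1.0")
    p["oauth_signature"] = hmac_sha1_signature(method, url, p, consumer_secret, token_secret)
    return p

class OAuthError(Exception):
    pass

class Provider:
    """Three-legged provider: a request token issued with oauth_callback is 1.0a and needs its oauth_verifier."""
    def __init__(self, consumers):
        self.consumers = consumers
        self.tokens = {}       # request token -> state
        self.grants = set()    # (user, consumer_key) pairs the user already approved

    def _check_signature(self, method, url, params, token_secret=""):
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        if secret is None:
            raise OAuthError("unknown consumer")
        expected = hmac_sha1_signature(method, url, params, secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise OAuthError("bad signature")

    def request_token(self, method, url, params):
        self._check_signature(method, url, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = {"secret": secret, "consumer": params["oauth_consumer_key"],
                              "callback": params.get("oauth_callback"),   # None => plain 1.0
                              "verifier": None, "user": None}
        resp = {"oauth_token": token, "oauth_token_secret": secret}
        if self.tokens[token]["callback"] is not None:
            resp["oauth_callback_confirmed"] = "true"    # 1.0a acknowledgement
        return resp

    def authorize(self, token, user, ask_user):
        """Authorize page. Skipping the prompt for an already approved (user, consumer) pair is provider policy only."""
        state = self.tokens[token]
        if (user, state["consumer"]) not in self.grants:
            if not ask_user():
                raise OAuthError("user declined")
            self.grants.add((user, state["consumer"]))
        state["user"] = user
        if state["callback"] is not None:
            state["verifier"] = secrets.token_hex(8)    # sent back to the consumer on the callback
        return state["verifier"]                         # None for a 1.0 token

    def access_token(self, method, url, params):
        state = self.tokens.get(params.get("oauth_token"))
        if state is None or state["user"] is None:
            raise OAuthError("request token unknown or not authorized")
        self._check_signature(method, url, params, state["secret"])
        if state["callback"] is not None:                # 1.0a: verifier is mandatory
            v = params.get("oauth_verifier", "")
            if not v or not hmac.compare_digest(v, state["verifier"]):
                raise OAuthError("oauth_verifier missing or wrong")
        del self.tokens[params["oauth_token"]]           # request tokens are single-use
        return {"oauth_token": secrets.token_hex(8),
                "oauth_token_secret": secrets.token_hex(16), "user": state["user"]}

def run_flow(provider=None, user="pierre", with_callback=True, send_verifier=True, ask_user=lambda: True):
    """One login end to end; returns the access-token response or raises OAuthError."""
    provider = provider or Provider(CONSUMERS)
    params = {"oauth_consumer_key": "ck", "oauth_nonce": secrets.token_hex(4), "oauth_timestamp": "1321720080"}
    if with_callback:
        params["oauth_callback"] = CALLBACK_URL
    rt = provider.request_token("POST", REQUEST_TOKEN_URL, sign_request("POST", REQUEST_TOKEN_URL, params, "cs"))
    verifier = provider.authorize(rt["oauth_token"], user, ask_user)   # user at the authorize page
    params = {"oauth_consumer_key": "ck", "oauth_nonce": secrets.token_hex(4),
              "oauth_timestamp": "1321720081", "oauth_token": rt["oauth_token"]}
    if send_verifier and verifier is not None:
        params["oauth_verifier"] = verifier
    signed = sign_request("POST", ACCESS_TOKEN_URL, params, "cs", rt["oauth_token_secret"])
    return provider.access_token("POST", ACCESS_TOKEN_URL, signed)
```

Calling run_flow(p) twice on the same Provider with a counting ask_user shows the user prompted once and then waved through; run_flow(send_verifier=False) shows the 1.0a exchange rejected, while run_flow(with_callback=False) is the plain 1.0 flow that never sees a verifier. Nothing in the 1.0a messages carries "already authorized", so the consumer side cannot force the second behaviour; it is entirely the provider's authorize page that decides whether to re-prompt.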

