My quick list:

* terminology - 'request a request token'
* Handling of "required" empty parameters.
* plaintext secret w/ empty access token (<something>&<blank>, not <something>)
* realm handling
* clearer explanation of creating the signature base string (in my experience, this is the source of most problems)
* explicit definition of 2-legged auth
* sections 6 and 7 being approximately the same thing
seth

On Tue, Feb 24, 2009 at 3:25 PM, Eran Hammer-Lahav <[email protected]> wrote:
>
> I am getting ready to make a complete rewrite of the current OAuth spec.
> The idea is to make it much easier to read without changing anything that
> will impact implementation. This will be useful both for clarity but also as
> a better starting point for the upcoming OAuth effort at the IETF.
>
> What I would like to ask people who have read the spec or implemented it to
> share as many problems, errors, failures, mistakes, misunderstandings,
> wasted time, etc. caused by the spec not being clear enough.
>
> You can simply describe the error (did not sort parameters, did not %-encode,
> %-encoded twice, etc.) or the section of the spec you had to read 325 times
> before it made any sense.
>
> Please reply to this thread so we have a public inventory of OAuth FAILs.
>
> EHL

You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en
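Two of the items above (the signature base string and the `<secret>&<blank>` key with an empty token secret), together with the failures Eran lists (unsorted parameters, missing or doubled %-encoding), are all visible in one small reference construction of an OAuth 1.0 signature. The following is an added example, not code from the thread or from any OAuth library; the sample request, secrets and expected values are taken from the OAuth Core 1.0 specification's Appendix A example, and `pct`, `base_url`, `normalize_params` and the other names are this example's own.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # OAuth encoding = RFC 3986 unreserved set only: '/', '+', ' ' etc. are all
    # escaped; quote() must therefore NOT keep its default safe="/".
    return quote(str(s), safe="-._~")

def base_url(url):
    # scheme://host[:port]/path, scheme and host lowercased, default port and
    # query string dropped.
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname.lower()
    if u.port and not (scheme, u.port) in (("http", 80), ("https", 443)):
        host = f"{host}:{u.port}"
    return f"{scheme}://{host}{u.path or '/'}"

def normalize_params(url, oauth_params, body_params=None):
    # Query + oauth_* + form params, minus oauth_signature; encode each key and
    # value ONCE, then sort on the encoded (key, value) pair before joining.
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += list(oauth_params.items()) + list((body_params or {}).items())
    enc = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in enc)

def signature_base_string(method, url, oauth_params, body_params=None):
    # Each of the three parts is encoded a second time, so '=' and '&' inside
    # the parameter string become %3D and %26. That second pass is required;
    # encoding the already-joined base string again is the "%-encoded twice" bug.
    return "&".join([method.upper(), pct(base_url(url)),
                     pct(normalize_params(url, oauth_params, body_params))])

def signing_key(consumer_secret, token_secret=""):
    # The '&' is always present: with no token the key is "<secret>&", not "<secret>".
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def sign_plaintext(consumer_secret, token_secret=""):
    return signing_key(consumer_secret, token_secret)

def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    key = signing_key(consumer_secret, token_secret).encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

# Request from OAuth Core 1.0 Appendix A: consumer dpf43f3p2l4k3l03 / kd94hf93k423kf44,
# access token nnch734d00sl2jdk / pfkkdhi9sl3r4s00.
METHOD, URL = "GET", "http://photos.example.net/photos?file=vacation.jpg&size=original"
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
OAUTH_PARAMS = {"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
                "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
                "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0"}
```

Running `sign_hmac_sha1(signature_base_string(METHOD, URL, OAUTH_PARAMS), CONSUMER_SECRET, TOKEN_SECRET)` reproduces the appendix's `oauth_signature`; a mismatch at a provider is best diagnosed by comparing base strings first, since every sorting or encoding mistake shows up there before it reaches the HMAC.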
