I don't see a huge problem with the 'request token' phrasing (especially since it is clearly described in the spec) and 'intermediate token' probably wouldn't make things any more clear as to the function of the token. If it was changed, though, you could do something similar to Kerberos and call it a 'token granting token'...kind of like the Kerberos 'ticket granting ticket' (TGT).
Just my two cents.

On Feb 25, 7:51 pm, anders conbere <[email protected]> wrote:
> On Wed, Feb 25, 2009 at 1:58 PM, Seth Fitzsimmons <[email protected]> wrote:
>
> > My quick list:
>
> > * terminology - 'request a request token'
>
> I would prefer something like "intermediate token" (what does request
> token mean?!)
>
> > * Handling of "required" empty parameters.
> > * plaintext secret w/ empty access token (<something>&<blank>, not
> > <something>)
>
> This is a little weird, but ends up being really easy to program for.
> I could go either way.
>
> > * realm handling
> > * clearer explanation of creating the signature base string (in my
> > experience, this is the source of most problems)
> > * explicit definition of 2-legged auth
> > * sections 6 and 7 being approximately the same thing
>
> Having example input data and outputs of the resultant signature +
> various intermediate data items (sbs, etc.) would be extremely
> helpful.
>
> ~ Anders
>
> > seth
>
> > On Tue, Feb 24, 2009 at 3:25 PM, Eran Hammer-Lahav <[email protected]>
> > wrote:
>
> >> I am getting ready to making a complete rewrite of the current OAuth spec.
> >> The idea is to make it much easier to read without changing anything that
> >> will impact implementation. This will be useful both for clarity but also
> >> as a better starting point for the upcoming OAuth effort at the IETF.
>
> >> What I would like to ask people who have read the spec or implemented it to
> >> share as many problems, errors, failures, mistakes, misunderstandings,
> >> wasted time, etc. caused by the spec not being clear enough.
>
> >> You can simply describe the error (did not sort parameter, did not
> >> %-encode, %-encoded twice, etc.) or the section of the spec you had to
> >> read 325 times before it made any sense.
>
> >> Please reply to this thread so we have a public inventory of OAuth FAILs.
>
> >> EHL
