Jin Liu wrote:
> Hi all,
>
> While reading the OAuth Core 1.0 spec, one question arises about
> section 6.2.1 'Consumer Directs the User to the Service Provider'. The
> description about the oauth_token parameter says the Request Token is
> optional and when the accept requests to the User Authorization URL
> does not contain the token, service provider will prompt the User to
> enter it manually.
>
> My question is what is the reason for the Request Token to be
> optional? If the user has to enter it manually, where does the user
> get this token?
>
The use case here is when the consumer is not able to display a web browser. The solution imagined here is that the consumer will tell the user the request token and ask him to go to a web-capable device and go to the URL in question. I don't think I'm alone in being skeptical that this would work in practice without some special support on the SP for issuing short request tokens and a short approve URL, but that's how it stands. I suspect that some implementations ignore the requirement you mention and will fail if the request token is not provided in the URL.
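As an added illustration (not part of the original thread and not taken from any OAuth library), here is one way a Service Provider's User Authorization URL handler could honor the optional oauth_token of section 6.2.1 instead of failing when it is absent. The token store, the sp.example URL, the short lowercase-alphanumeric token format and the function names are all assumptions made for the example.

```python
import time
from urllib.parse import urlsplit, parse_qs

# Constructed in-memory store of issued, not yet authorized Request Tokens:
# token -> expiry (epoch seconds). Assumed short, lowercase alphanumeric.
PENDING = {"hx7k2q": time.time() + 600}


def normalize_typed_token(raw):
    """Tolerate what users do when retyping a token: spaces, dashes, case."""
    return "".join(ch for ch in raw if ch.isalnum()).lower()


def authorization_step(url, typed_token=None, now=None):
    """Decide what the User Authorization URL handler should do next.

    Returns (action, token) where action is:
      'prompt'  - no token supplied anywhere: ask the User to enter it
      'confirm' - token is pending: show the approval page for it
      'reject'  - token is unknown, expired, or the request is ambiguous
    """
    now = time.time() if now is None else now
    values = parse_qs(urlsplit(url).query).get("oauth_token", [])
    if len(values) > 1:
        return ("reject", None)  # duplicated parameter: do not guess
    if values:
        token = values[0]  # token came in the URL: use it exactly as sent
    elif typed_token is not None:
        token = normalize_typed_token(typed_token)  # manual entry path
    else:
        return ("prompt", None)  # optional parameter absent: do not fail
    expiry = PENDING.get(token)
    if expiry is None or expiry <= now:
        return ("reject", None)
    # Both paths end at the same confirmation page, so a typed token still
    # requires the User's explicit approval before it is authorized.
    return ("confirm", token)


if __name__ == "__main__":
    base = "https://sp.example/oauth/authorize"
    print(authorization_step(base))
    print(authorization_step(base, typed_token=" HX7-K2Q "))
    print(authorization_step(base + "?oauth_token=hx7k2q"))
```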
