Mike Malone wrote:
> You can kind of delegate individual requests with OAuth, depending on 
> what the use case is, by generating a signed URI and handing it off to a 
> fourth party to use.
> 
> In the TweetDeck/TwitPic case, TweetDeck could generate a signed URI for 
> POSTing the desired tweet, then pass the URI off to TwitPic to actually 
> make the request.
> 
> Note that this only works if the fourth party doesn't need to modify the 
> request parameters. However, they _can_ modify the request body as long 
> as the content-type isn't application/x-www-form-urlencoded (and the 
> provider hasn't implemented the draft spec for OAuth request body signing).
> 

This workaround of not using application/x-www-form-urlencoded points to 
what we really need for this solution to work:

We need the ability for an app to generate a signature that allows 
another party to "fill in the blanks" while restricting what the other 
party is allowed to specify.

I'm not sure exactly how this manifests on the wire, but at a high level 
that would facilitate use-cases such as Amazon S3's browser upload API, 
where the app gives the browser access to upload a file but the exact 
content of the payload is determined after the signature is generated.
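
What the quoted workaround relies on, shown as an added example that is not part of the original message: a minimal OAuth 1.0 HMAC-SHA1 signer following RFC 5849, used to check which changes by a fourth party invalidate a pre-signed request. The endpoint, keys, secrets and nonce are constructed placeholders, and the URL is assumed to be already in normalized form.

```python
import base64, hashlib, hmac
from urllib.parse import quote, parse_qsl

FORM = "application/x-www-form-urlencoded"

def enc(s):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal
    return quote(s, safe="-._~")

def base_string(method, url, query, oauth, content_type, body):
    # Signed parameters come from the query string, the oauth_* values and,
    # only for a form-encoded body, the body itself (RFC 5849 section 3.4.1.3.1).
    params = parse_qsl(query, keep_blank_values=True) + list(oauth.items())
    if content_type == FORM:
        params += parse_qsl(body.decode(), keep_blank_values=True)
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(consumer_secret, token_secret, *request):
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string(*request).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(signature, consumer_secret, token_secret, *request):
    # Provider side: recompute over the request as received, compare in constant time
    return hmac.compare_digest(signature, sign(consumer_secret, token_secret, *request))

# Constructed sample values, not taken from any real service.
URL = "https://api.example.test/statuses/update"
OAUTH = {"oauth_consumer_key": "app-key", "oauth_token": "user-token",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1234567890",
         "oauth_nonce": "constructed-nonce", "oauth_version": "1.0"}
SECRETS = ("app-secret", "token-secret")

def demo():
    # The app signs a POST whose only request parameter is in the query string.
    signed = ("POST", URL, "status=hello", OAUTH, "image/png", b"")
    sig = sign(*SECRETS, *signed)
    check = lambda query, ctype, body: verify(sig, *SECRETS, "POST", URL, query, OAUTH, ctype, body)
    return {
        "unchanged": check("status=hello", "image/png", b""),
        "param_changed": check("status=other", "image/png", b""),         # signed parameter edited
        "body_changed": check("status=hello", "image/png", b"\x89PNG.."),  # non-form body supplied later
        "form_body_changed": check("status=hello", FORM, b"extra=1"),      # form body is part of the signature
    }
```

`demo()` reports that the signature survives a non-form body supplied after signing, while an edited parameter or an added form-encoded body fails verification. A provider that accepts such pre-signed requests has no integrity guarantee over that body.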

