On Fri, Apr 17, 2009 at 12:27 PM, Dossy Shiobara <[email protected]> wrote:
>
> On Apr 17, 10:32 am, Breno <[email protected]> wrote:
>> Sorry, Eran, but it is not an authentication protocol. An
>> authentication protocol must be signed by the authenticator, not by
>> the authentication requester.
>
> OMG YES!
>
> Can OAuth 1.1 _please_ fix this and make signing of the callback URL
> by the OAuth producer back to the consumer a REQUIRED part of the
> specification?

Why? OAuth doesn't need it. It's not an authentication protocol. Once you start going down this route, you'll realize that you also need replay-protection, etc., and before you know it you have re-invented OpenID.

Dirk.

>
> Yes, I recognize that this may result in problems w/r/t URL length
> limits as all the values are passed as query parameters in a GET
> request, but it would be SO worth it.
