Dossy Shiobara wrote:
> On Apr 17, 10:32 am, Breno <[email protected]> wrote:
>   
>> Sorry, Eran, but it is not an authentication protocol. An
>> authentication protocol must be signed by the authenticator, not by
>> the authentication requester.
>>     
>
> OMG YES!
>
> Can OAuth 1.1 _please_ fix this and make signing of the callback URL
> by the OAuth producer back to the consumer a REQUIRED part of the
> specification?
>
>   
+1

I would prefer that the callback contain a "callback token" that must be 
used in addition to the consumer key, consumer secret, request token, 
and request token secret to fetch the Access Token. This would allow the 
callback URL to be used to identify the consumer, in the event that the 
consumer secret is compromised.

Allen
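
The callback-token idea proposed above, sketched from the service provider's side. This is an added example, not part of the original message and not text from any OAuth specification. The `Provider` class, the `callback_token` parameter name, and registering the callback URL when the request token is issued are assumptions; request signing with the consumer secret and request token secret is left out to keep the focus on the extra token.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class Provider:
    """Toy in-memory service provider (constructed for illustration)."""

    def __init__(self):
        self.pending = {}  # request token -> state for that authorization

    def issue_request_token(self, consumer_key, callback_url):
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"consumer": consumer_key,
                               "callback": callback_url,
                               "callback_token": None}
        return token

    def authorize(self, request_token):
        """User approved: mint the callback token and build the redirect URL."""
        state = self.pending[request_token]
        state["callback_token"] = secrets.token_urlsafe(16)
        query = urlencode({"oauth_token": request_token,
                           "callback_token": state["callback_token"]})
        return f"{state['callback']}?{query}"

    def exchange(self, consumer_key, request_token, callback_token):
        """Return an access token only if the callback token matches."""
        state = self.pending.get(request_token)
        if state is None or state["consumer"] != consumer_key:
            return None
        expected = state["callback_token"]
        supplied = (callback_token or "").encode()
        # Constant-time comparison; fails if the user never authorized.
        if expected is None or not hmac.compare_digest(expected.encode(), supplied):
            return None
        del self.pending[request_token]  # request token is single use
        return secrets.token_urlsafe(16)


def demo():
    sp = Provider()
    rt = sp.issue_request_token("consumer-123", "https://consumer.example/cb")
    redirect = sp.authorize(rt)  # only the registered callback receives this
    cb_token = parse_qs(urlparse(redirect).query)["callback_token"][0]
    without = sp.exchange("consumer-123", rt, None)     # knows rt, not cb_token
    wrong = sp.exchange("consumer-123", rt, "guess")
    ok = sp.exchange("consumer-123", rt, cb_token)
    replay = sp.exchange("consumer-123", rt, cb_token)  # already consumed
    return without, wrong, ok, replay
```

A party holding the consumer key and request token but not the value delivered to the callback URL gets nothing from `exchange`, which is the property the proposal is after.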

