I have a simple idea to propose not as a solution, but hopefully to give someone an idea toward a true solution:
What if the callback URL is signed on the provider's end using the consumer's secret key? The drawback is it puts the burden on the consumer to close the security hole by checking the signature, and as such the provider has no way of knowing if an application is secure or not.

Shan
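An added example (not from the post above or from any OAuth specification) of what the proposal would look like in code: the provider appends an HMAC over a canonical form of the callback URL keyed with the consumer secret, and the consumer side performs the check that the post says falls on it. The secret, the URL, and the `oauth_callback_sig` parameter name are constructed for illustration.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed values for illustration; a real consumer secret is provisioned out of band.
CONSUMER_SECRET = b"constructed-consumer-secret"
SIG_PARAM = "oauth_callback_sig"  # hypothetical parameter name, not defined by any spec


def _canonical(url, exclude=None):
    """Canonical form of a URL: lowercased scheme and host, path, and the sorted
    query string with the signature parameter itself left out."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != exclude]
    params.sort()
    base = urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, urlencode(params), ""))
    return base.encode("utf-8")


def sign_callback(url, secret):
    """Provider side: append an HMAC-SHA256 over the canonical callback URL."""
    mac = hmac.new(secret, _canonical(url), hashlib.sha256).hexdigest()
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.append((SIG_PARAM, mac))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), parts.fragment))


def verify_callback(url, secret):
    """Consumer side: recompute the MAC over everything except the signature
    and compare in constant time. A missing or altered parameter fails."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    presented = params.get(SIG_PARAM)
    if presented is None:
        return False
    expected = hmac.new(secret, _canonical(url, exclude=SIG_PARAM),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    signed = sign_callback("https://consumer.example/cb?oauth_token=abc123", CONSUMER_SECRET)
    print(verify_callback(signed, CONSUMER_SECRET))                                   # True
    print(verify_callback(signed.replace("abc123", "other"), CONSUMER_SECRET))        # False
```

Because the canonical form sorts the query, a consumer that receives the same parameters in a different order still gets a match, while any change to a parameter value or use of a different secret fails the check.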
