Not necessarily. The provider builds the request_token, so it could simply include the callback_url in the request_token. If it does so, it must authenticate it (e.g., HMAC with a key known _only_ to the provider) so that an attacker cannot tamper and modify it.
On Thu, Apr 23, 2009 at 9:23 AM, pkeane <[email protected]> wrote:
> Does this add the extra burden on the Provider of maintaining state
> between A & C (i.e., being able to "remember" callback from A)?
> Currently, it is the Consumer secret that ties these interactions
> together. Again it is addressing the need to connect the action/user
> in A with the action/user in C -- to "mix it in" with the out-of-band
> understanding established in the consumer secret.

--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
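The stateless variant Breno describes (the callback carried inside the request_token and authenticated with a key known only to the provider), as an added example that is not code from this thread or from any OAuth library. The token layout (base64url payload plus HMAC-SHA256 tag), the function names, the constructed consumer/callback values and the in-code PROVIDER_KEY are all assumptions for illustration; a real provider would load the key from a secret store.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Assumption: a key the Provider alone holds. Consumers never see it, so only
# the Provider can mint or re-mint a valid tag over a (callback, consumer) pair.
PROVIDER_KEY = b"provider-only-key-replace-me"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_request_token(consumer_key: str, callback_url: str, key: bytes = PROVIDER_KEY) -> str:
    """Step A: mint a request_token that carries the callback and a fresh nonce.

    The Provider keeps no per-token state; the HMAC tag is what ties the
    callback seen in A to the redirect issued in C.
    """
    claims = {"ck": consumer_key, "cb": callback_url, "n": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_request_token(token: str, key: bytes = PROVIDER_KEY):
    """Return the claims embedded in `token`, or None if the tag does not verify."""
    try:
        p64, t64 = token.split(".", 1)
        payload, tag = _unb64(p64), _unb64(t64)
    except ValueError:  # no separator or undecodable base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def authorize_redirect(token: str, verifier: str, key: bytes = PROVIDER_KEY):
    """Step C: after the user approves, redirect only to the callback the tag vouches for."""
    claims = verify_request_token(token, key)
    if claims is None:
        return None
    sep = "&" if "?" in claims["cb"] else "?"
    return claims["cb"] + sep + urlencode({"oauth_token": token, "oauth_verifier": verifier})


def tamper_callback(token: str, new_cb: str) -> str:
    """Attacker's move: rewrite the callback but reuse the original tag."""
    p64, t64 = token.split(".", 1)
    claims = json.loads(_unb64(p64))
    claims["cb"] = new_cb
    return _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + t64


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    tok = issue_request_token("consumer-abc", "https://consumer.example/cb")
    print("issued:", tok)
    print("honest redirect:", authorize_redirect(tok, "v-123"))
    print("tampered redirect:", authorize_redirect(tamper_callback(tok, "https://evil.example/"), "v-123"))
```

The tag answers pkeane's state question for the callback binding only: the Provider can forget the token after step A and still refuse to redirect anywhere but the callback it issued the token for. It does not by itself make the token single-use; a Provider that wants replay protection still has to record consumed nonces (or expire them), which is a small amount of state that is unrelated to the callback.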
