On Apr 23, 5:23 pm, pkeane <[email protected]> wrote:
> Does this add the extra burden on the Provider of maintaining state
> between A & C (i.e., being able to "remember" callback from A)?
> Currently, it is the Consumer secret that ties these interactions
> together. Again it is addressing the need to connect the action/user
> in A with the action/user in C -- to "mix it in" with the out-of-band
> understanding established in the consume secret.
Yes, you're right, but the Provider already needs to maintain some state regarding the oauth_token that is passed on step C, right? The problem here, AFAIU, is that the oauth_callback can be forged somehow tricking the end user. Having the oauth_callback being sent behind the scenes will remove this problem once and for all. The oauth_challenge proposal is a simple way of tying together (from the Consumer perspective) interactions.
