I've been thinking about this for the last couple hours and agree with Leah and Zach. The best solution seems to be:
1) Single-use tokens that are invalidated if you try to exchange them a second too early.

2) Either sign the callback parameter or eliminate it altogether.

I'm using OAuth from a JavaScript widget that will be hosted on multiple domains. This makes the variable callback parameter very attractive to me and other widget developers. As Zach noted, we can mitigate the security concerns by simply signing the callback parameter. That said, there isn't any reason we can't add forwarding handlers to enable this functionality as well. I'm already having to do this for Yahoo since they don't support callback handlers on non-registered domains (which makes it funny that Yahoo were so quick to pull the plug).

While I prefer that we keep the callback parameter, I understand Leah's desire to get OAuth back up and running ASAP. Any major changes to the protocol on the consumer end of things will put extra burden on a much larger group of developers.
