On 4/24/09 12:27 AM, Leah Culver wrote:
> *1. One time only token exchange*
>
> I actually agree with the suggestion to keep the access token endpoint
> one-time only. This means that you only get one chance to exchange a
> request token for an access token.

Glad I'm not the only one. Thanks.

> *2. No callback request parameter*
> What about using a callback to guarantee a successful exchange?
>
> I'm a fan of eliminating the callback as a request parameter altogether.
> Allow the consumer to register a callback when they register their
> application. I've been trying to think of a scenario where a consumer
> would want a dynamic callback, but I can't think of anything that can't
> be dealt with (via a redirect) after the OAuth dance is over.

What's the problem with requiring the callback URL in the server-to-server request for a request token, at which point the SP associates the URL with the request token, and no longer allowing it on the authorize URL? This would allow for dynamic callback URLs but eliminate an attacker's ability to manipulate the callback URL as long as they aren't privy to the consumer secret and request secret.

-- 
Dossy Shiobara | [email protected] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
  "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
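The service-provider side of the two points discussed above, as an added illustration that is not code from this thread: the callback is bound to the request token when it is issued over the server-to-server channel, the authorize step accepts no callback parameter at all, and the access-token exchange works at most once per request token. Consumer authentication (the signature made with the consumer secret) is assumed to have been verified before `issue_request_token` is called; the class and method names are this example's own.

```python
import secrets


class ServiceProvider:
    """Toy OAuth 1.0-style service provider (constructed example).

    The callback URL is recorded at request-token issuance and is the only
    URL the SP will ever redirect to; the authorize URL carries just the
    token, so a crafted authorize link cannot change where the user ends up.
    """

    def __init__(self):
        # request token -> {consumer, callback, authorized, spent}
        self._request_tokens = {}

    def issue_request_token(self, consumer_key, callback_url):
        # Called on the signed server-to-server request; the consumer's
        # signature is assumed to have been checked already.
        token = secrets.token_hex(8)
        self._request_tokens[token] = {
            "consumer": consumer_key,
            "callback": callback_url,   # bound here, never changed later
            "authorized": False,
            "spent": False,
        }
        return token

    def authorize(self, token, query_params):
        # User-facing step. A callback supplied here is rejected outright
        # rather than honoured, so it cannot be used to redirect the user.
        if "oauth_callback" in query_params:
            raise ValueError("callback parameter not accepted on authorize URL")
        rec = self._request_tokens[token]
        rec["authorized"] = True
        # The SP redirects only to the callback bound at issuance.
        return rec["callback"]

    def exchange_for_access_token(self, token):
        # One-time exchange: a token that is unknown, not yet authorized,
        # or already used yields no access token.
        rec = self._request_tokens.get(token)
        if rec is None or not rec["authorized"] or rec["spent"]:
            raise PermissionError("request token invalid, unauthorized or used")
        rec["spent"] = True
        return secrets.token_hex(8)
```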
