Because we didn't consider the callback a core part of the flow at the time. It was just a usability optimization (most providers at the time used a pre-registered callback). Also, the authorization call itself is not signed because in some cases, the application cannot redirect the user or launch a browser and will need to get the user to manually enter the request token. So a signature will not help in such cases.
EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Josh Fraser
> Sent: Friday, April 24, 2009 12:23 AM
> To: OAuth
> Subject: [oauth] Re: What's the back story on why the callback wasn't included in the signature?
>
> Sorry for not being clear.
>
> I mean the callback parameter that is included in the authorization URL.
>
> On Apr 24, 12:57 am, Eran Hammer-Lahav <[email protected]> wrote:
> > Do you mean why the callback itself isn't signed? Or the parameter?
> >
> > EHL
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]] On Behalf Of Josh Fraser
> > > Sent: Thursday, April 23, 2009 11:15 PM
> > > To: OAuth
> > > Subject: [oauth] What's the back story on why the callback wasn't included in the signature?
> > >
> > > It seems like a lot of the vulnerability concerns (at least from B-C) can be addressed by simply adding the callback to the signature. Is there a reason this wasn't included in the spec to begin with? I want to make sure I'm not missing something.
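The distinction Eran draws above (the request-token request is signed, the authorization URL the user is redirected to is not) is easy to see by computing the signatures. The following is an added example written for this page, not code from the thread or from any OAuth implementation. It implements the OAuth 1.0 HMAC-SHA1 signature base string and compares the flow discussed here, where the callback rides only on the unsigned authorization URL, with one where `oauth_callback` is carried inside the signed request-token request. The hostnames, consumer key and secret, token, nonce and timestamp are constructed values, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed values for this example (not taken from the thread).
CONSUMER_KEY = "dpf43f3p2l4k3l03"
CONSUMER_SECRET = "kd94hf93k423kf44"
REQUEST_TOKEN_URL = "https://photos.example.net/request_token"
AUTHORIZE_URL = "https://photos.example.net/authorize"
GOOD_CALLBACK = "https://printer.example.com/ready"
EVIL_CALLBACK = "https://attacker.example/ready"


def pct(value):
    """Percent-encode with only the RFC 3986 unreserved set, as OAuth 1.0 requires."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Method, base URL and sorted/normalized parameters, each encoded and joined by '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret '&' token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def sign(method, url, params, consumer_secret, token_secret=""):
    """Consumer side: return a copy of params with oauth_signature added."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1(method, url, params, consumer_secret, token_secret)
    return signed


def verify(method, url, params, consumer_secret, token_secret=""):
    """Provider side: recompute over every parameter except the signature itself."""
    presented = params.get("oauth_signature", "")
    rest = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1(method, url, rest, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def covered_params(signed_params):
    """Parameter names the signature actually binds: everything sent except the signature."""
    return set(signed_params) - {"oauth_signature"}


BASE_PARAMS = {
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1240550400",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}


def original_flow():
    """The flow discussed in the thread: the callback appears only on the authorization URL."""
    request = sign("POST", REQUEST_TOKEN_URL, BASE_PARAMS, CONSUMER_SECRET)
    # The consumer then redirects the user. Nothing in this URL is signed, so the
    # provider cannot tell a substituted callback from the consumer's real one.
    good_url = AUTHORIZE_URL + "?" + urllib.parse.urlencode(
        {"oauth_token": "hh5s93j4hdidpola", "oauth_callback": GOOD_CALLBACK})
    evil_url = AUTHORIZE_URL + "?" + urllib.parse.urlencode(
        {"oauth_token": "hh5s93j4hdidpola", "oauth_callback": EVIL_CALLBACK})
    return {
        "request_valid": verify("POST", REQUEST_TOKEN_URL, request, CONSUMER_SECRET),
        "callback_signed": "oauth_callback" in covered_params(request),
        "urls_differ": good_url != evil_url,
    }


def callback_in_signed_request():
    """Alternative: oauth_callback is sent in the signed request-token request."""
    params = dict(BASE_PARAMS, oauth_callback=GOOD_CALLBACK)
    request = sign("POST", REQUEST_TOKEN_URL, params, CONSUMER_SECRET)
    tampered = dict(request, oauth_callback=EVIL_CALLBACK)  # callback rewritten after signing
    return {
        "honest_valid": verify("POST", REQUEST_TOKEN_URL, request, CONSUMER_SECRET),
        "tampered_valid": verify("POST", REQUEST_TOKEN_URL, tampered, CONSUMER_SECRET),
        "callback_signed": "oauth_callback" in covered_params(request),
    }


if __name__ == "__main__":
    print(original_flow())
    print(callback_in_signed_request())
```

Running it shows that in the first flow the request-token signature verifies regardless of which callback ends up on the authorization URL, because the callback is simply not among the covered parameters; in the second flow a rewritten `oauth_callback` fails verification. Carrying the callback in the signed request-token request also sidesteps the case Eran mentions where no browser can be launched: the provider learns the callback from the consumer directly rather than from whatever the user types or follows.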
