How would a desktop client receive a callback? First it would need to be running a webserver to process the incoming HTTP request, and also the provider would need its IP address. Would a provider be registering each IP as a separate consumer? If this is the case then the best option would be generating each IP its own secret so they can sign their callback.
I don't really see it as practical for desktop clients to use callbacks. In this case we need to sacrifice a bit of user friendliness for security. After all, is it that much work to copy and paste a string??? :\

On Sat, Apr 25, 2009 at 9:20 PM, John Kristian <[email protected]> wrote:

> Some desktop consumers can receive a callback, and want to use it to
> improve the user's experience.
>
> On Apr 25, 6:03 pm, Josh Roesslein <[email protected]> wrote:
> > I'm guessing you are referring to desktop-based consumers. Yes it is
> > impossible to keep a secret concealed in that situation.
> > In that case the consumer would not be using callbacks anyways and they
> > should disable it with the proposed flag when registering with the provider.
> > With this flag set, providers will ignore the callback parameter.
