On Sun, Apr 26, 2009 at 11:42 AM, pkeane <[email protected]> wrote:
> I would just mention that this proposal (essentially making the
> callback url immutable)

a) that proposal does not make the callback URL "immutable".
Consumers and SPs can both mess with it.  It just makes sure the user
at the browser doesn't mess with it.

> limits the likelihood that the user who
> authenticated w/ the SP is NOT the user who requests an access token, it
> does not actually verify that it is the same user.

b) that's what the unpredictable callback token is for.
