On Tue, Apr 28, 2009 at 7:32 AM, Dossy Shiobara <[email protected]> wrote: > And yes, making request tokens one-time only is a MUST, IMHO.
This is a terrible idea for consumers that can't receive callback URLs. For those consumers users are going to have to manually type in a callback token. There will be typos. Under the "single use request token" proposal, those users will then have to go back through the entire OAuth approval process to get another callback token. It's fine to limit the number of unsuccessful exchange attempts, but a limit of one is too low. Five attempts is more reasonable. Limiting the number of successful exchange attempts to one makes sense. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
