That's a matter for how servers handle their consumer keys and registrations.
If no oauth_callback is present in the first step (1.0a), a server can:
1. Reject the request
2. Allow the request but only for clients registered as desktop, and properly
inform the user ("An application running on your computer (not a web site) has
requested access").
3. Show a big red warning that the user must not grant access unless they know
where they came from, etc.
Deciding what to do is up to each server based on its own security
requirements. Making desktop applications use the verifier is bad user
experience as it adds no real value there, but it does make the entire API more
secure and makes it more difficult to trick users.
EHL
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Luca Mearelli
> Sent: Thursday, April 30, 2009 8:54 AM
> To: [email protected]
> Subject: [oauth] Re: OAuth Core 1.0 Rev A, Draft 1
>
>
> On Thu, Apr 30, 2009 at 5:38 PM, Eran Hammer-Lahav
> <[email protected]> wrote:
> > Also, do we need another value to indicate a desktop client that
> doesn't need the verifier?
>
> Will the revised protocol allow for (desktop) consumers who *don't
> need* the verifier or should the protocol ask for *manual input* of
> the verifier?
> If the former then maybe the attack could be done by using one of
> those clients who don't require the verifier ...
>
> Luca
>
>
You received this message because you are subscribed to the Google Groups
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
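The three server-side options listed in the reply above (reject, allow only for registered desktop clients with an explicit notice to the user, or allow with a warning), together with the verifier check at the access-token step that closes the 1.0a session-fixation hole, sketched as an added Python example. This is not code from the thread or from any OAuth library: the consumer keys, the registration table, the `Policy` names and the in-memory token store are constructed for illustration. The final 1.0a text later used the literal `oauth_callback` value `oob` for out-of-band clients, so the example treats `oob` the same as a missing callback when applying the policy.

```python
"""Server-side policy for a temporary-credential (request token) request
that arrives without an oauth_callback, plus verifier handling for the
access-token exchange. Added example; not code from the mailing-list thread.
Consumer keys and registrations are constructed sample data."""
import hmac
import secrets
from enum import Enum


class ClientKind(Enum):
    WEB = "web"
    DESKTOP = "desktop"


class Policy(Enum):
    REJECT = "reject"                          # option 1: refuse the request
    REGISTERED_DESKTOP = "registered_desktop"  # option 2: allow registered desktop clients only
    WARN = "warn"                              # option 3: allow, but warn the user


# Constructed sample registrations (hypothetical consumer keys).
CLIENT_REGISTRY = {
    "web-client-key": ClientKind.WEB,
    "desktop-client-key": ClientKind.DESKTOP,
}

# Pending request tokens: token -> (consumer_key, verifier). In-memory for the example.
PENDING = {}


def request_token(consumer_key, params, policy):
    """Handle a request-token call. Returns (ok, user_facing_message, token).

    params is the dict of decoded oauth_* parameters from the request.
    """
    kind = CLIENT_REGISTRY.get(consumer_key)
    if kind is None:
        return False, "Unknown consumer key.", None

    callback = params.get("oauth_callback")
    if callback and callback != "oob":
        # A callback was supplied: the verifier will be delivered to it after authorization.
        message = "A web application has requested access to your account."
    else:
        # No usable callback: apply the server's chosen policy.
        if policy is Policy.REJECT:
            return False, "oauth_callback is required.", None
        if policy is Policy.REGISTERED_DESKTOP:
            if kind is not ClientKind.DESKTOP:
                return False, ("Missing oauth_callback; only clients registered as "
                               "desktop applications may omit it."), None
            message = ("An application running on your computer (not a web site) "
                       "has requested access.")
        else:  # Policy.WARN
            message = ("WARNING: this request did not say where to send you afterwards. "
                       "Do not grant access unless you know where it came from.")

    token = secrets.token_urlsafe(16)
    # The verifier is generated now but only shown to the user (or sent to the
    # callback) after they authorize; the client cannot predict it.
    verifier = secrets.token_urlsafe(16)
    PENDING[token] = (consumer_key, verifier)
    return True, message, token


def verifier_for(token):
    """What the server shows the user after authorization (desktop flow)."""
    return PENDING[token][1]


def access_token(consumer_key, token, verifier):
    """Exchange an authorized request token. The verifier must match the one
    issued for this token and consumer; comparison is constant-time and the
    token is single-use."""
    entry = PENDING.get(token)
    if entry is None or entry[0] != consumer_key:
        return False
    if not hmac.compare_digest(entry[1], verifier):
        return False
    del PENDING[token]
    return True
```

A web client that omits the callback is turned away under the first two policies, while a client registered as a desktop application proceeds with the explicit "running on your computer" notice; in every branch the access-token exchange still demands the verifier, which is the part that adds security to the API as a whole.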