On Thu, Apr 30, 2009 at 4:50 PM, Eran Hammer-Lahav <[email protected]> wrote:

>> Really, why not bump the version to 1.1? Is there real magic behind
>> the version number? What's the point of versioning the protocol if revving
>> it is painful?
>
> Because the version has nothing to do with the authorization flow. It is
> about the signature method. We are not changing that. Keep in mind that there
> are plenty of 2-legged clients out there and there is no need to break them.
I agree that we shouldn't break the two-legged clients, but disagree that the version number is only for signatures. The handling of the HTTP request flow is very important, and the fact that we need a way to signify that it has changed underscores that. We shouldn't increment the version number in this case (I was and remain in opposition to pre-determining the versioning approach, since it doesn't work here, and there's no guarantee that it will continue to work).

How about the following:

- If the version = 1.0 (or not present) and the oauth_callback parameter *is* present upon obtaining a request token, then the flow should be assumed to be Rev. A.

- If the version = 1.0 (or not present) and the oauth_callback parameter *is* present upon sending the user to the authorization endpoint, the consumer should be assumed broken (i.e., OAuth 1.0 without Rev. A.) and a notice indicating as such should be displayed to the user. For example: "We cannot safely identify the service that sent you here. Please contact them <include contact info for service> and encourage them to upgrade their integration with <service provider>." or something to that effect.

- Upon redirect (i.e., not desktop/mobile flow), if a verification code is sent, but the consumer does not include it in the request token exchange step, produce an error and refuse to continue. This isn't the greatest experience for the end user, but hopefully consumers will get complaints ("It didn't work!") that way, and will fix it.

No version changes required, no "oob" value for the callback parameter required, either.

b.
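The three rules proposed in the message, as added example code that is not from the message, the OAuth group or the OAuth spec: a hypothetical service provider that records at the request-token step whether the consumer is Rev. A, shows the suggested notice when a pre-Rev. A consumer passes oauth_callback only at the authorization step, and refuses a token exchange that omits a verifier it issued on redirect. Signature verification and persistent token storage are omitted, and the NOTICE text paraphrases the message's suggested wording.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# User-facing text suggested in the message above (wording is illustrative).
NOTICE = ("We cannot safely identify the service that sent you here. Please contact "
          "them and encourage them to upgrade their integration with this service provider.")

@dataclass
class TokenState:
    rev_a: bool                      # oauth_callback seen when the request token was issued
    callback: Optional[str]
    verifier: Optional[str] = None   # issued on redirect; None for desktop/legacy flows

class Provider:
    """Hypothetical service provider applying the three proposed rules."""

    def __init__(self) -> None:
        self.tokens: dict = {}

    def request_token(self, params: dict) -> str:
        # Rule 1: version 1.0 (or absent) plus oauth_callback here => Rev. A consumer.
        rev_a = params.get("oauth_version", "1.0") == "1.0" and "oauth_callback" in params
        token = secrets.token_urlsafe(8)
        self.tokens[token] = TokenState(rev_a, params.get("oauth_callback"))
        return token

    def authorize(self, token: str, params: dict) -> dict:
        state = self.tokens[token]
        # Rule 2: callback supplied only at the authorization step => pre-Rev. A consumer.
        legacy_callback = params.get("oauth_version", "1.0") == "1.0" and "oauth_callback" in params
        if legacy_callback and not state.rev_a:
            return {"action": "notice", "message": NOTICE}
        if state.rev_a and state.callback:
            # Redirect flow: bind a verifier to this token and send it to the callback
            # that was fixed at request-token time, not one supplied by the redirecting party.
            state.verifier = secrets.token_hex(8)
            url = f"{state.callback}?oauth_token={token}&oauth_verifier={state.verifier}"
            return {"action": "redirect", "url": url}
        return {"action": "approved"}  # desktop/legacy flow: no verifier is issued

    def exchange(self, token: str, params: dict) -> dict:
        state = self.tokens.pop(token)  # a request token is single-use
        # Rule 3: if a verifier was sent on redirect, the consumer must present it or be refused.
        if state.verifier is not None:
            supplied = params.get("oauth_verifier", "")
            if not secrets.compare_digest(supplied, state.verifier):
                return {"ok": False, "error": "oauth_verifier missing or mismatched"}
        return {"ok": True, "access_token": secrets.token_urlsafe(8)}
```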
