On Thu, Apr 30, 2009 at 7:02 PM, Mike Malone <[email protected]> wrote:
>> oauth_callback in 2nd step:
>>
>> - Present and wasn't in 1st step - no verifier requirement if allowed by
>> the server, potential stronger warning (should be deprecated eventually)
...
> So there's a loophole.

A more draconian way would be to never take into consideration the oauth_callback sent in 2nd step, allowing as valid only callbacks sent in 1st step; the choice would be simpler for the SPs.

From Eran's summary of the proposal there are three ways to close the loop:

(1) Verifier + Callback
(2) Verifier + Manual entry
(3) No verifier + manual 'continue'

The options for the SP would be:

oauth_callback in 1st step:

- Present with value - do (1)
- Present with empty value - do (2)
- Not included in request - do (3)

oauth_callback in 2nd step:

- Present and wasn't in 1st step - do (3) (or give error if deprecated)
- Present in both 1st and 2nd steps - error
- Not included in redirection - do (3)

Luca
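
The SP decision table from the message above, as an added Python example (not part of the original post and not code from any OAuth implementation). It assumes the parameters arrive query- or form-encoded, treats any oauth_callback in the 2nd step as "present", and reads "Not included in redirection" as leaving the 1st-step rule in force; choose_flow, callback_state, CallbackError and step2_deprecated are hypothetical names.

```python
from urllib.parse import parse_qs

# The three ways to close the loop listed in the message.
VERIFIER_CALLBACK = 1  # (1) verifier + callback
VERIFIER_MANUAL = 2    # (2) verifier + manual entry
NO_VERIFIER = 3        # (3) no verifier + manual 'continue'


class CallbackError(ValueError):
    """The SP must reject the request."""


def callback_state(raw_query):
    """Classify oauth_callback as 'absent', 'empty' or 'value'."""
    # keep_blank_values=True matters: by default parse_qs drops
    # "oauth_callback=", which would turn case (2) into case (3).
    params = parse_qs(raw_query, keep_blank_values=True)
    values = params.get("oauth_callback")
    if values is None:
        return "absent"
    if len(values) > 1:
        # Assumption of this example: a repeated parameter is ambiguous.
        raise CallbackError("oauth_callback sent more than once")
    return "value" if values[0] else "empty"


def choose_flow(step1_query, step2_query, step2_deprecated=False):
    """Return 1, 2 or 3 for the flow the SP runs, or raise CallbackError."""
    first = callback_state(step1_query)
    second = callback_state(step2_query)
    if second != "absent":
        if first != "absent":
            raise CallbackError("oauth_callback present in both steps")
        if step2_deprecated:
            raise CallbackError("oauth_callback in 2nd step is deprecated")
        return NO_VERIFIER
    # No callback in the 2nd step: the 1st step alone decides.
    return {"value": VERIFIER_CALLBACK,
            "empty": VERIFIER_MANUAL,
            "absent": NO_VERIFIER}[first]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(choose_flow("oauth_consumer_key=k&oauth_callback=", "oauth_token=t"))
```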
