On Thu, Apr 30, 2009 at 2:14 PM, Owen Evans <[email protected]> wrote:

> Ok but can I just confirm that the only way to do late binding is to have
> some parameter in the callback that identifies which Request Token was
> authorised/denied? Just want to make my understanding clear as there's
> nothing in the spec that says how this should be passed around (i.e. should
> it be oauth_token parameter sent on the query string of the callback, should
> this kind of thing be standardised? because really you want the SP to
> generate the callback parameters and not just take the oauth_callback
> verbatim as this could lead to a process just as easily worked around)


Section 6.2.3 of the spec:

After the User authenticates with the Service Provider and grants permission
for Consumer access, the Consumer MUST be notified that the Request Token
has been authorized and ready to be exchanged for an Access Token. If the
User denies access, the Consumer MAY be notified that the Request Token has
been revoked.

If the Consumer provided a callback URL in oauth_callback (as described in
Consumer Directs the User to the Service Provider
<http://oauth.net/core/1.0/#user_auth_redirected>), the Service Provider
constructs an HTTP GET request URL, and redirects the User’s web browser to
that URL with the following parameters:

oauth_token: The Request Token the User authorized or denied.
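
The redirect described in Section 6.2.3, as an added example that is not part of the original message or of any OAuth library: the Service Provider appends oauth_token to the Consumer's callback URL, and the Consumer uses that parameter to find which Request Token was acted on. The function names, the `pending` store and the sample values are assumptions, and dropping a Consumer-supplied oauth_token is a choice made in this example, not something the quoted text requires.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def build_callback_redirect(oauth_callback, request_token):
    """Service Provider side: build the GET URL the User's browser is sent to."""
    parts = urlsplit(oauth_callback)
    # Keep the Consumer's own query parameters, but drop any oauth_token it
    # put in the callback so the value always comes from the Service Provider.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "oauth_token"]
    query.append(("oauth_token", request_token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def resolve_callback(callback_url, pending):
    """Consumer side: map the callback to a Request Token this Consumer issued.

    `pending` is a hypothetical store {request_token: token_secret} filled when
    the Consumer obtained each Request Token. Returns (token, secret) for the
    Access Token exchange, or None when the callback cannot be tied to one.
    """
    params = parse_qsl(urlsplit(callback_url).query, keep_blank_values=True)
    tokens = [v for k, v in params if k == "oauth_token"]
    if len(tokens) != 1:
        return None                      # missing or ambiguous oauth_token
    token = tokens[0]
    if token not in pending:
        return None                      # not a token this Consumer is waiting on
    # Remove the entry so a replayed callback cannot trigger a second exchange.
    return token, pending.pop(token)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    pending = {"rt_123": "secret1"}
    url = build_callback_redirect(
        "https://consumer.example/cb?state=abc&oauth_token=forged", "rt_123")
    print(url)
    print(resolve_callback(url, pending))   # first callback resolves
    print(resolve_callback(url, pending))   # replay is rejected
```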
