ha. must be blind... thanks (feeling slightly stupid)

Owen

2009/5/1 Mike Malone <[email protected]>
> On Thu, Apr 30, 2009 at 2:14 PM, Owen Evans <[email protected]> wrote:
>
>> Ok but can I just confirm that the only way to do late binding is to have
>> some parameter in the callback that identifies which Request Token was
>> authorised/denied? Just want to make my understanding clear as there's
>> nothing in the spec that says how this should be passed around (i.e. should
>> it be oauth_token parameter sent on the query string of the callback, should
>> this kind of thing be standardised? because really you want the SP to
>> generate the callback parameters and not just take the oauth_callback
>> verbatim as this could lead to a process just as easily worked around)
>
> Section 6.2.3 of the spec:
>
> After the User authenticates with the Service Provider and grants
> permission for Consumer access, the Consumer MUST be notified that the
> Request Token has been authorized and ready to be exchanged for an Access
> Token. If the User denies access, the Consumer MAY be notified that the
> Request Token has been revoked.
>
> If the Consumer provided a callback URL in oauth_callback (as described in
> Consumer Directs the User to the Service Provider
> <http://oauth.net/core/1.0/#user_auth_redirected>),
> the Service Provider constructs an HTTP GET request URL, and redirects the
> User’s web browser to that URL with the following parameters:
>
> oauth_token: The Request Token the User authorized or denied.
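The callback handling quoted from section 6.2.3, as an added example that is not part of the original thread or of any OAuth library: the Service Provider sets oauth_token on the redirect itself, and the Consumer uses it to find the pending Request Token. The class and function names, the example.test URLs, the token values and the session binding on the Consumer side are assumptions of this sketch.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def build_callback_redirect(oauth_callback, request_token):
    """Service Provider side: build the redirect URL for the User's browser."""
    parts = urlsplit(oauth_callback)
    # Keep the Consumer's own query parameters, but drop any oauth_token it
    # placed in oauth_callback: that value must always come from the SP.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "oauth_token"]
    query.append(("oauth_token", request_token))
    return urlunsplit(parts._replace(query=urlencode(query)))


class Consumer:
    """Consumer side: late binding of a callback to a pending Request Token."""

    def __init__(self):
        self.pending = {}  # Request Token -> local session that asked for it

    def start(self, session_id, request_token):
        self.pending[request_token] = session_id

    def handle_callback(self, session_id, callback_url):
        """Return the authorized Request Token, or None if it cannot be bound."""
        params = parse_qsl(urlsplit(callback_url).query)
        tokens = [v for k, v in params if k == "oauth_token"]
        if len(tokens) != 1:          # missing or ambiguous oauth_token
            return None
        token = tokens[0]
        owner = self.pending.get(token)
        # Assumption of this sketch: the token is only accepted from the
        # session that obtained it, and only once.
        if owner is None or owner != session_id:
            return None
        del self.pending[token]
        return token


if __name__ == "__main__":
    # Constructed sample values.
    url = build_callback_redirect(
        "https://consumer.example.test/cb?state=1&oauth_token=forged", "rt-123")
    consumer = Consumer()
    consumer.start("sess-A", "rt-123")
    print(url)
    print(consumer.handle_callback("sess-A", url))
```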
