We seem to be spending a lot of time on the question of how providers supporting both flows can tell which flow is being used. If they simply offer a new set of 3 endpoints: request token, authorize, and access token, this entire problem goes away. It also removed the need to make the oauth_callback mandatory in the new flow, or use literal strings to indicate out-of-band.
New flow endpoints - always requires verification code to get access token, which is delivered using a callback is available (via the parameter or registration), otherwise manually. Old flow endpoints - broken business as usual with scary language. This leaves all the actual API endpoints untouched, unchanged, unbroken. Any existing code will need to change to use the new flow which means it can as easily point to new endpoints. This is also consistent with how the discovery proposal works (which shows it is not a new idea). New providers have no reason to support the old flow. This is really only about 30 or so providers with OAuth endpoints *today*. Why not? EHL --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
