> - oauth_callback always required in the Request Token step to allow servers
> to know which flow the client is using. To support manual verification code
> entry or no verification code at all, we will use magic values (like 'oob'
> and 'none').

If we depend solely on the presence of the oauth_callback parameter in the first step, we need to keep it required with one of two values:

* Callback URI: Redirect to the specified callback.
* 'oob': Continue as configured in the out-of-band registration process.

Note that this definition of 'oob' is different from the one in the spec draft. It basically says, whatever the client and server agreed to do out-of-band will happen. This can be a pre-configured callback, manually displaying the verification code based on the client type, or not requiring a verification code at all if allowed by the server. Basically, ='oob' is the same as no oauth_callback in the current (broken) flow.

The requirement to use the verification code can be waived by servers if they choose to do so for some clients. Either way, the spec does not need to address it, the same way a Consumer Secret can be an empty string... Clients must always include the oauth_verifier parameter but servers can choose to ignore it if they are not worried about the security implications.

EHL
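A server-side sketch of the rule proposed in the message above, added here as an example and not part of the original thread or of any OAuth library. The `REGISTRATIONS` table, its mode names, the consumer keys and both function names are assumptions made for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Constructed out-of-band registrations (hypothetical consumer keys and fields).
REGISTRATIONS = {
    "web-app": {"mode": "callback", "callback": "https://client.example/cb",
                "verifier_required": True},
    "desktop-app": {"mode": "display_code", "verifier_required": True},
    "trusted-batch": {"mode": "none", "verifier_required": False},
}


class OAuthParamError(ValueError):
    """A required OAuth parameter is missing or malformed."""


def resolve_callback(consumer_key, params):
    """Request Token step: oauth_callback is always required (URI or 'oob')."""
    if "oauth_callback" not in params:
        raise OAuthParamError("oauth_callback is required")
    value = params["oauth_callback"]
    if value == "oob":
        # 'oob' means: do whatever was agreed at registration time.
        reg = REGISTRATIONS[consumer_key]
        if reg["mode"] == "callback":
            return ("redirect", reg["callback"])
        return (reg["mode"], None)
    # Minimal syntactic check (assumption): anything else must be an absolute URI.
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        raise OAuthParamError("oauth_callback must be an absolute URI or 'oob'")
    return ("redirect", value)


def check_verifier(consumer_key, params, issued_verifier):
    """Access Token step: the client must always send oauth_verifier;
    the server may ignore its value for clients it has waived."""
    if "oauth_verifier" not in params:
        raise OAuthParamError("oauth_verifier is required")
    if not REGISTRATIONS[consumer_key]["verifier_required"]:
        return True
    # Constant-time comparison of the presented and issued verification codes.
    return hmac.compare_digest(params["oauth_verifier"], issued_verifier)
```
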
