Hopefully that won't be necessary. The flow should be:

- consumer that supports both 1.0 and 1.0a always passes oauth_callback parameter
- service provider that supports 1.0a remembers that, returns callback token.
- service provider that doesn't support 1.0a ignores oauth_callback.

On Mon, May 4, 2009 at 11:25 AM, Eran Hammer-Lahav <[email protected]> wrote:
>
> Would failing to get a Request Token because of missing oauth_callback
> parameter in the request satisfy your requirement?
>
> EHL
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf
>> Of Brian Eaton
>> Sent: Monday, May 04, 2009 11:22 AM
>> To: [email protected]
>> Subject: [oauth] Re: Security Fix Charter
>>
>>
>> On Mon, May 4, 2009 at 11:14 AM, Eran Hammer-Lahav
>> <[email protected]> wrote:
>> >
>> > Clients are always limited to what the server decides to support. If a server
>> > only supports 1.0a, the client has no other options. So as long as servers
>> > support both versions, clients will be able to use both versions... or am
>> > I missing something?
>>
>> Some of the proposals discussed allow consumers to automatically
>> detect the server version and do the right thing.
>>
>> Other proposals make that impossible, or difficult, or slow.
>>
>> I am strongly in favor of mechanisms that make automatic detection easy
>> and fast.
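
Consumer-side version detection for the flow in the message above, as an added example that is not part of the original thread or any project's code. It assumes the signal is the `oauth_callback_confirmed=true` response parameter and the `oauth_verifier` callback parameter as later published in OAuth Core 1.0 Revision A (the message names neither); function names, endpoints and token values are constructed.

```python
from urllib.parse import parse_qs, urlencode

# Constructed Request Token response bodies, one per provider type.
BODY_10A = ("oauth_token=hh5s93j4hdidpola&oauth_token_secret=hdhd0244k9j7ao03"
            "&oauth_callback_confirmed=true")
BODY_10 = "oauth_token=hh5s93j4hdidpola&oauth_token_secret=hdhd0244k9j7ao03"


def detect_version(request_token_body):
    """Classify the provider from its Request Token response body."""
    fields = parse_qs(request_token_body)
    if "oauth_token" not in fields or "oauth_token_secret" not in fields:
        raise ValueError("not a Request Token response")
    # Assumption: a 1.0a provider that remembered oauth_callback says so here;
    # a 1.0 provider ignored the parameter and omits the confirmation.
    confirmed = fields.get("oauth_callback_confirmed", [""])[0]
    version = "1.0a" if confirmed == "true" else "1.0"
    return version, fields["oauth_token"][0]


def authorization_url(authorize_endpoint, request_token_body, callback):
    """Build the user-authorization redirect for the detected version."""
    version, token = detect_version(request_token_body)
    params = {"oauth_token": token}
    if version == "1.0":
        # The 1.0 provider never stored the callback, so it is passed here.
        # For 1.0a it is deliberately left out: the provider uses its own copy.
        params["oauth_callback"] = callback
    return version, authorize_endpoint + "?" + urlencode(params)


def access_token_extras(version, callback_query):
    """Extra parameters for the Access Token request, per detected version."""
    if version == "1.0":
        return {}
    # The version is pinned once detected: a 1.0a provider that comes back
    # without a verifier is an error, not a reason to fall back to 1.0.
    verifier = parse_qs(callback_query).get("oauth_verifier", [""])[0]
    if not verifier:
        raise ValueError("1.0a provider returned no oauth_verifier")
    return {"oauth_verifier": verifier}
```

Detection costs no extra round trip, since it reads the response to a request the consumer sends anyway.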
