Line 837:

"to indicates"
s.b.
"to indicate"

Section 6.2:

Consumers that need to maintain compatibility with both 1.0 and 1.0a
service providers are going to send oauth_callback on this step.  We
should be explicit about how to handle backwards compatibility here or
we are going to end up with incompatible implementations.
Specifically:
  - if the consumer sent the oauth_callback on the RT step, the
    oauth_callback on the authorization URL should be ignored.
  - if the consumer did not send the oauth_callback on the RT step,
    the oauth_callback may be accepted if the SP wants to be compatible
    with OAuth 1.0

Alternatively, we should give consumers a way to detect SP version, by
having the SP return oauth_callback_accepted=1 in the request token
response.  I think this might be a better answer.

6.2.3

"non-guessable" should be "unguessable"

"If the value of the oauth_callback parameter provided by the Consumer
in the Consumer Obtains a Request Token (Consumer Obtains a Request
Token) step was not oob (case sensitive), or a callback URL has been
established by other means the Service Provider uses it to constructs
an HTTP GET request, and directs the User's web browser to that URL
with the following parameters added:"
...

I know what you mean, and I'm having a lot of trouble parsing this
sentence.  Can you break this into smaller pieces?

"If no callback URL was provided, the Service Provider MUST display
the value of the verification code to the User and instruct the User
to manually inform the Consumer that authorization has completed and
provide the Consumer with the verification code."

Same here, this sentence has too many clauses for easy comprehension.


Appendix A.2: this does not demonstrate how to avoid an XSRF attack on
the callback URL.  Maybe add "&xsrf=<some-gibberish>" here?
On Tue, May 5, 2009 at 1:20 PM, Eran Hammer-Lahav <[email protected]> wrote:
>
> Please review:
>
> http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/2/oauth-core-1_0a.html
>
> Change log:
>
> http://code.google.com/p/oauth/source/diff?spec=svn993&old=992&r=993&format=unidiff&path=%2Fspec%2Fcore%2F1.0a%2Foauth-core-1_0a.xml
>
> The changes are minimal:
>
> 1. Define 'oob' as out-of-band
> 2. Clarify that 'oob' is for any out-of-band configuration, not delivery of 
> verification code
> 3. Minor language tweak
> 4. Correct reference to first step
> 5. Clarify that verification code should be displayed when no callback is 
> configured, not just via the oauth_callback parameter
>
> Deadline for feedback is still May 8th. If you provided feedback to draft 1 
> which was not incorporated and still believe it should, please let me know. 
> If no changes are needed by Friday, I will promote this to an implementer 
> draft at which point developers will be encouraged to change their code. If 
> no changes are identified by developers, we will declare this draft final 
> 5/25.
>
> EHL
>
>
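As an added example (not from the draft and not from anyone in this thread), here is a Service Provider side implementation of the backwards-compatibility rule proposed in the Section 6.2 comments above, including the suggested oauth_callback_accepted=1 signal in the request token response and the unguessable verification code from 6.2.3; the in-memory token store, the function names and the allow_1_0 flag are assumptions. When redirecting, it keeps whatever query string the consumer put on its own callback (such as an xsrf value as suggested for Appendix A.2) intact while appending oauth_token and oauth_verifier.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical in-memory request-token store: token -> record (assumption)
REQUEST_TOKENS = {}


def issue_request_token(oauth_callback=None):
    """Request Token step (6.1). Remembers the callback a 1.0a consumer sent;
    a 1.0 consumer sends none. Echoes the version signal proposed in the review."""
    token = secrets.token_urlsafe(16)
    REQUEST_TOKENS[token] = {"rt_callback": oauth_callback, "verifier": None}
    response = {"oauth_token": token, "oauth_token_secret": secrets.token_urlsafe(16)}
    if oauth_callback is not None:
        response["oauth_callback_accepted"] = "1"  # proposed in the review, not in the draft
    return response


def add_query(url, params):
    """Append params to url, keeping the consumer's own query string intact
    (for example an xsrf value it bound to the User's session)."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def authorize(token, auth_url_callback=None, allow_1_0=True):
    """Authorization step (6.2 / 6.2.3), called after the User approved the token.
    Returns ("redirect", url) when a callback applies, else ("display", verifier)."""
    record = REQUEST_TOKENS[token]
    if record["rt_callback"] is not None:
        # 1.0a consumer: the callback fixed at the RT step wins; any callback on
        # the authorization URL is ignored, since that URL is attacker-reachable.
        callback = record["rt_callback"]
    elif allow_1_0:
        # 1.0 consumer (no callback at the RT step): the SP may accept it here.
        callback = auth_url_callback
    else:
        callback = None
    verifier = secrets.token_urlsafe(16)  # unguessable verification code
    record["verifier"] = verifier
    if callback is None or callback == "oob":
        # No callback: display the code so the User can hand it to the Consumer.
        return ("display", verifier)
    return ("redirect", add_query(callback, {"oauth_token": token, "oauth_verifier": verifier}))
```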

You received this message because you are subscribed to the Google Groups 
"OAuth" group.
For more options, visit this group at http://groups.google.com/group/oauth?hl=en