On Wed, May 6, 2009 at 9:54 AM, Eran Hammer-Lahav <[email protected]> wrote:
>
> No. That's what we are discussing... the need to add something like that.

While it is true that the absence of a discovery system does make it less critical for a consumer to be able to automatically detect the new flow, it still appears to me to have practical value.

For one, I believe this hint could help consumers who wish to inter-operate with 1.0 and 1.0A. Some 1.0A service providers may choose to reject (instead of just ignore) an oauth_callback parameter in the exchange step. While this would be a valid interpretation of the spec, it would break a consumer's only other reasonable automatic strategy.

Also on general principle, it seems valuable to have a negotiation phase for "optional" parameters so that both sides of the exchange know what to expect at the same step. Without some sort of callback_accepted parameter in the request token response, the consumer is left in the dark until after the approval step.

I understand the desire to keep the spec change minimal, but it seems that a callback_accepted parameter would have value. It's simple, clear, and simplifies reasonable cases.

Mike

> EHL
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf
> > Of Jonathan Sergent
> > Sent: Wednesday, May 06, 2009 9:48 AM
> > To: [email protected]
> > Subject: [oauth] Re: OAuth Core 1.0 Rev A, Draft 2
> >
> > The callback_accepted parameter isn't part of the draft spec, is it?
> >
> > On Wed, May 6, 2009 at 9:40 AM, John Kemp <[email protected]> wrote:
> > >
> > > On May 6, 2009, at 11:49 AM, Brian Eaton wrote:
> > >
> > > [...]
> > >
> > >> However, existing clients have hardcoded callback URLs on their
> > >> approval URLs. If the consumer code can detect that the service
> > >> provider supports OAuth 1.0a, it can automatically correct that
> > >> problem by stripping the callback URL off the approval URL. If the
> > >> consumer code can't detect service provider version, then we're going
> > >> to end up in situations where different callback URLs are sent on both
> > >> the request token step and the approval step.
> > >
> > > Wouldn't the consumer detect that the SP supports the new flow by
> > > seeing that there is the callback_accepted parameter on the initial SP
> > > response? If not, it can repeat the request with the old flow.
> > >
> > > - johnk
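
The detection strategy discussed in this thread, as an added example that is not part of the original messages or of any OAuth library: a consumer parses the request token response, checks for callback_accepted, and makes sure the callback travels on exactly one step. The acceptance value "true", the sample responses and the sp.example / consumer.example URLs are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def parse_token_response(body):
    """Parse a form-encoded request token response, rejecting duplicates."""
    fields = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in fields:
            raise ValueError(f"duplicate parameter: {name}")
        fields[name] = value
    for required in ("oauth_token", "oauth_token_secret"):
        if not fields.get(required):
            raise ValueError(f"missing parameter: {required}")
    return fields


def callback_accepted(fields):
    # Assumption: the provider signals acceptance with the literal value "true".
    return fields.get("callback_accepted") == "true"


def approval_url(authorize_url, fields, callback):
    """Build the approval URL so the callback is sent on exactly one step."""
    parts = urlsplit(authorize_url)
    # Drop any callback hardcoded on the approval URL, plus any stale token.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in ("oauth_callback", "oauth_token")]
    query.append(("oauth_token", fields["oauth_token"]))
    if not callback_accepted(fields):
        # Old flow: the provider did not acknowledge the callback on the
        # request token step, so it still has to go on the approval step.
        query.append(("oauth_callback", callback))
    return urlunsplit(parts._replace(query=urlencode(query)))


# Constructed sample responses (not captured from any real provider).
NEW_FLOW = "oauth_token=rt123&oauth_token_secret=s3cr3t&callback_accepted=true"
OLD_FLOW = "oauth_token=rt123&oauth_token_secret=s3cr3t"
AUTHORIZE = ("https://sp.example/authorize"
             "?oauth_callback=https%3A%2F%2Fold.example%2Fcb&lang=en")
CALLBACK = "https://consumer.example/cb"

if __name__ == "__main__":
    for body in (NEW_FLOW, OLD_FLOW):
        print(approval_url(AUTHORIZE, parse_token_response(body), CALLBACK))
```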
