On May 6, 2009, at 5:28 PM, Allen Tom wrote:

> Brian Eaton wrote:
>> Use case is consumers and service providers trying to transition to
>> OAuth 1.0a in parallel without creating down time or needing to "all
>> hold hands and jump together".
>
> I still don't quite see the problem. If the issue is that the
> Consumer doesn't know if the SP supports 1.0 or 1.0a, then the
> Consumer should pass the callback URL both to the Request Token Step
> (in case the SP understands 1.0a) AND to the Authorization Step (in
> case the SP is still on 1.0).
>
> Presumably, an SP that understands 1.0a will ignore the callback
> from the Authorization step, while a 1.0 SP will ignore the callback
> sent on the Request Token step.
>
> Am I missing something?

I think it would be nice if the consumer could determine whether the SP supports 1.0a _before_ it redirects the user to the SP. The two parties should agree on the protocol flow before the redirect.

As a consumer I would like to know whether an SP supports the new flow -- when I attempt to use the new flow.

As an SP, I would like the option to treat a situation where I get a callback in both steps as an error in the protocol flow.

Regards,

- johnk
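
One way a consumer could decide the flow before the redirect, and an SP could reject a callback sent in both steps, as an added example that is not part of the original thread. It assumes the `oauth_callback_confirmed=true` parameter that the OAuth 1.0a specification has the SP return with the request token (not mentioned in this message); the function names, endpoint and token values are hypothetical and constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode

# Constructed request-token responses (form-encoded bodies), not real traffic.
RESP_10A = "oauth_token=reqtok123&oauth_token_secret=secret456&oauth_callback_confirmed=true"
RESP_10 = "oauth_token=reqtok123&oauth_token_secret=secret456"
CALLBACK = "https://consumer.example/cb"  # hypothetical consumer callback


class ProtocolFlowError(Exception):
    """Raised by a strict SP when the callback shows up in both steps."""


def sp_is_10a(request_token_body: str) -> bool:
    # A 1.0a SP confirms it bound the callback at the request-token step.
    params = parse_qs(request_token_body, strict_parsing=True)
    return params.get("oauth_callback_confirmed") == ["true"]


def authorization_url(authorize_endpoint: str, request_token_body: str,
                      callback: str) -> str:
    """Consumer side: build the redirect once the SP's version is known."""
    params = parse_qs(request_token_body, strict_parsing=True)
    query = {"oauth_token": params["oauth_token"][0]}
    if not sp_is_10a(request_token_body):
        # 1.0 SP ignored the callback earlier, so it must travel on the redirect.
        query["oauth_callback"] = callback
    return authorize_endpoint + "?" + urlencode(query)


def sp_check_authorization_request(registered_callback, query_string: str):
    """SP side: return the callback to use, or fail on a double callback."""
    params = parse_qs(query_string)
    if registered_callback is not None and "oauth_callback" in params:
        raise ProtocolFlowError("oauth_callback supplied in both steps")
    # No registered callback means the token was issued under the 1.0 flow.
    return registered_callback or params.get("oauth_callback", [None])[0]


if __name__ == "__main__":
    print(authorization_url("https://sp.example/authorize", RESP_10A, CALLBACK))
    print(authorization_url("https://sp.example/authorize", RESP_10, CALLBACK))
```
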
