On Jun 2, 1:39 pm, 24z <[email protected]> wrote:
> Just two quick questions for clarity:
>
> 1.) Do I understand "Signed Callback URLs" correctly in that "signed"
> here has nothing to do with generating a signature as described in
> 1.0?

oauth_signature becomes a part of the process while calculating the signature for the get_request_token endpoint, i.e. it is encoded/sorted/re-encoded etc. just like any other oauth parameter to generate the signature.

>
> 2.) Does "Signed Callback URLs" in essence mean that the Service
> Provider returns a unique verifier (= an arbitrary string) after
> authorization that is therefore only known to the honest consumer/user
> and must be sent back to the provider when requesting the Access
> token?
>

Right - signed callback URLs will ensure that no one can change the callback in the middle of the oauth-dance, as it is signed with the secret during the very first call (to get_request_token). The verifier is generated by the provider as a result of the authorize_token step and can be sent to the consumer via the callback parameter, or manually (if oauth_callback = oob). This verifier is then used as a part of the request to get_access_token, which BTW is signed too.

> Did I get all of this right? And: What's the current status of OAuth
> 1.0a. Is 1.0a an official version or is it still draft?
>

I believe 1.0a is in its 3rd draft, dubbed the "implementer's draft", and no further changes were expected. This may need confirmation from the editor(s) though.

Hope this helps!

-cheers,
Manish
