From http://oauth.net/advisories/2009-1, SPs supporting older Consumers are suggested to display this text to the user:
“This website is registered with SERVICE_PROVIDER_DOMAIN_NAME to make authorization requests, but has not been configured to send requests securely. If you grant access but you did not initiate this request at CONSUMER_DOMAIN_NAME, it may be possible for other users of CONSUMER_DOMAIN_NAME to access your data. We recommend you deny access unless you are certain that you initiated this request directly with CONSUMER_DOMAIN_NAME.”

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

On Mon, Jul 6, 2009 at 4:21 PM, rwallace <[email protected]> wrote:
>
> Hey folks,
>
> I'm wondering what should be done for supporting consumers that don't
> send the oauth_callback parameter when getting a request token.
> Presumably this would be because they haven't been updated to support
> the 1.0 Rev A specs yet. Should they be rejected and forced to
> upgrade or is supporting consumers using the older protocol ok?
>
> Thanks,
> Rich
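
The following is an added example, not part of the original thread or of any OAuth library: a sketch of how a Service Provider could tell a 1.0 Rev A request-token call from a legacy one by the presence of oauth_callback, and attach the advisory's warning to the authorization page for legacy Consumers. The function names, the "legacy"/"1.0a" labels and the allow_legacy switch are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Warning text quoted in the message above; placeholders are filled per request.
LEGACY_WARNING = (
    "This website is registered with {sp} to make authorization requests, but "
    "has not been configured to send requests securely. If you grant access "
    "but you did not initiate this request at {consumer}, it may be possible "
    "for other users of {consumer} to access your data. We recommend you deny "
    "access unless you are certain that you initiated this request directly "
    "with {consumer}."
)


def classify_request_token_request(params, allow_legacy=True):
    """Return (mode, callback) for the OAuth parameters of a request-token call.

    mode is "1.0a" when oauth_callback is present, "legacy" when it is absent.
    allow_legacy=False is the "reject and force upgrade" policy from the thread.
    """
    callback = params.get("oauth_callback")
    if callback is None:
        if not allow_legacy:
            raise ValueError("oauth_callback is required")
        return "legacy", None
    if callback == "oob":  # out-of-band: no redirect, user types the verifier
        return "1.0a", "oob"
    if not urlparse(callback).scheme:  # 1.0a expects an absolute URL or "oob"
        raise ValueError("oauth_callback must be an absolute URL or 'oob'")
    return "1.0a", callback


def request_token_response_extras(mode):
    """Extra response parameters: 1.0a confirms that the callback was received."""
    return {"oauth_callback_confirmed": "true"} if mode == "1.0a" else {}


def authorization_page_warning(mode, sp_domain, consumer_domain):
    """Warning to show on the authorization page, or None for 1.0a requests."""
    if mode != "legacy":
        return None
    return LEGACY_WARNING.format(sp=sp_domain, consumer=consumer_domain)
```

The mode would be stored with the request token so that the authorization page and the access-token step apply the same policy to it.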
