On Jul 13, 4:48 pm, Richard Wallace <[email protected]> wrote:
> The OAuth spec section 6.2.3 states that "If the User denies access,
> the Consumer MAY be notified that the Request Token has been revoked."
> At first I was thinking that I would just flag the request token as
> being denied on the service provider and then when the consumer tries
> to swap tokens specify that the oauth_problem is permission_denied.
> But when the service provider redirects the user to the consumer
> callback URI, should I still pass the verifier parameter or not
> bother?
>
> Is this the "right way" to let the consumer know the request has been denied?
>
> Thanks,
> Rich

Ideally the verifier should only be generated after the user has
permitted/authorized the consumer. So, the callback will not carry a
verifier if the user has declined the authorization.

Another way is to not call back at all, and have the consumer try to
convert the token to an access token, and return HTTP 401 indicating
that the request token being attempted to be converted is not
authorized.

-cheers,
Manish
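
Added example, not part of the original thread or of any OAuth library: a minimal service-provider sketch of the behaviour discussed above, where a denied request token gets a callback without `oauth_verifier` and the later token exchange answers HTTP 401 with `oauth_problem=permission_denied`. The in-memory store, the function names and the sample callback URL are hypothetical; the other `oauth_problem` values come from the OAuth Problem Reporting extension, and request signature checking is assumed to happen before `exchange` is called.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REQUEST_TOKENS = {}  # hypothetical in-memory store; a real provider persists this

def issue_request_token(callback):
    token = secrets.token_urlsafe(16)
    REQUEST_TOKENS[token] = {"callback": callback, "state": "pending", "verifier": None}
    return token

def user_decision(token, approved):
    """Record the user's choice and return the callback URL to redirect to."""
    rec = REQUEST_TOKENS[token]
    params = [("oauth_token", token)]
    if approved:
        # The verifier only comes into existence once the user has authorized.
        rec["state"] = "authorized"
        rec["verifier"] = secrets.token_urlsafe(16)
        params.append(("oauth_verifier", rec["verifier"]))
    else:
        rec["state"] = "denied"  # flagged as denied; no verifier is generated
    parts = urlsplit(rec["callback"])
    query = parse_qsl(parts.query, keep_blank_values=True) + params
    return urlunsplit(parts._replace(query=urlencode(query)))

def exchange(token, verifier):
    """Handle the request-token -> access-token swap; returns (status, body)."""
    rec = REQUEST_TOKENS.get(token)
    if rec is None:
        return 401, "oauth_problem=token_rejected"
    if rec["state"] == "denied":
        del REQUEST_TOKENS[token]  # a denied token is revoked, never reusable
        return 401, "oauth_problem=permission_denied"
    if rec["state"] != "authorized":
        return 401, "oauth_problem=permission_unknown"  # user has not decided yet
    expected = rec["verifier"].encode()
    if not verifier or not secrets.compare_digest(verifier.encode(), expected):
        return 401, "oauth_problem=parameter_rejected&oauth_parameters_rejected=oauth_verifier"
    del REQUEST_TOKENS[token]  # request tokens are single use
    return 200, urlencode({"oauth_token": secrets.token_urlsafe(16),
                           "oauth_token_secret": secrets.token_urlsafe(32)})

if __name__ == "__main__":
    t = issue_request_token("https://consumer.example/cb")  # constructed sample URL
    print(user_decision(t, approved=False))  # callback carries no oauth_verifier
    print(exchange(t, None))
```

Because the denied path never creates a verifier, a consumer that receives the callback without `oauth_verifier` can stop early, and one that tries the exchange anyway still gets an unambiguous 401.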