The spec is largely silent on how the service provider notifies the consumer that the user denied access. A possible solution would be to pass OAuth Problem Reporting values (http://oauth.pbworks.com/ProblemReporting) to the callback URL, without a verifier, like this:
http://calback/url?oauth_problem=permission_denied

On Sun, Feb 21, 2010 at 9:11 AM, Mahesh Venkat <[email protected]> wrote:
> Hi,
>
> I recently implemented the 3-legged oauth as per the OAuth 1.0a specs.
> During the implementation I am finding some gaps in the specs for error
> scenarios.
> We have oauth_callback url to redirect the user to the consumer app after a
> successful user authorization. There are a number of exception cases where I
> am not sure what the oauth specs are:
>
> 1. What is the user interface or oauth interface, if the user denies
>    the authorization
> 2. If there is a system failure in presenting the authorization page to
>    the user, should the service provider redirect to the same oauth_callback
>    url of the consumer?
> 3. When the service provider receives a request for user authorization
>    using the 'unauthorized' request token, if the token is invalid or expired
>    should the service provider redirect to the oauth_callback url or send a
>    404 error?
>
> Appreciate your response.
>
> --
> Regards
> --Mahesh
>
> --
> You received this message because you are subscribed to the Google Groups
> "OAuth" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected] <oauth%[email protected]>.
> For more options, visit this group at
> http://groups.google.com/group/oauth?hl=en.
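
As an added example (not part of the original thread, and not code from any OAuth library), here is one way a consumer's callback handler could tell the suggested `oauth_problem` denial apart from a normal OAuth 1.0a authorization. The function name, the `pending_tokens` set and the `consumer.example` URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs


class CallbackError(Exception):
    """The callback is malformed or does not belong to a flow we started."""


def classify_callback(url, pending_tokens):
    """Classify a callback hit (hypothetical helper).

    pending_tokens: set of request tokens this consumer issued and is
    still waiting on. Returns ("authorized", token, verifier) or
    ("denied", token_or_None, problem).
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def single(name):
        # Reject repeated parameters instead of silently picking one.
        values = query.get(name, [])
        if len(values) > 1:
            raise CallbackError("duplicate parameter: " + name)
        return values[0] if values else None

    token = single("oauth_token")
    verifier = single("oauth_verifier")
    problem = single("oauth_problem")

    # A denial carries no verifier, so both at once is ambiguous.
    if problem is not None and verifier is not None:
        raise CallbackError("oauth_problem and oauth_verifier both present")
    # A token we never issued means the callback is not tied to our flow.
    if token is not None and token not in pending_tokens:
        raise CallbackError("unknown or already used request token")

    if problem is not None:
        # The URL in the reply carries no oauth_token, so allow None here.
        if token is not None:
            pending_tokens.discard(token)
        # Treat the problem value as untrusted text; never echo it unescaped.
        return ("denied", token, problem)

    if token is None or not verifier:
        raise CallbackError("missing oauth_token or oauth_verifier")
    # Single use: a replayed callback for the same token is rejected.
    pending_tokens.discard(token)
    return ("authorized", token, verifier)
```

Because the denial URL in the reply carries no request token, a consumer that needs to know which flow was denied has to carry that state itself, for example in the callback URL it registered.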
