Hi, I recently changed the way Signpost sends the oauth_callback. It now puts it in the Authorizaion header next to all the other oauth_* params, which seemed a sensible thing to do. Unfortunately, I only tested the 1.2.1 release against the major OAuth providers using out- of-band request, realizing too late that at least Twitter and FireEagle now break when supplying a callback. Duh.
I turned to the spec again and couldn't find anything that prohibits sending the callback in the Auth header. Any idea why this wouldn't be supported by service providers? It seemed to work fine when sending it in the URL query string, but then I had people complaining about how Signpost is not consistent about sending OAuth parameters... What's the right thing to do here? Thanks, Matthias PS: The symptoms for this actually differ. FireEagle simply gives me a 401. Twitter does not -- but its redirection to the callback will fail when the user grants authorization. It doesn't fail when the callback is passed in the URL! -- You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/oauth?hl=en.
