On Thu, Apr 1, 2010 at 9:51 AM, Marius Scurtescu <[email protected]> wrote:
> Hi Luke,
>
> On Wed, Mar 31, 2010 at 10:28 PM, Luke Shepard <[email protected]> wrote:
>> At first, I had the same first reaction as Marius, but after reading this
>> thread, I agree with Eran. Two observations:
>>
>> 1/ OAuth endpoints are usually already namespaced as "oauth" - if there are
>> other endpoints that accept custom parameters, they can be defined
>> elsewhere. For example:
>>
>> https://www.google.com/accounts/OAuthAuthorizeToken
>> https://api.login.yahoo.com/oauth/v2/request_auth
>> http://twitter.com/oauth/authorize
>
> The fact that the endpoint URL has "oauth" in it will not prevent any
> collisions.

I think Luke's point is that OAuth deployment today is not being done by complex frameworks which add their own parameters, rather the majority of deployers make custom endpoints specifically for OAuth. I also don't see how the Authorization Server's web framework would add random parameters given that an unknown client is making the HTTP request to it.

>> 2/ We should fight to keep URLs short and leave out redundant information
>> where possible. We should leave out redundant information where possible.
>> Here are two sample URLs. The first is 12% shorter than the second.
>>
>> http://facebook.com/oauth/authorize?mode=web_callback_access_request&client_id=123456789&callback=http://facebook.com/oauth/callback
>> http://facebook.com/oauth/authorize?oauth_mode=web_callback_access_request&oauth_client_id=123456789&oauth_callback=http://facebook.com/oauth/callback
>
> Yes, shorter in general is better. In this case it is just a bit shorter, it is
> exactly 18 chars shorter, regardless of the URL length. What is this buying
> us? End users don't have to type these URLs.
>
>
> Marius
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
