Yes, one of the design goals for OAuth-WRAP was to eliminate the request token.

It is very tricky for SPs to implement the Request Token due to data replication issues. The Request token could be issued to the client in one data center, and then immediately submitted by the browser to a different data center. This means that the data has to be very quickly replicated.

On the client side of things, if the AS's approval screen is displayed in a popup window (like Facebook Connect) - it could be tricky for the client to pre-fetch the request token before displaying the "Connect" button in order to get around popup blockers.

Allen

On 5/25/10 1:43 PM, "Murali VP" <[email protected]> wrote:

> A relatively less important question:
>
> Since the request token has been eliminated, the web server flow (3.6)
> which comes close to the widely adopted OAuth 1.0's 3-legged oauth
> flow but without much of a dance isn't backward compatible, is this a
> known decision?
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
