Why are the 'type' and 'immediate' parameters provided directly (in the URI), instead of indirectly (in the response to the request_uri)?
The text implies all other parameters have to provided indirectly. Is there any criteria for choosing whether a parameter MUST, MAY or MUST NOT be provided indirectly? The example doesn't match the text as it directly include a 'client_id' parameter. Allowing any parameters to be provided indirectly sounds more sensible. -- James Manger ---------- From: Nat Sakimura [mailto:[email protected]] Sent: Thursday, 27 May 2010 9:07 PM To: David Recordon Cc: Manger, James H; oauth Subject: Re: [OAUTH-WG] OAuth 2.0 Mobile WebApp Flow ... Client Requests Authorization type REQUIRED. The parameter value MUST be set to web_server request_url REQUIRED. Request file url from which the Authorization Server may obtain the request parameters Immediate OPTIONAL. The parameter value must be set to true or false... ... GET /authorize?type=web_server&client_id=s6BhdRkqt3&redirect_uri= https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host: server.example.com _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
