The "type" and "immediate" were the two parameters for which I had feedback that people want them in the URL. The reason for "type" being in the URL is that implementations are using it as a switch. "immediate" was to avoid creating two Request Files in the case "immediate" did not succeed. In my original manuscript, neither of them was in the URL.

As far as the "example includes client_id in the URL" issue is concerned, the example is wrong. I should remove the client_id from there.

All the request parameters MUST be provided through the request file. The "request_url" MUST be provided in the URL. I am still not sure if "type" MUST be provided in the URL. Conceptually, it need not be there. It depends on how implementors feel. Any other parameters MAY be provided in the URL to override what is in the request_file, but the URL total length MUST NOT exceed 512 bytes.

Would that be reasonable?

=nat

On Fri, May 28, 2010 at 1:12 PM, Manger, James H <[email protected]> wrote:
> Why are the 'type' and 'immediate' parameters provided directly (in the URI),
> instead of indirectly (in the response to the request_uri)?
>
> The text implies all other parameters have to be provided indirectly. Are there
> any criteria for choosing whether a parameter MUST, MAY or MUST NOT be
> provided indirectly?
>
> The example doesn't match the text as it directly includes a 'client_id'
> parameter.
>
> Allowing any parameters to be provided indirectly sounds more sensible.
>
> --
> James Manger
>
>
> ----------
> From: Nat Sakimura [mailto:[email protected]]
> Sent: Thursday, 27 May 2010 9:07 PM
> To: David Recordon
> Cc: Manger, James H; oauth
> Subject: Re: [OAUTH-WG] OAuth 2.0 Mobile WebApp Flow
>
> ...
> Client Requests Authorization
>
> type REQUIRED. The parameter value MUST be set to web_server
>
> request_url REQUIRED. Request file url from which the Authorization
> Server may obtain the request parameters
>
> Immediate OPTIONAL. The parameter value must be set to true or
> false...
> ...
>
> GET /authorize?type=web_server&client_id=s6BhdRkqt3&redirect_uri=
> https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
> Host: server.example.com
>

--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
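An added sketch, not part of the original message or of the draft it discusses, of how an authorization server could apply the rules proposed in the reply above: `request_url` required in the URL, URL parameters overriding the request file, and a 512-byte URL limit. The `load_request_file` callable, the https-only check, the duplicate-parameter check and the sample values are assumptions; the message does not define the request file format.

```python
from urllib.parse import urlsplit, parse_qsl

MAX_URL_BYTES = 512  # limit proposed in the message


class RequestError(ValueError):
    """Raised when an authorization request breaks one of the proposed rules."""


def resolve_request(authorize_url, load_request_file):
    """Return the effective parameters for one authorization request.

    load_request_file is a hypothetical callable: it takes the request_url
    and returns the request file's parameters as a dict.
    """
    if len(authorize_url.encode("utf-8")) > MAX_URL_BYTES:
        raise RequestError("authorization URL exceeds 512 bytes")

    pairs = parse_qsl(urlsplit(authorize_url).query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    # Assumption: a repeated parameter makes the override ambiguous, so refuse it.
    if len(names) != len(set(names)):
        raise RequestError("duplicate parameter in URL")
    url_params = dict(pairs)

    request_url = url_params.pop("request_url", None)
    if not request_url:
        raise RequestError("request_url MUST be provided in the URL")
    # Assumption: the server only dereferences https request files.
    if urlsplit(request_url).scheme != "https":
        raise RequestError("request_url must use https")

    file_params = dict(load_request_file(request_url))
    # Parameters given directly in the URL override the request file.
    return {**file_params, **url_params}


# Constructed sample input: the file says immediate=false, the URL overrides it.
SAMPLE_URL = ("https://server.example.com/authorize?type=web_server"
              "&request_url=https%3A%2F%2Fclient.example.com%2Frf&immediate=true")
SAMPLE_FILE = {"type": "web_server", "client_id": "s6BhdRkqt3",
               "redirect_uri": "https://client.example.com/cb",
               "immediate": "false"}

if __name__ == "__main__":
    print(resolve_request(SAMPLE_URL, lambda url: SAMPLE_FILE))
```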
