On 15 July 2010 15:59, Justin Richer <[email protected]> wrote:
> +1 on OAuth2 header, and I also want to see oauth2_token in URI and form
> parameter methods.
>
> 1.0 clients will talk to systems that support both oauth2 and oauth1
> simultaneously. Most likely on the same PR endpoints as well. Since the
> protocols are not backwards compatible, they should be able to coexist.

I tend to agree with Eran here – 1.0 clients talking to systems that support both OAuth 2 and OAuth 1 will notice no difference. The server will have to switch protocol handling, but can do so on the presence of OAuth 1 or OAuth 2-specific parameters. Clients using OAuth 1.0 shouldn't have to do anything, and shouldn't notice any change.

This absolutely makes things a tiny bit more complicated for service providers that have already deployed OAuth 1 services and wish to move to OAuth 2, but frankly if the provider can't figure it out, they have larger problems (unless someone can provide a really compelling reason why switching in this way is actually really hard, I just can't buy it).

OAuth is dead, long live OAuth. Right? I mean, you don't move the White House to another address every time you get a new president...

b.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
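The server-side switch discussed in this thread, as an added example that is not part of the original messages or of any OAuth specification: a protected-resource endpoint picks its handler from the credentials present and refuses requests that mix protocols or repeat credentials in several places. The `OAuth2` scheme and `oauth2_token` parameter are the names proposed in the quoted message; `classify` and the other identifiers are hypothetical.

```python
from urllib.parse import parse_qsl

# OAuth 1.0 protocol parameters (RFC 5849) that only a 1.0 client sends.
# oauth_token is left out: on its own it does not say which protocol is meant.
OAUTH1_ONLY = {"oauth_consumer_key", "oauth_signature", "oauth_signature_method",
               "oauth_timestamp", "oauth_nonce"}
# Names proposed in the thread for OAuth 2 (assumption, not a final spec).
OAUTH2_SCHEME = "oauth2"
OAUTH2_PARAM = "oauth2_token"


def _header_protocol(authorization):
    """Return 'oauth1', 'oauth2' or None from an Authorization header value."""
    parts = (authorization or "").split(None, 1)
    if not parts:
        return None
    return {"oauth": "oauth1", OAUTH2_SCHEME: "oauth2"}.get(parts[0].lower())


def classify(authorization=None, query="", form=""):
    """Pick the protocol handler for one request.

    Returns 'oauth1', 'oauth2', 'none' (no credentials) or 'reject'.
    """
    found = []  # (protocol, location) for every credential seen
    proto = _header_protocol(authorization)
    if proto:
        found.append((proto, "header"))
    for location, raw in (("query", query), ("form", form)):
        names = {k for k, _ in parse_qsl(raw, keep_blank_values=True)}
        if OAUTH2_PARAM in names:
            found.append(("oauth2", location))
        if names & OAUTH1_ONLY:
            found.append(("oauth1", location))
    if not found:
        return "none"
    protocols = {p for p, _ in found}
    # Mixed protocols, or credentials sent in several places, are ambiguous:
    # refuse rather than guess which credential to trust.
    if len(protocols) > 1 or len(found) > 1:
        return "reject"
    return found[0][0]
```
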
