Hi there,
This page was needed because of a security problem with some
browsers. When you need to log in we collect the username/password and
POST back to our code. In the old flow this POST would return a
redirect if you had approved the app. Some browsers re-submit that
same POST body to the other app, pretty much giving the app the user's
password. This is the intended behavior in the HTTP spec if I recall,
but either way we nipped that in the bud by putting in the new page.
As far as custom callback variables: my OAuth 1.0a changes should
go out the beginning of next week and will allow dynamic callbacks
again. The code is done and reviewed but because of the backwards
incompatibility for desktop apps I am in a 7 day waiting period. With
a dynamic callback you can set whatever you like and not have to base
it on (easily spoofed) referrers.
Thanks;
– Matt Sanford / @mzsanford
Twitter Dev
On Jun 3, 2009, at 1:53 PM, Shannon Whitley wrote:
It looks like an intermediary page has been inserted between the OAuth
login and the redirect back to the application. The HTTP referrer is
now null. I was using the referrer to pass and retrieve dynamic
variables associated with the login. Is this new page a necessary
addition to the OAuth flow? Is there any word on the ability to pass
variables through the OAuth sign-on back to the application?
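
The redirect problem described in the reply above, as an added example that is not part of the original thread or Twitter's code: a check that classifies the response to a password-bearing POST, using the RFC 7231 / RFC 7538 rules that 307 and 308 repeat the method and body, 303 switches to GET, and 301/302 leave the choice to the client. The hostnames, function names and sample responses are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

PRESERVES_BODY = {307, 308}    # client must repeat the method and body
CLIENT_DEPENDENT = {301, 302}  # client may switch to GET or may re-send the POST
REDIRECTS = PRESERVES_BODY | CLIENT_DEPENDENT | {303}

def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)

def audit_login_response(request_url, status, headers):
    """Classify the response to a credential-bearing POST.

    'ok'   : credentials cannot follow a redirect to another origin
    'warn' : cross-origin 301/302, outcome depends on the client
    'leak' : cross-origin 307/308, the POST body is re-sent by design
    """
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if status not in REDIRECTS or location is None:
        return "ok"    # e.g. a 200 interstitial page: nothing is forwarded
    target = urljoin(request_url, location)  # resolves relative Location values
    if origin(target) == origin(request_url):
        return "ok"    # body stays with the site that already received it
    if status == 303:
        return "ok"    # 303 See Other is always followed with GET
    return "leak" if status in PRESERVES_BODY else "warn"

# Constructed sample responses to POST https://provider.example/oauth/authorize
LOGIN_URL = "https://provider.example/oauth/authorize"
CALLBACK = "https://app.example/callback?oauth_token=PLACEHOLDER"
SAMPLES = [
    (302, {"Location": CALLBACK}),
    (307, {"Location": CALLBACK}),
    (303, {"Location": CALLBACK}),
    (200, {"Content-Type": "text/html"}),  # intermediary page, no redirect
    (307, {"location": "/oauth/confirm"}),  # relative, same origin
]

def audit_samples():
    return [audit_login_response(LOGIN_URL, s, h) for s, h in SAMPLES]

if __name__ == "__main__":
    for (status, headers), verdict in zip(SAMPLES, audit_samples()):
        print(status, headers.get("Location", headers.get("location", "-")), verdict)
```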