Hi Brian,

1) Telling the user to go to an error URL using a separate browser is reasonable and will work most of the time. There are some cases (especially for mobile devices) where it might be tricky to resolve issues if the user's mobile device and desktop browser are on different subnets (or are in different countries!) but this is probably the best compromise.

2) At least in Yahoo's case, we will definitely be issuing a Refresh Token for all flows.

Allen

On 4/22/10 5:44 PM, "Brian Eaton" <bea...@google.com> wrote:

> A couple of comments on this profile.
>
> 1) Error URL
>
> I noticed that there was wide consensus that returning a
> captcha-specific error was not going to be useful. That matches our
> experience with ClientLogin [1] - very few developers properly handle
> captcha. And if a developer is sophisticated enough to handle
> Captchas, I would rather they just used a web browser in the first
> place.
>
> However, lots of developers do tell users to visit the URL we return
> in our error response. This is often sufficient to resolve whatever
> problems are happening with the user's account. So I'd like to see an
> optional "url" parameter returned with the "invalid_credentials" error
> code. Clients should instruct the user to visit that URL.
>
> 2) Is anyone actually going to implement this flow and not return a
> refresh token?
>
> Cheers,
> Brian
>
> [1] http://code.google.com/apis/accounts/docs/AuthForInstalledApps.html

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
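
Client-side handling of the optional "url" parameter discussed in this thread, as an added example that is not part of either message or of any provider's code. It assumes a JSON error body, and the host allowlist, the `accounts.example.com` host and the function name are hypothetical; the client only shows the URL when it is an HTTPS link on a host it already trusts.

```python
import json
from urllib.parse import urlsplit

# Assumption: hosts this client accepts for account-recovery pages (constructed value).
TRUSTED_ERROR_HOSTS = {"accounts.example.com"}

GENERIC = "Sign-in failed. Check your username and password."


def user_message_for_error(body: str) -> str:
    """Turn a token-endpoint error body into the text shown to the user."""
    try:
        err = json.loads(body)
    except ValueError:
        return GENERIC
    if not isinstance(err, dict) or err.get("error") != "invalid_credentials":
        return GENERIC

    url = err.get("url")  # optional parameter, may be absent
    if not isinstance(url, str):
        return GENERIC
    # Reject whitespace and control characters so the URL cannot break the message.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return GENERIC
    try:
        parts = urlsplit(url)
    except ValueError:
        return GENERIC

    # Compare the parsed host, not a substring: "https://trusted@other/" parses
    # with host "other", and embedded userinfo is refused outright.
    if parts.scheme != "https" or parts.hostname not in TRUSTED_ERROR_HOSTS:
        return GENERIC
    if parts.username is not None or parts.password is not None:
        return GENERIC

    return ("Sign-in failed. Open " + url + " in your web browser to fix the "
            "problem with your account, then try again.")


if __name__ == "__main__":
    # Constructed sample response.
    sample = json.dumps({"error": "invalid_credentials",
                         "url": "https://accounts.example.com/unlock?c=1"})
    print(user_message_for_error(sample))
```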