I'm also not happy that they are allowing bearer-token access to these resources via non-SSL requests. I'd hate to see such an insecure practice gain traction before the protocol is even out the door. (You just know that people will implement things "like Facebook".)

On Thu, Apr 29, 2010 at 8:24 AM, Pelle Braendgaard <pe...@stakeventures.com> wrote:
> Just working on adding OAuth 2.0 support to the Ruby OAuth Plugin and
> I noticed that the Facebook documentation says to use the
> access_token parameter like this:
>
> https://graph.facebook.com/me?access_token=...
> (http://developers.facebook.com/docs/authentication/)
>
> But in the specs it specifies that it should use the oauth_token
> parameter http://tools.ietf.org/html/draft-hammer-oauth2-00#section-5.2.1 :
>
>   When including the access token in the HTTP request URI, the client
>   adds the access token to the request URI query component as defined
>   by [RFC3986] using the "oauth_token" parameter.
>
>   For example, the client makes the following HTTPS request:
>
>   GET /resource?oauth_token=vF9dft4qmT HTTP/1.1
>   Host: server.example.com
>
> Does anyone know what the deal is? Will Facebook also support
> oauth_token or will we have to support both types?
>
> P
>
> --
> http://agree2.com - Reach Agreement!
> http://extraeagle.com - Solutions for the electronic Extra Legal world
> http://stakeventures.com - Bootstrapping blog
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
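
Added example, not part of the original messages and not code from the Ruby OAuth Plugin: one way a resource server could handle both points raised in this thread, accepting the token under either `oauth_token` or `access_token` while refusing it on non-HTTPS requests. The helper names, error classes and `REDACTED` marker are hypothetical; the sample URIs reuse the draft's `server.example.com` example.

```ruby
require "uri"

# Hypothetical helpers for illustration. The two parameter names are the
# ones discussed in the thread (draft spec vs. Facebook documentation).
TOKEN_PARAMS = %w[oauth_token access_token].freeze

class InsecureTransport < StandardError; end
class AmbiguousToken < StandardError; end

# Returns the bearer token carried in the query string, or nil if none.
def extract_bearer_token(request_uri)
  uri = URI.parse(request_uri)
  params = URI.decode_www_form(uri.query || "")
  found = params.select { |name, _| TOKEN_PARAMS.include?(name) }
  return nil if found.empty?

  # A bearer token is usable by anyone who observes it, so a token that
  # arrived over plain HTTP is rejected rather than honoured.
  unless uri.scheme == "https"
    raise InsecureTransport, "bearer token sent over #{uri.scheme || 'unknown scheme'}"
  end

  # Supporting both names must not let a request carry two different tokens.
  values = found.map { |_, value| value }.uniq
  raise AmbiguousToken, "conflicting token parameters" if values.size > 1
  raise AmbiguousToken, "empty token" if values.first.empty?
  values.first
end

# Returns the URI with token values masked, for writing to access logs,
# since query strings are commonly logged verbatim.
def redact_token(request_uri)
  uri = URI.parse(request_uri)
  params = URI.decode_www_form(uri.query || "").map do |name, value|
    TOKEN_PARAMS.include?(name) ? [name, "REDACTED"] : [name, value]
  end
  uri.query = params.empty? ? nil : URI.encode_www_form(params)
  uri.to_s
end
```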