Allen, If the explicit action of the Client sending a Request Token is removed, how does OAuth do logging and auditing?
/thomas/

__________________________________________
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Allen Tom
Sent: Tuesday, May 25, 2010 10:17 PM
To: Murali VP; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.0 questions/suggestions (based on draft 2-05)

Yes - one of the design goals for OAuth-WRAP was to eliminate the request token.

It is very tricky for SPs to implement the Request Token due to data replication issues. The Request Token could be issued to the client in one data center, and then immediately submitted by the browser to a different data center. This means that the data has to be replicated very quickly.

On the client side of things, if the AS's approval screen is displayed in a popup window (like Facebook Connect), it could be tricky for the client to pre-fetch the request token before displaying the "Connect" button in order to get around popup blockers.

Allen

On 5/25/10 1:43 PM, "Murali VP" <mural...@gmail.com> wrote:

A relatively less important question: Since the request token has been eliminated, the web server flow (3.6), which comes close to the widely adopted OAuth 1.0 3-legged OAuth flow but without much of the dance, isn't backward compatible. Is this a known decision?
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth