If you're routing requests with a load balancer it's not so trivial. Instead of a substring match you're talking about a regex with negative lookahead matching -- that's why the presence of the signature param is essential to distinguishing between 2.0/1.0a.
On Thu, Jun 10, 2010 at 10:42 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:

> But in that case, all the other oauth_* parameters are missing. It's
> trivial.
>
> EHL
>
> > -----Original Message-----
> > From: Marius Scurtescu [mailto:mscurte...@google.com]
> > Sent: Thursday, June 10, 2010 10:39 AM
> > To: Paul Lindner
> > Cc: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org)
> > Subject: Re: [OAUTH-WG] Identifying OAuth 2.0 vs 1.0 requests
> >
> > I run into the same issue. In section "4.2. URI Query Parameter", it
> > would help if the parameter name, oauth_token, was different from OAuth 1.
> >
> > Marius
> >
> > On Thu, Jun 10, 2010 at 9:41 AM, Paul Lindner <lind...@inuus.com> wrote:
> > > I am talking about the resource server. Specifically I want to be able
> > > to quickly determine if an incoming request is 1.0a vs 2.0. And since
> > > this is a library it can't make a lot of assumptions about the
> > > specific environment it's running in.
> > >
> > > At first I thought I would check the oauth_version parameter. It
> > > turns out the 1.0a spec says that it is optional. The only one that
> > > is required for 1.0a is oauth_signature_method.
> > >
> > > Sadly we're long past time to change the spec to optimize for this
> > > use-case. (It would have been better to have a parameter for oauth 2.0
> > > that is distinct from 1.0a) At the very least this message will live on
> > > in the mailing list archives -- at best we document the proper way to
> > > distinguish between the two versions somewhere.
> > >
> > > On Thu, Jun 10, 2010 at 8:44 AM, Eran Hammer-Lahav
> > > <e...@hueniverse.com> wrote:
> > >>
> > >> The request is very different on the resource server. On the
> > >> authorization server, why would you use the same endpoint?
> > >>
> > >> EHL
> > >>
> > >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On
> > >> Behalf Of Paul Lindner
> > >> Sent: Thursday, June 10, 2010 8:24 AM
> > >> To: OAuth WG (oauth@ietf.org)
> > >> Subject: [OAUTH-WG] Identifying OAuth 2.0 vs 1.0 requests
> > >>
> > >> Hi,
> > >>
> > >> As I've been working through our oauth2 implementation I've noticed
> > >> that it's not easy to disambiguate OAuth 1.0a vs 2.0 API calls based
> > >> on the request parameters alone. Based on some investigation at the
> > >> Shindig project it appears that the only standard way to determine
> > >> 1.0a vs 2.0 is by checking for the oauth_signature_method
> > >> parameter. More info here:
> > >>
> > >> https://issues.apache.org/jira/browse/SHINDIG-1361
> > >>
> > >> Has anyone else considered this use case? How did you solve it?
> > >
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
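The check discussed in this thread, written out as an added example (not code from any poster or from Shindig): a library-side classifier keyed on `oauth_signature_method`, next to the negative-lookahead regex a load balancer would need. It covers only the URI query parameter case; the function names and sample query strings are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Router-side form: a regex over the raw query string. The negative lookahead
# rejects anything carrying oauth_signature_method; (?:.*&)? anchors each name
# at a parameter boundary so "xoauth_token=" is not mistaken for oauth_token.
OAUTH2_QUERY_RE = re.compile(
    r"^(?!(?:.*&)?oauth_signature_method=)(?:.*&)?oauth_token="
)

def classify_query(query: str) -> str:
    """Library-side form: return 'oauth1.0a', 'oauth2.0' or 'none'."""
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
    if "oauth_signature_method" in names:  # required in 1.0a per the thread
        return "oauth1.0a"
    if "oauth_token" in names:             # token with no signature method
        return "oauth2.0"
    return "none"

def router_says_oauth2(query: str) -> bool:
    return OAUTH2_QUERY_RE.match(query) is not None

# Constructed sample query strings (not captured traffic) -> expected class.
SAMPLES = {
    "oauth_token=abc123": "oauth2.0",
    "format=json&oauth_token=abc123": "oauth2.0",
    "oauth_consumer_key=ck&oauth_token=abc123&oauth_signature_method=HMAC-SHA1"
    "&oauth_timestamp=1276191720&oauth_nonce=n1&oauth_signature=c2ln": "oauth1.0a",
    "oauth_signature_method=PLAINTEXT&oauth_consumer_key=ck&oauth_token=abc123"
    "&oauth_signature=s%26t": "oauth1.0a",
    "xoauth_token=abc123&page=2": "none",
    "page=2": "none",
}

def check_samples() -> dict:
    """Classify every sample both ways; returns {query: (class, router_bool)}."""
    return {q: (classify_query(q), router_says_oauth2(q)) for q in SAMPLES}

if __name__ == "__main__":
    for q, (cls, routed) in check_samples().items():
        print(f"{cls:9} router_oauth2={routed}  {q[:60]}")
```

The regex sees the raw query string, so a percent-encoded parameter name (which `parse_qsl` decodes) would be classified differently by the two forms; normalize before routing if clients may send one.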