Wouldn't it make sense to require the oauth_version parameter under 2.0
for resource calls so that the two versions can be distinguished?
Rob
Paul Lindner wrote:
If you're routing requests with a load balancer it's not so trivial.
Instead of a substring match you're talking about a regex with
negative lookahead matching -- that's why the presence of the
signature param is essential to distinguishing between 2.0/1.0a.
On Thu, Jun 10, 2010 at 10:42 AM, Eran Hammer-Lahav
<e...@hueniverse.com <mailto:e...@hueniverse.com>> wrote:
But in that case, all the other oauth_* parameters are missing.
It's trivial.
EHL
> -----Original Message-----
> From: Marius Scurtescu [mailto:mscurte...@google.com
<mailto:mscurte...@google.com>]
> Sent: Thursday, June 10, 2010 10:39 AM
> To: Paul Lindner
> Cc: Eran Hammer-Lahav; OAuth WG (oauth@ietf.org
<mailto:oauth@ietf.org>)
> Subject: Re: [OAUTH-WG] Identifying OAuth 2.0 vs 1.0 requests
>
> I run into the same issue. In section "4.2. URI Query
Parameter", it would
> help if the parameter name, oauth_token, was different from OAuth 1.
>
> Marius
>
>
>
> On Thu, Jun 10, 2010 at 9:41 AM, Paul Lindner <lind...@inuus.com
<mailto:lind...@inuus.com>> wrote:
> > I am talking about the resource server. Specifically I want to
be able
> > to quickly determine if an incoming request is 1.0a vs 2.0.
And since
> > this is a library it can't make a lot of assumptions about the
> > specific environment it's running in.
> > At first I thought I would check the oauth_version parameter. It
> > turns out the 1.0a spec says that it is optional. The only
one that
> > is required for 1.0a is oauth_signature_method.
> > Sadly we're long past time to change the spec to optimize for
this use-case.
> > (It would have been better to have a parameter for oauth 2.0
that is
> > distinct from 1.0a) At the very least this message will live
on in
> > the mailing list archives -- at best we document the proper way to
> > distinguish between the two versions somewhere.
> > On Thu, Jun 10, 2010 at 8:44 AM, Eran Hammer-Lahav
> > <e...@hueniverse.com <mailto:e...@hueniverse.com>>
> > wrote:
> >>
> >> The request is very different on the resource server. On the
> >> authorization server, why would you use the same endpoint?
> >>
> >>
> >>
> >> EHL
> >>
> >>
> >>
> >> From: oauth-boun...@ietf.org <mailto:oauth-boun...@ietf.org>
[mailto:oauth-boun...@ietf.org <mailto:oauth-boun...@ietf.org>] On
> >> Behalf Of Paul Lindner
> >> Sent: Thursday, June 10, 2010 8:24 AM
> >> To: OAuth WG (oauth@ietf.org <mailto:oauth@ietf.org>)
> >> Subject: [OAUTH-WG] Identifying OAuth 2.0 vs 1.0 requests
> >>
> >>
> >>
> >> Hi,
> >>
> >>
> >>
> >> As I've been working through our oauth2 implementation I've
noticed
> >> that it's not easy to disambiguate OAuth 1.0a vs 2.0 API
calls based
> >> on the request parameters alone. Based on some
investigative at the
> >> Shindig project it appears that the only standard way to to
determine
> >> 1.0a vs 2.0 is by checking for the oauth_signature_method
> parameter. More info here:
> >>
> >>
> >>
> >> https://issues.apache.org/jira/browse/SHINDIG-1361
> >>
> >>
> >>
> >> Has anyone else considered this use case? How did you solve it?
> >>
> >>
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org <mailto:OAuth@ietf.org>
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> >
------------------------------------------------------------------------
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
