How would you propose this as a generic mechanism for the token endpoint as defined in -08 (or -07)?

EHL

> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Brian Eaton
> Sent: Thursday, April 22, 2010 5:45 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] username password delegation profile
>
> A couple of comments on this profile.
>
> 1) Error URL
>
> I noticed that there was wide consensus that returning a captcha-specific
> error was not going to be useful. That matches our experience with
> ClientLogin [1] - very few developers properly handle captcha. And if a
> developer is sophisticated enough to handle Captchas, I would rather they
> just used a web browser in the first place.
>
> However, lots of developers do tell users to visit the URL we return in our
> error response. This is often sufficient to resolve whatever problems are
> happening with the user's account. So I'd like to see an optional "url"
> parameter returned with the "invalid_credentials" error code. Clients should
> instruct the user to visit that URL.
>
> 2) Is anyone actually going to implement this flow and not return a refresh
> token?
>
> Cheers,
> Brian
>
> [1] http://code.google.com/apis/accounts/docs/AuthForInstalledApps.html
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth