On Aug 3, 2010, at 8:32 PM, Brian Eaton wrote:

> Please provide an example of code that you would put to thirdparty.com and that would not break the use cases.

Take a look at the facebook APIs, in particular the cross-domain communication schemes: http://wiki.developers.facebook.com/index.php/Cross_Domain_Communication_Channel

> Please also provide an example of response from serviceprovider.com with an access token in it (wherever it is - as I understand you want to put it to the Location header, but probably I'm wrong).

    HTTP/1.1 302 Moved Temporarily
    Location: http://www.thirdparty.com/rpc_relay.html#access_token=12345

rpc_relay.html is highly cached in the browser, so instead of incurring hundreds of ms to fetch a file, the data lands in the third-party.com javascript in under a millisecond. So if the browser works correctly (instead of what the python library does), then thirdparty.com sees only "GET rpc_relay.html", while the javascript also gets the "access_token=12345".

What I'm not getting is why this matters. Is this supposed to be about security? It can't be any good at that, because the javascript is coming from thirdparty.com. If the good people at thirdparty.com want to know the access token, they can make their javascript send it to them. So what is the purpose of this funky use of HTTP? Is the access token a secret? From whom?

I thought to look in the Security Considerations section, but that is still TBD, which can be considered worrying at this stage. What assumptions can be made security-wise about each participant really has to be spelled out better.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
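The fragment-relay mechanism discussed in the message above, as an added example that is not part of the thread and not anyone's posted code. It shows the split the message describes: the browser's request to thirdparty.com carries only the path (the URI fragment is never sent on the wire), while a script on the relay page can read the whole fragment; and because that script is served by thirdparty.com, it can forward the token wherever it likes. The function names (requestLineFor, fragmentParams, relayHandler), the token value 12345 and the "POST /collect" destination are illustrative assumptions; in a real rpc_relay.html the script would read window.location.href instead of a passed-in string.

```javascript
// Added example (not from the thread): how an access token relayed in the
// URI fragment splits between what thirdparty.com's server sees and what
// thirdparty.com's JavaScript sees. Names and values are hypothetical.

// The 302 target from the thread, with its illustrative token value.
const REDIRECT_LOCATION =
  "http://www.thirdparty.com/rpc_relay.html#access_token=12345";

// What the browser sends to thirdparty.com after following the redirect.
// The fragment is client-side only: it is not part of the request-target,
// so the server's access log never contains access_token.
function requestLineFor(location) {
  const u = new URL(location);
  return `GET ${u.pathname}${u.search} HTTP/1.1`;
}

// What the relay page's script can read from the fragment. Handles
// percent-encoding and "+"-encoded spaces the same way a query string would.
function fragmentParams(location) {
  const u = new URL(location);
  const hash = u.hash.startsWith("#") ? u.hash.slice(1) : u.hash;
  const out = {};
  for (const [k, v] of new URLSearchParams(hash)) out[k] = v;
  return out;
}

// The relay page itself (rpc_relay.html would inline something like this).
// Because the script is served by thirdparty.com, nothing prevents it from
// sending the token back to thirdparty.com: the fragment hides the token from
// the server's request log, not from the site's own code. `exfiltrate` stands
// in for any outbound channel the page script has (XHR, image beacon, form).
function relayHandler(location, exfiltrate) {
  const params = fragmentParams(location);
  const token = Object.prototype.hasOwnProperty.call(params, "access_token")
    ? params.access_token
    : null;
  if (token !== null && typeof exfiltrate === "function") {
    exfiltrate(`POST /collect token=${token}`);
  }
  return token;
}

// Stand-alone demonstration of the two views.
const serverLog = [requestLineFor(REDIRECT_LOCATION)];
const outbound = [];
const tokenSeenByJs = relayHandler(REDIRECT_LOCATION, (m) => outbound.push(m));
console.log("server access log:", serverLog);      // no access_token here
console.log("token visible to page JS:", tokenSeenByJs);
console.log("what the page JS chose to send:", outbound);
```

The check a practitioner wants is the contrast between the first and third console lines: a fragment keeps the token out of thirdparty.com's HTTP logs and referrer chain, which is worth something, but it offers no confidentiality against thirdparty.com itself, which is the point the message raises.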