This is not needed. All you have to do in your extension is to override this. 
Basically, you are defining a new parameter that replaces other parameters - 
just say that. Any server supporting your extension will need to know how to 
handle it anyway.

EHL

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Nat 
Sakimura
Sent: Monday, July 12, 2010 7:51 PM
To: oauth
Subject: [OAUTH-WG] Alternative ways to pass Authorization Request Parameters

As of -10, the Authorization Request Parameters are required to be passed as 
part of the Authorization Request URI query component.

I would like to see it relaxed a bit so that they do not have to be a part of 
the URL but can be passed by reference.

In the proposal that I submitted a while ago, I proposed to have

1) The parameters to be captured in JSON that can be obtained through a URL
2) Pass this URL to the end-user authorization endpoint through a parameter 
'request_url'

I have enumerated numerous merits of this approach and I believe we had an 
agreement that this would be useful from both security and usability 
perspectives.

However, as the current text is written, the parameters have to be sent as URI 
query component.

In -10, it is written as:

   In order to direct the end-user's user-agent to the authorization
   server, the client constructs the request URI by adding the following
   parameters to the end-user authorization endpoint URI query component
   using the "application/x-www-form-urlencoded" format as defined by
   [W3C.REC-html401-19991224]:

     (parm defs)

   The client directs the end-user to the constructed URI using an HTTP
   redirection response, or by other means available to it via the end-
   user's user-agent.  The authorization server MUST support the use of
   the HTTP "GET" method for the end-user authorization endpoint, and
   MAY support the use of the "POST" method as well.

Instead I would propose something like:

   In order to obtain the end-user's authorization, the client sends the
   following parameters to the end-user authorization endpoint.

    (param defs)

   The client directs the end-user to the end-user authorization endpoint
   URI using an HTTP redirection response, or by other means available to
   it via the end-user's user-agent. The authorization server MUST support
   the use of the HTTP "GET" method for the end-user authorization
   endpoint, and MAY support the use of the "POST" method as well. The
   authorization server MUST support the parameters being passed as the
   query component using the "application/x-www-form-urlencoded" format as
   defined by [W3C.REC-html401-19991224].


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
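
A sketch of how an authorization server could resolve a request passed by reference through 'request_url', with the referenced JSON replacing same-named query parameters as the reply above suggests. This is an added example, not part of the thread or of any draft; the per-client host registry, the https-only rule, the injected `fetch` callable, the OAuth parameter names used as sample data and the sample request file are all assumptions.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Assumption: each client pre-registers the hosts it may serve request files from.
REGISTERED_REQUEST_HOSTS = {"client-123": {"client.example"}}

# Constructed sample request file (not from the thread).
SAMPLE_FILES = {
    "https://client.example/req/1.json": json.dumps({
        "response_type": "code",
        "redirect_uri": "https://client.example/cb",
        "scope": "read",
    }).encode(),
}


class RequestError(ValueError):
    """Raised when an authorization request cannot be resolved safely."""


def resolve_authz_params(query, fetch):
    """Return the effective parameters for an authorization request.

    query: raw URI query component; fetch: callable(url) -> bytes,
    injected so the example runs offline.
    """
    params = dict(parse_qsl(query))
    request_url = params.pop("request_url", None)
    if request_url is None:
        return params  # everything arrived in the query component

    # Refuse to dereference anything but a registered https location,
    # so the parameter cannot steer the server to arbitrary hosts.
    parts = urlsplit(request_url)
    allowed = REGISTERED_REQUEST_HOSTS.get(params.get("client_id"), set())
    if parts.scheme != "https" or parts.hostname not in allowed:
        raise RequestError("request_url is not a registered https location")

    try:
        referenced = json.loads(fetch(request_url))
    except ValueError as exc:
        raise RequestError("request_url did not return JSON") from exc
    if not isinstance(referenced, dict) or not all(
            isinstance(v, str) for v in referenced.values()):
        raise RequestError("request file must be a JSON object of strings")
    if referenced.get("client_id", params.get("client_id")) != params.get("client_id"):
        raise RequestError("client_id differs between query and request file")

    return {**params, **referenced}  # referenced values replace query values
```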
