Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP

2010-08-18 Thread Mark Nottingham
See: http://support.microsoft.com/kb/294807
On 19/08/2010, at 1:55 AM, Brian Eaton wrote:
> On Tue, Aug 17, 2010 at 11:36 PM, Mark Nottingham wrote:
>>> The other reason people get funny with these status codes has to do
>>> with browser behavior. Sometimes browsers react in funny ways to
>>

Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP

2010-08-18 Thread John Panzer
For IE silliness, SOP is to include a lot of text in the 5xx so it'll show your message instead of its own. I've done lots of www-authenticate with 200's, always heard worries from web engineers, never had a bug report. YMMV.
On Wednesday, August 18, 2010, Brian Eaton wrote:
> On Tue, Aug 17, 2

Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP

2010-08-18 Thread Brian Eaton
On Tue, Aug 17, 2010 at 11:36 PM, Mark Nottingham wrote:
>> The other reason people get funny with these status codes has to do
>> with browser behavior.  Sometimes browsers react in funny ways to
>> funny HTTP status codes.  To be on the safe side, developers tend to
>> return an HTTP 200 with wh

Re: [OAUTH-WG] survey: token revocation design options

2010-08-18 Thread Stefanie Dronia
Hi Torsten, ++2. No care about token formats or URL length problem. -1: all options bring some problems along (as you already indicated). Additionally, an overloading of HTTP DELETE (as Igor mentioned) is not an option from my point of view. Every overloading would be deployment specific (or

Re: [OAUTH-WG] more than one assertion?

2010-08-18 Thread Eran Hammer-Lahav
The assertion flow has been "upgraded" from an edge case to the way new access grants are defined. It's part of the extensibility model, and as such, is going to stay in the core spec.
EHL
-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian

Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP

2010-08-18 Thread Eran Hammer-Lahav
From: Luke Shepard [mailto:lshep...@facebook.com]
Sent: Wednesday, August 18, 2010 12:12 AM
To: Eran Hammer-Lahav
Cc: Paul Tarjan; OAuth WG
Subject: Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP
For example, how is the client going to get the original HTTP status code? Why does the clien

Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP

2010-08-18 Thread Luke Shepard
For example, how is the client going to get the original HTTP status code? Why does the client need the HTTP status code? It seems like the real data is the OAuth error code (i.e., "invalid request"). The HTTP status code is just gravy so that we're consistent with HTTP. This is not a legal doc

[OAUTH-WG] Quick update

2010-08-18 Thread Eran Hammer-Lahav
I plan to start working on the next core draft next week and publish it in early September. Please submit all change requests and feedback to the list by 8/27 to be discussed, considered, and included. Changes received after that time will be queued for the next draft. As for authoring or editi

Re: [OAUTH-WG] Returning HTTP 200 on Error for JSONP

2010-08-18 Thread Eran Hammer-Lahav
I disagree. The sole purpose of the specification is to achieve interop. By creating this exception for JSONP calls, you are breaking interop with non JSONP clients. For this to work, you need to specify exactly when this exception happens, and how to deliver the HTTP status code to the client.