>> I believe that an OAuth 1.0a style signature
How about we start with exactly an OAuth 1.0a style signature? It may be
tricky, but there are still client libraries and some web-services that
handle them.
Like Tony, I also have not heard requests for a new signature approach, but
one of the reas
Google wanted to re-state our long standing opinions on HTTP signature
mechanisms in the OAuth2 spec. The short version is that standards for
signing parts of an HTTP request have value in use-cases other than OAuth2,
and thus they should be defined outside the spec, and just referenced from
the s
ut which are much
easier on OAuth-WRAP and OAuth2.
Eric Sachs
Product Manager, Google
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Here is the note I sent a few weeks ago where we also noted the potential
session fixation attack. However as we noted, we are still willing to start
with this profile and later work on where the user has to enter a code into
the device.
-- Forwarded message --
From: Eric Sachs
Google has a similar requirement to move these types of devices to
OAuth/WRAP and away from our older "ClientLogin" protocol where the user is
prompted for their username/password. The proposed profile looks fine, but
we are a few weeks from being able to do specific work on it, so we may have
mor
Here is one of the original writeups of OpenSocial + 2LO with a scanned
napkin drawing :-)
http://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi
On Tue, Mar 16, 2010 at 11:12 AM, David Recordon wrote:
> Kevin Marks has been bugging me for a while to understand how
> OpenSocial ma