top | item 10437374


makkes | 10 years ago

* Do access tokens expire and need to be refreshed at all? => https://tools.ietf.org/html/rfc6749#section-4.2.2

* Are scopes used? => https://tools.ietf.org/html/rfc6749#section-3.3

* Appropriate header values? => https://tools.ietf.org/html/rfc6749#section-7 as well as https://tools.ietf.org/html/rfc6750

* Can the redirect URI be overridden in the auth request (my personal favorite)? Something like https://tools.ietf.org/html/rfc6749#section-10.6 ?
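The redirect URI question above is the one that most often turns into an open redirect when the authorization server matches by prefix instead of exactly. The following is an added example, not code from the thread or from any OAuth library: an exact-match redirect_uri check (RFC 6749 section 10.6), an authorization-request validator built on it, and a freshness check for the expires_in value from section 4.2.2. The client registry and URLs are constructed sample data.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample registry: client_id -> exactly registered redirect URIs.
REGISTERED = {
    "client-a": {"https://app.example/cb"},
}


def redirect_uri_allowed(client_id, requested):
    """Exact-match check of a requested redirect_uri (RFC 6749 section 10.6).

    Prefix or substring matching is what lets a redirect URI be "overridden":
    a registered https://app.example/cb must not accept a longer path, a
    different host such as app.example.evil, or a different scheme.
    Only a byte-for-byte match against the client's registered set passes.
    """
    registered = REGISTERED.get(client_id, set())
    if urlsplit(requested).fragment:
        # Section 3.1.2: a redirect URI must not include a fragment component.
        return False
    return requested in registered


def check_authorization_request(url):
    """Validate an authorization request URL; return (ok, reason)."""
    q = parse_qs(urlsplit(url).query)
    client_id = q.get("client_id", [None])[0]
    redirect_uri = q.get("redirect_uri", [None])[0]
    if q.get("response_type", [None])[0] not in ("code", "token"):
        return False, "unsupported response_type"
    if not client_id or client_id not in REGISTERED:
        return False, "unknown client_id"
    if redirect_uri is None:
        return False, "redirect_uri missing"
    if not redirect_uri_allowed(client_id, redirect_uri):
        # Section 4.1.2.1: on an invalid redirect_uri the server must NOT
        # redirect; it informs the resource owner directly instead.
        return False, "redirect_uri not registered for client"
    return True, "ok"


def access_token_fresh(issued_at, expires_in, now, skew=0):
    """Is a token still valid? expires_in is seconds (section 4.2.2).

    Policy choice for this example: a response that omitted expires_in is
    treated as expired rather than as valid forever.
    """
    if expires_in is None:
        return False
    return now < issued_at + expires_in - skew
```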


LoSboccacc | 10 years ago

while you're technically right, did the implementers know and follow the spec as well? now THAT's the real problem.

most of them did, but there are quite a few gaps.

then you have extensions and shit to complicate matters further: http://hueniverse.com/2012/07/30/on-leaving-oauth/

I like the OpenID efforts to make an OAuth 2.0 subset that works and is authoritative, but to be honest implementing an OAuth dialect isn't that much of an issue.

now, having a single consistent user id across services beyond their email, that's an interesting problem to solve.

but for everything OAuth one can find libraries in many languages.