Bug #68255 for OAuth-Lite: callback confirm is not always needed

RT for rt.cpan.org

This queue is for tickets about the OAuth-Lite CPAN distribution.

Report information

The Basics

Id:	68255
Status:	open
Priority:	0/
Queue:	OAuth-Lite

People

Owner:	Nobody in particular
Requestors:	REDICAPS [...] cpan.org
Cc:
AdminCc:

Bug Information

Severity:	(no value)
Broken in:	(no value)
Fixed in:	(no value)

History Show all quoted text

Mon May 16 23:42:16 2011 REDICAPS [...] cpan.org - Ticket created

Subject:

callback confirm is not always needed

When I want to develop a command line tools for some OAuth based site, I don't need a callback, I would not use callback_url at all. Under this situation, I think we can skip the check for callback_confirm in the code?

Mon May 30 04:46:52 2011 lyokato [...] cpan.org - Correspondence added

Even if you don't set callback_url, oauth_callback='oob' is set internally. And server must set oauth_callback_confirmed. http://tools.ietf.org/html/rfc5849 This rule is specified after OAuth Session Fixation Attack problem. And protocol version is set as OAuth1.0a Servers must support 1.0a rather than the older version. So I don't think I need support no-check version.

Mon May 30 04:46:52 2011 The RT System itself - Status changed from 'new' to 'open'