Wednesday, January 5, 2011

What the oauth_verifier is

To make sure that the resource owner granting access is the same
resource owner returning back to the client to complete the process,
the server MUST generate a verification code: an unguessable value
passed to the client via the resource owner and REQUIRED to complete
the process. The server constructs the request URI by adding the
following REQUIRED parameters to the callback URI query component:

oauth_token
      The temporary credentials identifier received from the client.

oauth_verifier
      The verification code.

If the callback URI already includes a query component, the server
MUST append the OAuth parameters to the end of the existing query.

For example, the server redirects the resource owner's user-agent to
make the following HTTP request:

GET /cb?x=1&oauth_token=hdk48Djdsa&oauth_verifier=473f82d3 HTTP/1.1

If the client did not provide a callback URI, the server SHOULD
display the value of the verification code, and instruct the resource
owner to manually inform the client that authorization is completed.
If the server knows a client to be running on a limited device, it
SHOULD ensure that the verifier value is suitable for manual entry.
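
The Python below is an added example, not part of the original post or of the specification text it quotes. It generates the verification code, appends the two parameters to the end of an existing callback query, and checks the code when the client returns. The function names, the in-memory store, the code lengths and the single-use policy are assumptions of this example.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit

# Temporary credential -> verifier. Assumption: a real server persists this
# with an expiry and ties it to the resource owner who granted access.
_PENDING = {}


def issue_verifier(oauth_token, manual_entry=False):
    """Generate an unguessable verification code for one temporary credential."""
    if manual_entry:
        # Short numeric code a person can type on a limited device. Its small
        # space is only acceptable with a short lifetime and single use.
        verifier = "".join(secrets.choice("0123456789") for _ in range(8))
    else:
        verifier = secrets.token_urlsafe(24)  # 24 random bytes from the OS CSPRNG
    _PENDING[oauth_token] = verifier
    return verifier


def build_callback_redirect(callback_uri, oauth_token, verifier):
    """Append oauth_token and oauth_verifier to the END of any existing query."""
    parts = urlsplit(callback_uri)
    oauth_params = urlencode(
        [("oauth_token", oauth_token), ("oauth_verifier", verifier)]
    )
    # Keep the client's own query string byte-for-byte and add ours after it.
    query = parts.query + "&" + oauth_params if parts.query else oauth_params
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, query, parts.fragment)
    )


def check_verifier(oauth_token, presented):
    """Token-request side: one attempt per code, constant-time comparison."""
    # pop() discards the code on any attempt, so a wrong guess cannot be retried.
    expected = _PENDING.pop(oauth_token, None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())
```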
