wrong return url when asking for auth_token

Hi,
I am using OAuth and have set the callback_url = x-opensocial-demo-app.

After getting the user's confirmation, the browser returns a URL like this:
http://x-opensocial-demo-app:/?oauth_token...verifier=cpuwtq

not what I wanted, which is:
x-opensocial-demo-app://?oauth_token=kjgt3hn&oauth_verifier=cpuwtq

Why does Yahoo add the http:// automatically? I think Yahoo should not add an additional string by itself, because it's not what the developer wants.

I am developing an Android application, and I need the "x-opensocial-demo-app://" scheme to trigger my application. But http://x-opensocial-demo-app:/ will trigger the browser.
When I connect to iGoogle, there is no such problem.

Thanks

5 Replies
  • Hi Yafan,

    Sorry, our current security policy doesn't allow us to redirect
    users to a non-HTTP/HTTPS URL. We will talk with our security team
    to see if this limit can be lifted.

    Thanks,
    Yu Wang
    Yahoo! Membership Team
  • Actually, according to the OAuth spec
    http://oauth.net/core/1.0a/#auth_step1
    the oauth_callback should be either an absolute URL or "oob". Your
    oauth_callback is not a valid one, though service providers can
    interpret this differently.
  • Hi, Omiga

    I think the URL
    x-opensocial-demo-app://?oauth_token=kjgt3hn&oauth_verifier=cpuwtq
    should also be a valid absolute URL.

    According to the definition of URL (RFC 1738, http://www.ietf.org/rfc/rfc1738.txt), the scheme part represents the protocol that the application uses.
    If Yahoo limits the scheme part to http/https, that will limit the type of application using YAP.
    I think iGoogle's behavior is right.
    Yahoo should not just support web applications using the http protocol; it should also support others, such as mobile terminal applications using their own scheme.

    Regards
    Yafan


    3. Specific Schemes

    The mapping for some existing standard and experimental protocols is
    outlined in the BNF syntax definition. Notes on particular protocols
    follow. The schemes covered are:

    ftp         File Transfer protocol
    http        Hypertext Transfer Protocol
    gopher      The Gopher protocol
    mailto      Electronic mail address
    news        USENET news
    nntp        USENET news using NNTP access
    telnet      Reference to interactive sessions
    wais        Wide Area Information Servers
    file        Host-specific file names
    prospero    Prospero Directory Service

    Other schemes may be specified by future specifications. Section 4 of
    this document describes how new schemes may be registered, and lists
    some scheme names that are under development.


    QUOTE (omiga @ Jun 15 2010, 10:58 AM)
    Actually, according to the OAuth spec
    http://oauth.net/core/1.0a/#auth_step1
    the oauth_callback should be either an absolute URL or "oob". Your
    oauth_callback is not a valid one, though service providers can
    interpret this differently.
  • What is the value in your oauth_callback parameter?
    If it is "x-opensocial-demo-app", then that's not a valid
    absolute URL. Otherwise it can be.

    Currently we limit the scheme of callback URL to be HTTP/HTTPS.
    It is a security policy requirement and I'll check with
    our security team to see if it can be lifted.

    Thanks,
    Yu Wang
  • Hi, Yu

    You can think of it as me having a URL like this:
    x-opensocial-demo-app://,,,,,,

    The x-opensocial-demo-app:// part is the scheme part, just like http://; it represents the protocol that I use to parse the URL.
    So I expect the returned URL to be:
    x-opensocial-demo-app://?oauth_token=kjgt3hn&oauth_verifier=cpuwtq

    I think what I do and what I need are compatible with the definition of a URL.
    Yahoo should not add the "http://" part automatically, which is not compatible with the OAuth spec.

    Best Regards
    Yafan

    QUOTE (omiga @ Jun 17 2010, 09:59 AM)
    What is the value in your oauth_callback parameter?
    If it is "x-opensocial-demo-app", then that's not a valid
    absolute URL. Otherwise it can be.

    Currently we limit the scheme of callback URL to be HTTP/HTTPS.
    It is a security policy requirement and I'll check with
    our security team to see if it can be lifted.

    Thanks,
    Yu Wang

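The distinction argued over in this thread (a bare token versus an absolute URL with a custom scheme, checked against a provider policy that only accepts HTTP/HTTPS), as an added example that is not part of the original posts and is not Yahoo's code. The function names, the reason strings and the choice to reject a disallowed callback instead of rewriting it are assumptions of this sketch.

```python
from urllib.parse import urlsplit, urlencode

# Assumption: models the HTTP/HTTPS-only callback policy described in the thread.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def check_callback(value, allowed_schemes=ALLOWED_SCHEMES):
    """Return (accepted, reason) for an oauth_callback value.

    OAuth Core 1.0a allows either the literal "oob" or an absolute URL.
    """
    if value == "oob":
        return True, "oob"
    try:
        parts = urlsplit(value)
    except ValueError:
        return False, "unparseable"
    # A bare token such as "x-opensocial-demo-app" has no "scheme:" prefix,
    # so it is not an absolute URL at all.
    if not parts.scheme:
        return False, "not-absolute"
    # Compare the parsed scheme (urlsplit lowercases it), never a string prefix.
    if parts.scheme not in allowed_schemes:
        return False, "scheme-not-allowed"
    # Web schemes must name a host; custom app schemes may have no authority.
    if parts.scheme in ("http", "https") and not parts.hostname:
        return False, "missing-host"
    return True, "absolute"


def build_redirect(callback, token, verifier):
    """Append the OAuth response parameters without touching the scheme.

    Assumes the callback carries no fragment.
    """
    query = urlencode([("oauth_token", token), ("oauth_verifier", verifier)])
    separator = "&" if urlsplit(callback).query else "?"
    return callback + separator + query


if __name__ == "__main__":
    # Constructed sample callbacks; token and verifier are the ones quoted above.
    app_policy = ALLOWED_SCHEMES | {"x-opensocial-demo-app"}
    for cb in ("oob", "x-opensocial-demo-app", "x-opensocial-demo-app://",
               "https://example.com/cb"):
        print(cb, check_callback(cb), check_callback(cb, app_policy))
    print(build_redirect("x-opensocial-demo-app://", "kjgt3hn", "cpuwtq"))
```

A provider that wants to support native apps would extend the allowlist per registered application, so that only the scheme a given consumer registered is accepted for that consumer.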