The OAuth service provider code in Shindig needs changes as well, but they are relatively minor compared to the consumer-side changes and will not be discussed in this document.
Assumption: http://oauth.googlecode.com/svn/spec/core/1.0a/oauth-core-1_0a.xml is an accurate description of the new OAuth spec.
<Authorization url="https://www.google.com/accounts/OAuthAuthorizeToken?oauth_callback=http://oauth.gmodules.com/gadgets/oauthcallback" />
approvalUrl = approvalUrl + "&oauth_callback=http://mycustomcallback.com";
That flexibility is no longer possible with the new OAuth spec, because the callback URL is now a critical part of the security of the protocol.
Shindig will send a request token request to the service provider and include the additional parameter: oauth_callback=<callback URL>. For example
The callback URL will be generated as follows:
The callback request will arrive at the callback servlet, looking something like this: