...
The OAuth service provider code in Shindig needs changes as well, but they are relatively minor compared to the consumer-side changes and will not be discussed in this document.
Assumptions
Assumption: http://oauth.googlecode.com/svn/spec/core/1.0a/oauth-core-1_0a.xml is an accurate description of the new OAuth spec.
...
<Authorization url="https://www.google.com/accounts/OAuthAuthorizeToken?oauth_callback=http://oauth.gmodules.com/gadgets/oauthcallback" />
Even if the author doesn't include the callback URL in their spec, they may still add an oauth_callback parameter in JavaScript at runtime:
approvalUrl = approvalUrl + "&oauth_callback=http://mycustomcallback.com";
That flexibility is no longer possible with the new OAuth spec, because the callback URL is now a critical part of the security of the protocol.
...
Shindig will send a request token request to the service provider and include the additional parameter: oauth_callback=<callback URL>. For example:
oauth_callback=http://oauth.gmodules.com/gadgets/oauthcallback?cs=abcd1234
The callback URL will be generated as follows:
...
The callback request will arrive at the callback servlet, looking something like this:
http://oauth.gmodules.com/gadgets/oauthcallback?cs=<callback-state>&oauth_verifier=<callback-token>
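The round trip described above, as an added example that is not Shindig's code: the consumer creates a callback URL carrying a cs value, and the callback handler accepts oauth_verifier only when it arrives with a cs value it issued and has not yet seen. The class and method names, the in-memory store, the random cs scheme and the flow id are assumptions for illustration (Java 10 or later); this document's own generation procedure is not reproduced here.

```java
import java.math.BigInteger;
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class CallbackStateExample {
  // Assumed store: callback state -> id of the flow that created it.
  static final Map<String, String> PENDING = new ConcurrentHashMap<>();
  // Consumer side: URL sent as oauth_callback with the request token request.
  static String newCallbackUrl(String flowId) {
    String cs = new BigInteger(128, new SecureRandom()).toString(32); // assumed scheme
    PENDING.put(cs, flowId);
    return "http://oauth.gmodules.com/gadgets/oauthcallback?cs=" + cs;
  }

  // Callback side: accept oauth_verifier only with a known, unused cs value.
  static Map.Entry<String, String> handleCallback(String requestUri) {
    Map<String, String> q = new HashMap<>();
    String query = URI.create(requestUri).getRawQuery();
    for (String pair : (query == null ? "" : query).split("&")) {
      String[] kv = pair.split("=", 2);
      if (kv.length == 2) {
        q.put(kv[0], URLDecoder.decode(kv[1], StandardCharsets.UTF_8));
      }
    }
    String verifier = q.get("oauth_verifier");
    String cs = q.get("cs");
    String flowId = (cs == null) ? null : PENDING.remove(cs); // single use
    if (flowId == null || verifier == null || verifier.isEmpty()) {
      throw new SecurityException("callback rejected");
    }
    return Map.entry(flowId, verifier);
  }

  public static void main(String[] args) {
    String callback = newCallbackUrl("flow-1"); // constructed flow id
    System.out.println("oauth_callback=" + callback);
    String incoming = callback + "&oauth_verifier=sample-verifier"; // constructed
    System.out.println(handleCallback(incoming));
    try {
      handleCallback(incoming); // replay of the same callback
    } catch (SecurityException e) {
      System.out.println("replay: " + e.getMessage());
    }
  }
}
```

Because the cs entry is removed on first use, a replayed or forged callback fails before the verifier is ever exchanged for an access token.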
...