put transport security section under configuration

songkick · Nov 11, 2011 · 1fa479e · 1fa479e
1 parent 3eb239e
commit 1fa479e
Showing 1 changed file with 25 additions and 30 deletions.
diff --git a/README.rdoc b/README.rdoc
@@ -47,26 +47,41 @@ need to provide four things:
 
 === Installation and Configuration
 
-<tt>OAuth2::Provider</tt> requires very little configuration. The only thing it
-needs to know about your app is its name, which is used in the headers for some
-authentication errors.
-
+==== Gem / Library
 If you are using bundler, put this in your Gemfile:
 
   gem 'oauth2-provider', :require => 'oauth2/provider',
     :git => 'git://github.com/songkick/oauth2-provider'
 
-And declare your app's name somewhere (for example in rails, in <tt>application.rb</tt> or an initializer)
+If you are not using Bundler, require the library somewhere:
 
-  OAuth2::Provider.realm = 'My OAuth app'
+  require 'oauth2/provider'
 
-If you are not using Bundler, just put these two lines somewhere appropriate:
+====  App name 
+Declare your app's name somewhere (for example in rails, in <tt>application.rb</tt> or an initializer):
 
-  require 'oauth2/provider'
   OAuth2::Provider.realm = 'My OAuth app'
 
-You may also need to configure assertion handlers if your application supports
-third-party access credentials. See 'Using Assertions' below.
+==== Transport security
+Your application should ensure that any endpoint that receives or returns OAuth
+data is only accessible over a secure transport such as the <tt>https:</tt>
+protocol. <tt>OAuth2::Provider</tt> can enforces this to make it easier to keep
+your users' data secure.
+
+You can set <tt>OAuth2::Provider.enforce_ssl = true</tt> in the same place that
+you declared your app name above. This will result in the following behavior:
+
+* The <tt>OAuth2::Provider.parse</tt> method will produce error responses and
+  will not process the incoming request unless the request was made using the
+  <tt>https:</tt> protocol.
+* An access token constructed using <tt>OAuth2::Provider.access_token</tt> will
+  return <tt>false</tt> for <tt>#valid?</tt> unless the request was made using the
+  <tt>https:</tt> protocol.
+* Any access token received over an insecure connection is immediately destroyed
+  to prevent eavesdroppers getting access to the user's resources. A client
+  making an insecure request will have to send the user through the authorization
+  process again to get a new token.
+
 
 === Schema
 
@@ -329,26 +344,6 @@ A token represents the fact that a single owner gave a single client a set of
 permissions.
 
 
-=== Transport security
-
-Your application should ensure that any endpoint that receives or returns OAuth
-data is only accessible over a secure transport such as the <tt>https:</tt>
-protocol. <tt>OAuth2::Provider</tt> can enforces this to make it easier to keep
-your users' data secure. If you want to enable these behaviours, set
-<tt>OAuth2::Provider.enforce_ssl = true</tt>.
-
-* The <tt>OAuth2::Provider.parse</tt> method will produce error responses and
-  will not process the incoming request unless the request was made using the
-  <tt>https:</tt> protocol.
-* An access token constructed using <tt>OAuth2::Provider.access_token</tt> will
-  return <tt>false</tt> for <tt>#valid?</tt> unless the request was made using the
-  <tt>https:</tt> protocol.
-* Any access token received over an insecure connection is immediately destroyed
-  to prevent eavesdroppers getting access to the user's resources. A client
-  making an insecure request will have to send the user through the authorization
-  process again to get a new token.
-
-
 == License
 
 Copyright (c) 2010-2011 Songkick.com