[ 
https://issues.apache.org/jira/browse/CXF-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13955267#comment-13955267
 ] 

Jason Klapste commented on CXF-5569:
------------------------------------

Section 9.1.1 (here: http://oauth.net/core/1.0a/#signing_process) talks about 
not only POST as you mentioned, but also URL parameters, which is the behavior 
I was seeing (URL parameters being ignored for signature generation).

It seems like the spec requires *all* parameters to be included as part of the 
signature generation, not just the OAuth related ones as it seems CXF is doing.

While your solution will certainly work as I can set IgnoreUnknownParameters to 
false and hence all will be included in the sig generation, it seems as though 
CXF is at a crossroads between maintaining backwards compatibility and following 
the spec :(

> OAuth AbstractAuthFilter and query parameters used for signing
> --------------------------------------------------------------
>
>                 Key: CXF-5569
>                 URL: https://issues.apache.org/jira/browse/CXF-5569
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 2.7.10
>            Reporter: Jason Klapste
>            Assignee: Sergey Beryozkin
>            Priority: Minor
>             Fix For: 3.0.0-milestone2, 2.7.11
>
>
> In the AbstractAuthFilter the query (or body) parameters used for signing are 
> only those included in ALLOWED_OAUTH_PARAMETERS.
> But if I'm reading the RFC correctly, it looks as though ALL parameters 
> should be considered for signature generation.
> To support both backwards compatibility, can I suggest exposing the 
> ALLOWED_OAUTH_PARAMETERS to subclasses (either directly or via 
> getter/setters) along with a flag that can be set to automatically include 
> any and all parameters?



--
This message was sent by Atlassian JIRA
(v6.2#6252)
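To make the signing rule the comment refers to concrete, here is an added Python example (not code from CXF or from this thread) that builds the OAuth 1.0a signature base string two ways: over all query/body parameters as section 9.1.1 requires, and over the oauth_ parameters only. The include_all flag, the URL, the key and the secret are constructed for the example, and body parameters are assumed to be application/x-www-form-urlencoded.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def oauth_encode(value):
    # RFC 3986 percent-encoding as required by OAuth 1.0a section 5.1
    return quote(str(value), safe="-._~")

def normalize_params(params, include_all):
    # params is a list of (name, value) pairs from the query string plus the
    # form-encoded body. oauth_signature itself is never part of the base string.
    params = [(k, v) for k, v in params if k != "oauth_signature"]
    if not include_all:
        # Behaviour the thread describes: only OAuth parameters are signed.
        params = [(k, v) for k, v in params if k.startswith("oauth_")]
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)

def signature_base_string(method, base_url, params, include_all=True):
    # method&encoded-base-URL&encoded-normalized-parameters
    return "&".join([method.upper(), oauth_encode(base_url),
                     oauth_encode(normalize_params(params, include_all))])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample request; key and secret are placeholders, not real values.
URL = "https://api.example.com/transfer"
CONSUMER_SECRET = "consumer-secret-placeholder"
OAUTH_PARAMS = [
    ("oauth_consumer_key", "consumer-key-placeholder"),
    ("oauth_nonce", "kllo9940pd9333jh"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1191242096"),
    ("oauth_version", "1.0"),
]

def tampered_request_verifies(include_all):
    """Sign a request with an application parameter, alter that parameter in
    transit, and return True if the original signature still verifies."""
    sent = OAUTH_PARAMS + [("amount", "10")]
    client_sig = hmac_sha1_signature(
        signature_base_string("POST", URL, sent, include_all), CONSUMER_SECRET)
    received = OAUTH_PARAMS + [("amount", "1000")]
    server_sig = hmac_sha1_signature(
        signature_base_string("POST", URL, received, include_all), CONSUMER_SECRET)
    return hmac.compare_digest(client_sig, server_sig)
```

With include_all=False the altered amount leaves the base string unchanged and the server accepts the request, which is why the spec's "all parameters" rule matters for integrity, not just interoperability.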
