The feasibility depends on your HTTP software.  Some HTTP client
libraries are configurable to not follow redirects, which makes it
straightforward to sign each request.  Some versions of curl don't
follow redirects unless -L or --location appears in the command line.

It would be nice if OAuth client libraries automatically handled
redirects and signed each request.

On Nov 24, 10:14 am, "Joseph Smarr" <[EMAIL PROTECTED]> wrote:
> ... if someone is making an OAuth-signed API request to one of
> your URLs, and you return a 302 (e.g. because you changed your URL
> structure), the signature will probably fail to match, because the consumer
> will use the pre-redirected URL and the provider will use the
> post-redirected URL.
>
> ...
>
> It's hard to see how to avoid this problem, other than a) not to ever change
> URL structure of OAuth provider URLs, or b) have consumers watch for 302s
> and recompute their signature and re-send the request if they see one. In
> general, both seem infeasible in practice, so I think at best we should
> document this as a "known gotcha" to look for when debugging code.
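
The mismatch described in the quoted message, and the approach from the reply of following redirects by hand and signing each request, as an added Python example that is not part of the original thread. The provider is a constructed in-memory stand-in, the host, paths, key and secret are constructed sample values, and refusing redirects that change scheme or host is an assumption of this example.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

SECRET = "constructed-consumer-secret"  # constructed sample value
# Constructed provider state: the old URL now answers with a 302 to the new one.
MOVED = {"http://provider.example/api/v1/photos": "http://provider.example/api/v2/photos"}

def pct(s):
    return quote(s, safe="-._~")  # OAuth 1.0 percent-encoding

def sign(method, url, params, token_secret=""):
    """HMAC-SHA1 over method, base URL and sorted parameters (default ports not handled)."""
    u = urlsplit(url)
    pairs = sorted((pct(k), pct(v)) for k, v in
                   list(params.items()) + parse_qsl(u.query, keep_blank_values=True))
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    base = "&".join([method.upper(), pct(base_url),
                     pct("&".join(f"{k}={v}" for k, v in pairs))])
    key = f"{pct(SECRET)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def oauth_params():
    """Fresh nonce and timestamp for every signed request."""
    return {"oauth_consumer_key": "constructed-key", "oauth_nonce": secrets.token_hex(8),
            "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
            "oauth_version": "1.0"}

def provider(method, url, params, signature):
    """Constructed provider: redirects moved URLs, else verifies against the URL it received."""
    if url in MOVED:
        return 302, MOVED[url]
    ok = hmac.compare_digest(signature, sign(method, url, params))
    return (200 if ok else 401), None

def fetch(url, resign, max_hops=5):
    """Follow redirects by hand; with resign=True, recompute the signature for each hop."""
    params = oauth_params()
    signature = sign("GET", url, params)
    for _ in range(max_hops):
        status, location = provider("GET", url, params, signature)
        if status != 302:
            return status, url
        if urlsplit(location)[:2] != urlsplit(url)[:2]:
            raise ValueError("redirect leaves the original scheme/host; not re-signing")
        url = location
        if resign:
            params = oauth_params()
            signature = sign("GET", url, params)
    raise RuntimeError("too many redirects")
```

Calling `fetch("http://provider.example/api/v1/photos", resign=False)` ends in a 401 at the v2 URL because the signature still covers the v1 URL, while `resign=True` ends in a 200.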
