Hi there,

I would like to suggest that you show an example of the "double-encoding" of the request parameters, which I've seen some discussion about on other forums. I recently had to implement OAuth signature verification for a client (I am unable to use any of the available libraries due to the platform I'm working on), and could not get the hash to match the hash from the verified signature.

It was not until I received a copy of the client's base signing string that I realized that I had not encoded the parameters to specification. Although the specification does say, "Each item is encoded (Parameter Encoding) and separated by an '&' character", since the opensocial parameters I received were already encoded in the request I assumed that this met the specification.

I think that it may be useful to extend the example messages to include a request parameter that is already encoded, such as an email address. When you demonstrate the encoding of the parameters, it will be very apparent that the parameters are encoded twice.

Extending the standard example:

    http://photos.example.net/photos?file=vacation.jpg&size=original&user=fred%40xyz.com

Would become:

    GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal%26user%3Dfred%2540xyz.com

This clearly demonstrates the double-encoding, and removes any ambiguity in the specification.

I hope that you find this useful feedback.

Regards,
Alan
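
The double encoding described above, as an added example that is not part of the original post or of any OAuth library: it rebuilds the post's base string and shows that a verifier which skips the per-item encoding pass rejects a valid signature. The function names, the `encode_items` switch and the two secrets are assumptions made for illustration; the URL and `oauth_*` values are the ones in the post.

```python
import hashlib
import hmac
from base64 import b64encode
from urllib.parse import parse_qsl, quote, urlsplit

# Values taken from the post's example request and base string.
URL = "http://photos.example.net/photos?file=vacation.jpg&size=original&user=fred%40xyz.com"
OAUTH = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_version": "1.0",
}
# Constructed placeholder secrets; the post does not give any.
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret-placeholder", "token-secret-placeholder"


def pct(value: str) -> str:
    """Percent-encode everything except the RFC 3986 unreserved characters."""
    return quote(value, safe="-._~")


def base_string(method: str, url: str, oauth: dict, encode_items: bool = True) -> str:
    parts = urlsplit(url)
    # Decode the wire form first (user=fred%40xyz.com -> fred@xyz.com).
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth.items())
    if encode_items:
        # First pass: encode each name and value on its own.
        pairs = [(pct(k), pct(v)) for k, v in pairs]
    normalized = "&".join(f"{k}={v}" for k, v in sorted(pairs))
    # Lowercased scheme and host, no query; default-port stripping is omitted here.
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Second pass: the joined parameter string is encoded again, so %40 becomes %2540.
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(base: str) -> str:
    key = f"{pct(CONSUMER_SECRET)}&{pct(TOKEN_SECRET)}".encode()
    return b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def verify(base: str, presented_signature: str) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(sign(base), presented_signature)


if __name__ == "__main__":
    print(base_string("GET", URL, OAUTH))
```

Calling `base_string(..., encode_items=False)` yields `user%3Dfred%40xyz.com` instead of `user%3Dfred%2540xyz.com`, which is one way to arrive at the hash mismatch the post describes.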
