It should be escaped in both places.
This because in step 3 you should be escaping the "&"'s of step 1.
So, when you have the parameters 'a' and 'b', both with the value '%'.
This will become:
Step 1:
a=%25&b=%25
Step 3:
Method = GET
URL = http://example.com/
Parameters = a=%25&b=%25
Base string = GET&http%3A%2F%2Fexample.com%2F&a%3D%2525%26b%3D%2525
On the page http://wiki.oauth.net/TestCases are some more examples.
- Marc
On 23 jan 2009, at 00:31, Pelle Braendgaard wrote:
>
> You see this is where the complexity comes in :-)
>
> Before which of the concatenations should the encoding be done? There
> is the concatenation of the parameters with & in step 1 as well as the
> concatenation of the 3 parts of the SBS.
>
> So before we had it encoded as part of both step 1 and step 3. My
> current reading is that it should be done only as part of step 3. As
> the "&"'s from the parameters are escaped in the SBS.
>
> P
>
> On Thu, Jan 22, 2009 at 2:57 PM, Marc Worrell <[email protected]> wrote:
>>
>> In fact it is all very simple :-) (famous last words)
>>
>> In general: encode before you concatenate with '&'.
>>
>> On 22 jan 2009, at 20:12, Pelle Braendgaard wrote:
>>> 1. Normalize the request parameters, which means only ordering the
>>> parameters and then separating them with "&"'s ( 9.1.1)
>>
>> The request parameters are encoded before the concatenation.
>> (Otherwise you could not have a '&' in any parameter.)
>>
>>> 2. Normalizing the URL (9.1.2)
>>> 3. Concatenation of the encoded versions of (the http request
>>> method,
>>> the normalized url (see step 2) and the normalized request
>>> parameters
>>> (see step 1.) (9.1.3)
>>>
>>> The Ruby implementation encodes each parameter in step 1 and then
>>> re-encodes them in step 3.
>>
>> That is correct behaviour. The result in step 3 is a concatenation
>> of
>> 3 parts, all parts are encoded before concatenating.
>>
>>> I have corrected this in git so far. But
>>> would like to just check that my analysis is correct, so we can
>>> close
>>> this chapter once and for all.
>>
>> Hope this is now closed :-)
>>
>> - Marc
>>
>>>
>>
>
>
>
> --
> http://agree2.com - Reach Agreement!
> http://extraeagle.com - Solutions for the electronic Extra Legal world
> http://stakeventures.com - Bootstrapping blog
>
> >
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
