Zhihong wrote:
> What's OAuth's rule on duplicate parameters? Any parameter can appear
> in query string, Authorization header or post body. What happens if
> the same parameter (say oauth_version) appears in more than one place?
>

If I remember correctly, non-oauth parameters are sorted by key value, then value, so http://example.com?a=1&foo=bar&foo=gorp&a=1 would be signed as http://example.com?a=1&a=1&foo=bar&foo=gorp
oauth_* parameters should not be duplicated, but if they were, I'd imagine that most libraries would sort them according to similar rules. The obvious reason that the oauth_* parameters shouldn't be duplicated is that there's no telling which token or secret would be used.

> I tried to find some guidance in the spec to no avail. Our current
> implementation allows duplicate parameters as long as signature counts
> for the duplication (the parameter is repeated in base string).
> However, it's still a mystery which one takes precedence if they have
> different values. In my opinion, this should be clearly banned in the
> spec.
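The sorting rule and the duplicate oauth_* concern discussed in this message, shown as an added example that is not part of the original post or of any OAuth library. The function names are hypothetical, the Authorization header is assumed to be already parsed into pairs, and rejecting duplicated oauth_* parameters is the policy suggested in the thread, assumed here rather than taken from the spec text.

```python
from collections import Counter
from urllib.parse import parse_qsl, quote


class DuplicateOAuthParameter(ValueError):
    """Raised when an oauth_* parameter appears more than once in a request."""


def pct(s):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(s, safe="-._~")


def collect(query="", auth_header_params=(), body=""):
    """Merge parameters from all three locations, keeping every duplicate.

    auth_header_params: (name, value) pairs already parsed from the
    Authorization header, with "realm" dropped by the caller (assumption).
    """
    params = parse_qsl(query, keep_blank_values=True)
    params += list(auth_header_params)
    params += parse_qsl(body, keep_blank_values=True)
    return params


def check_oauth_duplicates(params):
    """Refuse requests where any oauth_* name occurs twice, in any location."""
    counts = Counter(name for name, _ in params if name.startswith("oauth_"))
    dupes = sorted(name for name, n in counts.items() if n > 1)
    if dupes:
        raise DuplicateOAuthParameter(", ".join(dupes))


def normalize(params):
    """Sort by encoded name, then encoded value; oauth_signature is excluded."""
    encoded = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in encoded)


if __name__ == "__main__":
    # Constructed input: the query string from the message above.
    ok = collect(query="a=1&foo=bar&foo=gorp&a=1")
    check_oauth_duplicates(ok)  # non-oauth duplicates are allowed
    print(normalize(ok))

    # Constructed input: oauth_version sent in both query and header.
    bad = collect(query="oauth_version=1.0",
                  auth_header_params=[("oauth_version", "1.1")])
    try:
        check_oauth_duplicates(bad)
    except DuplicateOAuthParameter as exc:
        print("rejected duplicate:", exc)
```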
