Per section 5: "Each OAuth Protocol Parameters MUST NOT appear more than once". So any compliant library MUST issue an error if any oauth_* parameter is duplicated. Any other parameter is allowed to repeat and such examples are included in the sorting text of section 9.
EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of JR Conlin
> Sent: Friday, February 27, 2009 7:30 PM
> To: [email protected]
> Subject: [oauth] Re: Duplicate Parameters
>
> Zhihong wrote:
> > What's OAuth's rule on duplicate parameters? Any parameter can appear
> > in query string, Authorization header or post body. What happens if
> > the same parameter (say oauth_version) appears in more than one
> > place?
>
> if I remember correctly, non oauth parameters are sorted by key value,
> then value, so
> http://example.com?a=1&foo=bar&foo=gorp&a=1
> would be signed as
> http://example.com?a=1&a=1&foo=bar&foo=gorp
>
> oauth_* parameters should not be duplicated, but if they were, I'd
> imagine that most libraries would sort them according to similar rules.
> The obvious reason that the oauth_* parameters shouldn't be duplicated
> is that there's no telling which token or secret would be used.
>
> > I tried to find some guidance in the spec to no avail. Our current
> > implementation allows duplicate parameters as long as signature
> > counts for the duplication (the parameter is repeated in base string).
> > However, it's still a mystery which one takes precedence if they have
> > different values. In my opinion, this should be clearly banned in the
> > spec.
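The rule discussed in this thread, as an added example that is not part of the original messages and not taken from any OAuth library: parameters from the query string, the POST body and the Authorization header are merged, a repeated oauth_* name is rejected wherever it appears, and the remaining pairs are sorted by name and then by value. The function names and sample values are assumptions, and Authorization header parameters are assumed to be passed in already parsed.

```python
from urllib.parse import parse_qsl, quote


class DuplicateOAuthParameter(ValueError):
    """Raised when an oauth_* parameter name occurs more than once in a request."""


def pct(text):
    # OAuth percent-encoding: only unreserved characters stay literal.
    return quote(text, safe="-._~")


def collect_parameters(query="", body="", header_params=()):
    """Merge all three transports and reject any repeated oauth_* name."""
    pairs = parse_qsl(query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += list(header_params)
    seen = set()
    for name, _value in pairs:
        if not name.startswith("oauth_"):
            continue  # ordinary parameters are allowed to repeat
        if name in seen:
            # Fail closed: do not pick a "winner", even if the values match.
            raise DuplicateOAuthParameter(name)
        seen.add(name)
    return pairs


def normalize(pairs):
    """Sort by encoded name, then encoded value; oauth_signature is excluded."""
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in encoded)


if __name__ == "__main__":
    # Constructed sample: the repeated non-oauth parameters from the thread.
    print(normalize(collect_parameters(query="a=1&foo=bar&foo=gorp&a=1")))
    # Constructed sample: oauth_version in both the query string and the header.
    try:
        collect_parameters(query="oauth_version=1.0",
                           header_params=[("oauth_version", "1.0")])
    except DuplicateOAuthParameter as exc:
        print("rejected duplicate:", exc)
```

Running the duplicate check over the merged list, rather than per transport, is what catches the case Zhihong raises, where the same oauth_* name arrives by two different routes.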
