Thanks for the clarification. All the libraries we use (Java, PHP, JavaScript) don't check for duplicates, and all the implementations I tried simply give signature errors. I think OAuth should have stronger language and a specific error code for duplicate OAuth parameters.
It took me almost an hour to realize my signature error was caused by duplicate parameters.

Zhihong

On Mar 1, 12:41 am, Eran Hammer-Lahav <[email protected]> wrote:
> Per section 5: "Each OAuth Protocol Parameters MUST NOT appear more than once". So any compliant library MUST issue an error if any oauth_* parameter is duplicated. Any other parameter is allowed to repeat, and such examples are included in the sorting text of section 9.
>
> EHL
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of JR Conlin
> > Sent: Friday, February 27, 2009 7:30 PM
> > To: [email protected]
> > Subject: [oauth] Re: Duplicate Parameters
> >
> > Zhihong wrote:
> > > What's OAuth's rule on duplicate parameters? Any parameter can appear in query string, Authorization header or post body. What happens if the same parameter (say oauth_version) appears in more than one place?
> >
> > If I remember correctly, non-oauth parameters are sorted by key value, then value, so
> > http://example.com?a=1&foo=bar&foo=gorp&a=1
> > would be signed as
> > http://example.com?a=1&a=1&foo=bar&foo=gorp
> >
> > oauth_* parameters should not be duplicated, but if they were, I'd imagine that most libraries would sort them according to similar rules. The obvious reason that the oauth_* parameters shouldn't be duplicated is that there's no telling which token or secret would be used.
> >
> > > I tried to find some guidance in the spec to no avail. Our current implementation allows duplicate parameters as long as the signature accounts for the duplication (the parameter is repeated in the base string). However, it's still a mystery which one takes precedence if they have different values. In my opinion, this should be clearly banned in the spec.
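The behaviour the thread argues for, as an added example that is not part of the original posts and not the code of any of the libraries mentioned: gather OAuth 1.0 parameters from all three transmission locations (query string, Authorization header, form body), reject any oauth_* name that appears more than once, and otherwise normalize by sorting on name and then value, so JR's `a=1&foo=bar&foo=gorp&a=1` becomes `a=1&a=1&foo=bar&foo=gorp`. The function names, the exception class and the sample requests are my own constructions; the sorting and percent-encoding rules follow the OAuth Core 1.0 signature base string text that the thread refers to as section 9.

```python
"""Added example: OAuth 1.0 parameter collection, duplicate check and
normalization. Not from the thread or from any OAuth library."""

import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Matches name="value" pairs inside an 'OAuth ...' Authorization header.
_HEADER_PARAM = re.compile(r'([A-Za-z0-9_]+)="([^"]*)"')


class DuplicateOAuthParameter(ValueError):
    """Raised when an oauth_* parameter appears more than once (hypothetical name)."""


def pct_encode(s: str) -> str:
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(s, safe="-._~")


def params_from_query(url: str) -> list[tuple[str, str]]:
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def params_from_header(header: str) -> list[tuple[str, str]]:
    # Header values are percent-encoded and quoted; 'realm' is not a
    # protocol parameter and is excluded from the base string.
    if not header.startswith("OAuth "):
        return []
    return [(unquote(k), unquote(v))
            for k, v in _HEADER_PARAM.findall(header[len("OAuth "):])
            if k != "realm"]


def params_from_body(body: str, content_type: str) -> list[tuple[str, str]]:
    if content_type != "application/x-www-form-urlencoded" or not body:
        return []
    return parse_qsl(body, keep_blank_values=True)


def find_duplicate_oauth_names(params: list[tuple[str, str]]) -> list[str]:
    """Return oauth_* names seen more than once, in first-seen order."""
    seen, dupes = set(), []
    for name, _ in params:
        if name.startswith("oauth_"):
            if name in seen and name not in dupes:
                dupes.append(name)
            seen.add(name)
    return dupes


def collect_parameters(url: str, header: str = "", body: str = "",
                       content_type: str = "") -> list[tuple[str, str]]:
    """Merge parameters from all three locations; fail on duplicate oauth_*."""
    params = (params_from_query(url) + params_from_header(header)
              + params_from_body(body, content_type))
    dupes = find_duplicate_oauth_names(params)
    if dupes:
        raise DuplicateOAuthParameter(
            "oauth_* parameter(s) appear more than once: " + ", ".join(dupes))
    return params


def normalize_parameters(params: list[tuple[str, str]]) -> str:
    # Encode first, then sort the (name, value) tuples: this orders by
    # name and, for repeated names, by value. oauth_signature is excluded.
    encoded = sorted((pct_encode(k), pct_encode(v))
                     for k, v in params if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in encoded)


def base_string_uri(url: str) -> str:
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    if port and not ((scheme == "http" and port == 80)
                     or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str,
                          params: list[tuple[str, str]]) -> str:
    return "&".join(pct_encode(part) for part in (
        method.upper(), base_string_uri(url), normalize_parameters(params)))


if __name__ == "__main__":
    # Constructed sample: JR's repeated non-oauth parameters.
    url = "http://example.com?a=1&foo=bar&foo=gorp&a=1"
    print(signature_base_string("GET", url, collect_parameters(url)))
    # Constructed sample: oauth_version sent both in the query and the header.
    try:
        collect_parameters("http://example.com/?oauth_version=1.0",
                           header='OAuth realm="x", oauth_version="1.0"')
    except DuplicateOAuthParameter as exc:
        print("rejected:", exc)
```

Rejecting duplicate oauth_* names before normalization is what turns the "mystery signature error" in the thread into a precise failure: the server never has to guess which token or secret the client meant.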
