Once we clarify sorting, let's add some test cases to http://wiki.oauth.net/TestCases
Sorting was ably discussed in http://groups.google.com/group/oauth/browse_thread/thread/7c698004be0d536/

One must percent encode the parameter names and values and then sort their encoded form. This is different from the order of the data before percent encoding. For example, {} comes before AB, because the percent encoding of {} is %7B%7D, which comes before AB (the percent encoding of AB).

The Java library encodes characters to UTF-8, and percent-encodes before sorting. At the end it sorts by Unicode, but don't be fooled: it's not sorting the original data.

Forbidding repeated parameter names would be a significant change from OAuth 1.0. It's too late for such a change, I think.

On Mar 11, 7:50 am, Zhihong <[email protected]> wrote:
> Regarding character encoding, current spec sounds good but it's really
> hard to implement. The fact is that all the OAuth libraries we use are
> non-compliant.
> Java library sorts on UTF-16BE. The PHP one is messy, it probably
> sorts on the octet stream of whatever encoding defined by setlocale.
>
> The sorting is a tough issue no matter what you do. If you sort on
> octet stream, you have to bypass most web frameworks to get it. If you
> sort on a specific encoding, it's not readily convertible on some
> platforms. Sometimes, OAuth just doesn't know what encoding it is.
>
> OAuth should stay out of the multi-byte collation mess. We achieve this
> by adding the following restrictions to OAuth spec,
>
> 1. Parameter name must be ASCII.
> 2. Duplicate parameters are not allowed.
>
> Even without OAuth, these 2 restrictions are good practices for any
> web protocols. Our product is for Chinese market, I haven't seen
> anyone use non-ASCII names in parameter names.
>
> So I think these restrictions should be added in OAuth, at least as
> recommendations.
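The encode-then-sort rule discussed in this message, as an added example that is not part of the original post or of any OAuth library: it percent-encodes names and values as UTF-8, sorts the encoded pairs, and contrasts that with sorting the unencoded data. The function names and the sample parameters are constructed for illustration.

```python
from urllib.parse import quote


def pct(s: str) -> str:
    """Percent-encode the UTF-8 bytes of s, keeping only RFC 3986 unreserved chars."""
    return quote(s, safe="-._~", encoding="utf-8")


def encoded_sort(params):
    """Encode every name and value first, then sort the encoded pairs
    (by name, then by value, so repeated names still get a fixed order)."""
    return sorted((pct(k), pct(v)) for k, v in params)


def normalize(params) -> str:
    """Join the sorted, encoded pairs into the normalized parameter string
    that goes into the signature base string."""
    return "&".join(f"{k}={v}" for k, v in encoded_sort(params))


def raw_sort_names(params):
    """The mismatching order: sorting the data before percent-encoding."""
    return [k for k, _ in sorted(params)]


def utf16_sort_names(params):
    """Order obtained by comparing UTF-16 code units of the unencoded names."""
    return [k for k, _ in sorted(params, key=lambda kv: kv[0].encode("utf-16-be"))]


# Constructed sample parameters (a repeated name and a non-ASCII value included).
SAMPLE = [("{}", "1"), ("AB", "2"), ("AB", "1"), ("a b", "\u00e9")]
# Constructed names where UTF-16 code-unit order and UTF-8 byte order disagree.
ASTRAL = [("\U00010000", "x"), ("\ufffd", "y")]

if __name__ == "__main__":
    print("raw order:    ", raw_sort_names(SAMPLE))
    print("normalized:   ", normalize(SAMPLE))
    print("utf-16 order: ", utf16_sort_names(ASTRAL))
    print("encoded order:", [k for k, _ in encoded_sort(ASTRAL)])
```

A client and server that disagree on any of these orderings compute different signature base strings, so the signature check fails even though both hold the same secret.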
