You are correct. Just looked at the code again and it does seem to sort the parameters correctly. I missed the magic in URLEncoder.
I will find out why my test case fails and get back to you if I find any issues.

Zhihong

On Mar 15, 4:06 pm, [email protected] wrote:
> Once we clarify sorting, let's add some test cases
> to http://wiki.oauth.net/TestCases
>
> Sorting was ably discussed
> in http://groups.google.com/group/oauth/browse_thread/thread/7c698004be0...
> One must percent encode the parameter names and values and then sort
> their encoded form. This is different from the order of the data
> before percent encoding. For example, {} comes before AB, because the
> percent encoding of {} is %7B%7D, which comes before AB (the percent
> encoding of AB).
>
> The Java library encodes characters to UTF-8, and percent-encodes
> before sorting. At the end it sorts by Unicode, but don't be fooled:
> it's not sorting the original data.
>
> Forbidding repeated parameter names would be a significant change from
> OAuth 1.0. It's too late for such a change, I think.
>
> On Mar 11, 7:50 am, Zhihong <[email protected]> wrote:
>
> > Regarding character encoding, current spec sounds good but it's really
> > hard to implement. The fact is that all the OAuth libraries we use are
> > non-compliant.
> > Java library sorts on UTF-16BE. The PHP one is messy, it probably
> > sorts on the octet stream of whatever encoding defined by setlocale.
>
> > The sorting is a tough issue no matter what you do. If you sort on
> > octet stream, you have to bypass most web frameworks to get it. If you
> > sort on a specific encoding, it's not readily convertible on some
> > platforms. Sometimes, OAuth just doesn't know what encoding it is.
>
> > OAuth should stay out of the multi-byte collation mess. We achieve this
> > by adding the following restrictions to the OAuth spec,
>
> > 1. Parameter name must be ASCII.
> > 2. Duplicate parameters are not allowed.
>
> > Even without OAuth, these 2 restrictions are good practices for any
> > web protocols. Our product is for the Chinese market, I haven't seen
> > anyone use non-ASCII names in parameter names.
>
> > So I think these restrictions should be added in OAuth, at least as
> > recommendations.
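
The encode-then-sort rule described in the quoted Mar 15 message, as an added example that is not part of the original thread or of any OAuth library: it normalizes a parameter list both ways so a signing or verifying implementation can see where the two orders diverge. The function names and the sample parameters are constructed for illustration.

```python
from urllib.parse import quote

# Constructed sample parameters (not taken from the thread or the wiki test cases).
SAMPLE = [("AB", "1"), ("{}", "2"), ("a", "z"), ("a", "b"), ("名", "x")]


def pct(text):
    """Percent-encode the UTF-8 octets, leaving only A-Z a-z 0-9 - . _ ~ bare."""
    return quote(text.encode("utf-8"), safe="-._~")


def normalize(params):
    """Encode names and values first, then sort by encoded name, then encoded value."""
    encoded = [(pct(name), pct(value)) for name, value in params]
    # Encoded strings are pure ASCII, so Python's code-point comparison is the
    # same as byte-value comparison: no locale or collation is involved.
    encoded.sort()
    return "&".join(f"{name}={value}" for name, value in encoded)


def sort_then_encode(params):
    """The mistaken order: sort the raw data, then encode it."""
    return "&".join(f"{pct(n)}={pct(v)}" for n, v in sorted(params))


def signing_order_mismatch(params):
    """True when the two orders differ, i.e. the two sides would sign different strings."""
    return normalize(params) != sort_then_encode(params)


if __name__ == "__main__":
    print(normalize(SAMPLE))
    print(sort_then_encode(SAMPLE))
    print(signing_order_mismatch(SAMPLE))
```

Repeated names (`a` here) are kept and ordered by their encoded value, and the non-ASCII name sorts by its `%E5...` form rather than by its code point.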
