Brian,
A couple of quick comments on draft-eaton-oauth-bodyhash before it goes final:
1. RFC 4648 "The Base16, Base32, and Base64 Data Encodings" is a better reference
   for base64 than RFC 2045 "MIME Part 1: Format of Internet Message Bodies".
2. §4.1.1, 2nd dot point has an incomplete sentence:
   "The presence or absence"
3. The %-escaping in the examples looks wrong.
     Authorization: OAuth realm="http%3A%2F%2Fwww.example.com",
     oauth_body_hash="2jmj7l5rSw0yVb/vlWAYkK/YBwk%3D",
     ... oauth_signature="08bUFF%2Fjmp59mWB7cSgCYBUpJ0U%3D"
   In oauth_body_hash "=" is escaped as %3D, but "/" is not escaped.
   In oauth_signature both "=" and "/" are escaped.
I hope the answer is that base64 values don't need any %-escaping when used as
HTTP header parameters. OAuth-specific escaping rules may differ though.
James Manger
[email protected]
Identity and security team — Chief Technology Office — Telstra
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brian
Eaton
Sent: Friday, 3 April 2009 12:11 PM
To: [email protected]; [email protected]
Subject: [oauth] Re: [opensocial-and-gadgets-spec] Spec clarification - Refer
to oauth_body_hash signing in JSON-RPC spec
[+oauth mailing list]
Seems like the right thing to do.
I'm going to declare
http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/8/draft-eaton-oauth-bodyhash.html
final tomorrow.
Changes since the last revision:
- omit oauth_body_hash on all request token and access token requests;
this improves compatibility with various strict OAuth SPs.
- include oauth_body_hash everywhere else.
- lots of clean up and general editorial improvements from Eran.
Thanks to everyone who contributed feedback on this spec.
On Thu, Apr 2, 2009 at 2:27 PM, Louis Ryan <[email protected]> wrote:
> Hi,
>
> I'd like to refer to the oauth_body_hash signing proposal as a SHOULD in the
> JSON_RPC spec in replacement for the ad-hoc body signing mechanism mentioned
> in section 8. See
> http://opensocial-resources.googlecode.com/svn/spec/draft/RPC-Protocol.xml#rfc.section.8
>
> Any objections?
>
> -Louis
>
> >
>
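Added example, not part of the original thread or of the draft: it applies the OAuth Core 1.0 parameter-encoding rule (only ALPHA, DIGIT, "-", ".", "_" and "~" stay literal) to the header quoted in James Manger's message at the top of this thread, and reports which parameter values are only partly escaped. The function names are illustrative, and SHA-1 is assumed because the quoted oauth_body_hash value equals the base64 SHA-1 of an empty body.

```python
import base64
import hashlib
import re
from urllib.parse import quote


def oauth_escape(value: str) -> str:
    """Percent-encode everything except the unreserved set, uppercase hex."""
    return quote(value, safe="-._~")


def body_hash(body: bytes) -> str:
    """Base64 of SHA-1 over the raw body (assumed algorithm), before escaping."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


PARAM = re.compile(r'(\w+)="([^"]*)"')
# A character outside the unreserved set, or a "%" that does not start %XX.
UNESCAPED = re.compile(r"[^A-Za-z0-9\-._~%]|%(?![0-9A-F]{2})")


def audit_header(header: str) -> dict:
    """Map each parameter name to the characters left unescaped in its value."""
    findings = {}
    for name, value in PARAM.findall(header):
        bad = sorted(set(UNESCAPED.findall(value)))
        if bad:
            findings[name] = bad
    return findings


# Header as quoted in the thread; the elided middle ("...") is left out.
HEADER = (
    'OAuth realm="http%3A%2F%2Fwww.example.com", '
    'oauth_body_hash="2jmj7l5rSw0yVb/vlWAYkK/YBwk%3D", '
    'oauth_signature="08bUFF%2Fjmp59mWB7cSgCYBUpJ0U%3D"'
)

if __name__ == "__main__":
    print("findings:", audit_header(HEADER))
    print("raw hash of empty body:", body_hash(b""))
    print("escaped for the header:", oauth_escape(body_hash(b"")))
```

A client and a server that disagree on whether "/" is escaped will compute different signature base strings for the same request, so the signature check fails even though the body hash itself is correct.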