On Apr 29, 6:26 pm, Andrew Arnott <[email protected]> wrote:
> I'm curious about the way I see Google has implemented the OAuth 1.0
> protocol, which is reasonable, although the spec itself seems to disagree
> with it.
>
> From the spec <http://oauth.net/core/1.0/#anchor14>, snipped here:
>
> The request parameters are collected, sorted and concatenated into a
> normalized string:
>
> - Parameters in the OAuth HTTP Authorization header (Authorization Header
> ) <http://oauth.net/core/1.0/#auth_header_authorization> excluding the
> realm parameter.
> - Parameters in the HTTP POST request body (with a content-type of
> application/x-www-form-urlencoded).
> - HTTP GET parameters added to the URLs in the query part (as defined by
> [RFC3986] (Berners-Lee, T., “Uniform Resource Identifiers (URI): Generic
> Syntax,” .) <http://oauth.net/core/1.0/#RFC3986> section 3).
>
> Note that the query part of the URL is only supposed to be included in the
> construction of the signature base string if the request is a GET. If the
> request is a POST that happens to include a query part in the URL, there is
> no mention of that as the source of parameters to sign. My take on that
> then is that the URI query part of a POST request is not signed.
>
> Is the spec wrong? (it seems insecure) Google signs this part although the
> spec seems to suggest against it.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
Glad you brought it up - I am running into the same, given the fact
that in the Java world, ServletRequest does not differentiate between
the two types of parameters. The call to getParameterMap() returns a
list of key, value[] pairs where key = param name and value[] is the
list of values. I am checking the content type, but frankly I do not
see much help from Java Servlet API to differentiate between POST body
parameters vs. the ones in the GET query string.
-cheers,
Manish
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
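As an added illustration of the point both posts raise (this is example code written for this page, not code from the thread, from Google or from any OAuth library): the functions below collect the three parameter sources from OAuth 1.0 section 9.1.1, build the normalized string and the signature base string, and sign with HMAC-SHA1. The `sign_query_on_post` switch selects between the literal reading of the 1.0 text (query part collected only for GET) and Google's practice (query part always collected). The request, consumer key and secret are constructed values, and the request is modelled as a plain dict rather than a servlet request.

```python
"""Added example: OAuth 1.0 parameter collection and signing for a POST whose
URL also carries a query component. All request values are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

FORM = "application/x-www-form-urlencoded"


def pct(s):
    """OAuth percent-encoding: encode everything except RFC 3986 unreserved chars."""
    return quote(s, safe="-._~")


def header_params(authorization):
    """oauth_* pairs from an 'OAuth ...' Authorization header, realm excluded."""
    if not authorization or not authorization.startswith("OAuth "):
        return []
    pairs = []
    for part in authorization[len("OAuth "):].split(","):
        name, _, value = part.strip().partition("=")
        if name == "realm":
            continue
        pairs.append((unquote(name), unquote(value.strip('"'))))
    return pairs


def collect_params(req, sign_query_on_post=True):
    """Gather (name, value) pairs from header, form body and URL query.

    sign_query_on_post=False is the literal 1.0 wording discussed in the thread
    (query part only for GET); True is what Google does (query part always)."""
    pairs = header_params(req["headers"].get("Authorization"))
    if req["method"] == "POST" and req["headers"].get("Content-Type") == FORM:
        pairs += parse_qsl(req.get("body", ""), keep_blank_values=True)
    if req["method"] == "GET" or sign_query_on_post:
        pairs += parse_qsl(urlsplit(req["url"]).query, keep_blank_values=True)
    # oauth_signature itself is never part of the base string
    return [(k, v) for k, v in pairs if k != "oauth_signature"]


def normalize(pairs):
    """Encode, sort by name then value, and join as name=value&name=value."""
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def base_string_uri(url):
    """scheme://host[:port]/path, lower-cased, default port and query dropped."""
    u = urlsplit(url)
    host = u.hostname.lower()
    default = {"http": 80, "https": 443}.get(u.scheme.lower())
    if u.port and u.port != default:
        host = f"{host}:{u.port}"
    return f"{u.scheme.lower()}://{host}{u.path}"


def signature_base_string(req, sign_query_on_post=True):
    return "&".join(pct(x) for x in (
        req["method"].upper(),
        base_string_uri(req["url"]),
        normalize(collect_params(req, sign_query_on_post)),
    ))


def hmac_sha1_signature(req, consumer_secret, token_secret="", sign_query_on_post=True):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(req, sign_query_on_post).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(req, presented, consumer_secret, token_secret="", sign_query_on_post=True):
    """Provider-side check: recompute and compare in constant time."""
    expected = hmac_sha1_signature(req, consumer_secret, token_secret, sign_query_on_post)
    return hmac.compare_digest(expected, presented)


# Constructed request: a form POST whose URL also has a query component.
REQUEST = {
    "method": "POST",
    "url": "https://photos.example.net/upload?album=vacation",
    "headers": {
        "Content-Type": FORM,
        "Authorization": 'OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", '
                         'oauth_signature_method="HMAC-SHA1", oauth_timestamp="1191242096", '
                         'oauth_nonce="kllo9940pd9333jh", oauth_version="1.0"',
    },
    "body": "title=Beach",
}
CONSUMER_SECRET = "kd94hf93k423kf44"  # constructed, not a real secret


def tamper_demo(sign_query_on_post):
    """Sign, then alter the query part in transit; True means the change went unnoticed."""
    sig = hmac_sha1_signature(REQUEST, CONSUMER_SECRET, sign_query_on_post=sign_query_on_post)
    tampered = dict(REQUEST, url="https://photos.example.net/upload?album=private")
    return verify(tampered, sig, CONSUMER_SECRET, sign_query_on_post=sign_query_on_post)


if __name__ == "__main__":
    print(normalize(collect_params(REQUEST)))
    print("query signed, tamper undetected:", tamper_demo(True))
    print("query unsigned, tamper undetected:", tamper_demo(False))
```

Running it shows the consequence of each reading: with the query part in the base string, a changed `album` value fails verification; under the GET-only reading it verifies unchanged, which is why Google's practice is the safer one (the later RFC 5849 wording, section 3.4.1.3.1, also collects the query component for every method). On the Java side the equivalent of `urlsplit(url).query` is `HttpServletRequest.getQueryString()`, which returns the raw query string independently of `getParameterMap()` and so lets a provider treat the two sources separately.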