Exactly. This was fixed in the IETF draft and the Editor's Cut version.

EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Jason Davies
> Sent: Sunday, July 19, 2009 9:07 AM
> To: OAuth
> Subject: [oauth] Re: Clarification of 9.4.1 - "PLAINTEXT" signature method
>
> Hi Eran,
>
> Thanks for your reply. Just in case anyone is still confused, the
> plaintext signature is: encode(consumer_secret) + '&' + encode(token_secret)
> (this is the first encoding step and this is what I would call the actual
> signature). Then the second encoding step is done when actually sending
> the OAuth parameters, i.e. oauth_signature=encode(plaintext_signature).
>
> Cheers,
>
> Jason
>
> On Jul 19, 4:52 pm, Eran Hammer-Lahav <[email protected]> wrote:
> > That's a bug in the spec. The second encoding only happens according
> > to the way the parameters are delivered. The example in the spec is
> > correct.
> >
> > EHL
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]] On Behalf Of Jason Davies
> > > Sent: Sunday, July 19, 2009 2:11 AM
> > > To: OAuth
> > > Subject: [oauth] Clarification of 9.4.1 - "PLAINTEXT" signature method
> > >
> > > Hi there,
> > >
> > > I've been implementing OAuth support for CouchDB [1] using Tim
> > > Fletcher's erlang-oauth library [2]. However, I noticed a discrepancy
> > > in his implementation compared to a Java implementation [3] and
> > > Google's OAuth.js, in that it was URL-encoding the PLAINTEXT signature
> > > *twice*. Looking at the spec, it does seem a bit ambiguous due to the
> > > sentence: "The result MUST be encoded again". However, the example in
> > > appendix A.2 clearly shows the signature only being URL-encoded once.
> > >
> > > Can someone authoritative clarify this? I'm pretty sure this should
> > > read, "the result is URL-encoded per Parameter Encoding" or similar to
> > > make it clear that the plaintext signature should only be URL-encoded
> > > once.
> > >
> > > To add to the confusion, I believe the PHP library [4] also encodes
> > > the PLAINTEXT signature twice; this really should be fixed. This is
> > > hinted in this thread:
> > >
> > > http://groups.google.com/group/oauth/browse_thread/thread/bd2e6d9feadfdea7/ab5fe9e473124316?lnk=gst&q=plaintext#ab5fe9e473124316
> > >
> > > There is also another message on this group about this, but
> > > unfortunately with no reply:
> > >
> > > http://groups.google.com/group/oauth/browse_thread/thread/59e57bf6966b7a84/e273badfb7f5ab62?lnk=gst&q=plaintext#e273badfb7f5ab62
> > >
> > > Thanks for your time,
> > >
> > > Jason
> > >
> > > [1]: http://github.com/jasondavies/couchdb/tree/oauth
> > > [2]: http://github.com/tim/erlang-oauth/tree/master
> > > [3]: http://oauth.googlecode.com/svn/code/java/core/
> > > [4]: http://oauth.googlecode.com/svn/code/php/
> > >
> > > --
> > > www.jasondavies.com
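
The two encoding steps discussed in this thread, as an added example that is not part of the original messages or of any library named in them. The function names and the sample secrets are assumptions made up for illustration; `classify` expects the raw on-the-wire value of `oauth_signature`, before any framework has decoded it.

```python
import hmac
from urllib.parse import quote, unquote


def oauth_encode(value: str) -> str:
    """Percent-encode everything except unreserved characters (A-Z a-z 0-9 - . _ ~)."""
    return quote(value, safe="")


def plaintext_signature(consumer_secret: str, token_secret: str = "") -> str:
    """First encoding step: encode each secret, then join with a literal '&'."""
    return oauth_encode(consumer_secret) + "&" + oauth_encode(token_secret)


def wire_value(signature: str) -> str:
    """Second step: the usual parameter encoding applied when the value is sent."""
    return oauth_encode(signature)


def classify(received: str, consumer_secret: str, token_secret: str = "") -> str:
    """Diagnose a received oauth_signature value (still in its on-the-wire form).

    Only "valid" should be accepted; "double-encoded" is returned so the
    rejection can be logged as a client encoding bug rather than a bad secret.
    """
    expected = plaintext_signature(consumer_secret, token_secret).encode()
    once = unquote(received)
    if hmac.compare_digest(once.encode(), expected):
        return "valid"
    if hmac.compare_digest(unquote(once).encode(), expected):
        return "double-encoded"
    return "invalid"


if __name__ == "__main__":
    # Constructed sample secrets, chosen to contain characters that need encoding.
    cs, ts = "cs&key=1", "ts/2 x"
    sig = plaintext_signature(cs, ts)
    good = wire_value(sig)
    bad = oauth_encode(wire_value(sig))  # what a double-encoding client sends
    for label, value in (("correct", good), ("double", bad)):
        print(label, value, "->", classify(value, cs, ts))
```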
