The consumer key, consumer secret and nonce should be unguessable. A
popular choice is bits from a cryptographically strong random number
generator, encoded as letters and numerals. The nonce should not be a
predictable function of other data.
Don't add salt to the signature algorithm. That won't conform to
OAuth. (You might consider the consumer secret to be salt.)
On Jul 19, 5:51 pm, logix812 <aventure...@gmail.com> wrote:
> Now, the $signature could be generated a different way, so long as it
> was hashed under the provided oauth_signature_method.
> eg (adding a shared salt that both the consumer and the service
> provider know about):
>
> $signature = hash_hmac('sha1', $consumer_key.$shared_salt,
> $consumer_secret);
>
> Now, in both cases, when the Service Provider receives the request it
> can look at the signature, and perform it's own hash, under the same
> rules that the consumer generated their hash. Assuming service
> providers hash is equal to the signature, the Service Provider knows
> the request is signed, and can continue. This is the reason the
> consumer does not want to let anyone know what it's secret is. The
> $consumer_secret is effectively the password.
>
> Do I have the right idea for oauth_signature/$signature?
>
> oauth_nonce / $nonce, aside from marking request, so they cannot be
> used again, this is another place where the request can effective be
> signed. so long as both the service provider know how it was created,
> so that it can validate it. One possible way to create this value
> would then be:
>
> $nonce = hash('md5', $time.$consumer_secret.$consumer_key);
>
> Assuming the service provider knows the Consumer is using $time as
> part of the hash(which it will be receiving in oauth_timestamp), it
> should always generate a unique value.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
