The consumer key, consumer secret and nonce should be unguessable. A popular choice is bits from a cryptographically strong random number generator, encoded as letters and numerals. The nonce should not be a predictable function of other data.
Don't add salt to the signature algorithm. That won't conform to OAuth. (You might consider the consumer secret to be salt.)

On Jul 19, 5:51 pm, logix812 <aventure...@gmail.com> wrote:
> Now, the $signature could be generated a different way, so long as it
> was hashed under the provided oauth_signature_method.
> eg (adding a shared salt that both the consumer and the service
> provider know about):
>
> $signature = hash_hmac('sha1', $consumer_key.$shared_salt,
> $consumer_secret);
>
> Now, in both cases, when the Service Provider receives the request it
> can look at the signature, and perform its own hash, under the same
> rules that the consumer generated their hash. Assuming the service
> provider's hash is equal to the signature, the Service Provider knows
> the request is signed, and can continue. This is the reason the
> consumer does not want to let anyone know what its secret is. The
> $consumer_secret is effectively the password.
>
> Do I have the right idea for oauth_signature/$signature?
>
> oauth_nonce / $nonce, aside from marking requests so they cannot be
> used again, this is another place where the request can effectively be
> signed, so long as both the consumer and the service provider know how
> it was created, so that it can validate it. One possible way to create
> this value would then be:
>
> $nonce = hash('md5', $time.$consumer_secret.$consumer_key);
>
> Assuming the service provider knows the Consumer is using $time as
> part of the hash (which it will be receiving in oauth_timestamp), it
> should always generate a unique value.
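The advice above, put into code as an added example that is not from this thread or from any OAuth library: an OAuth 1.0 HMAC-SHA1 signer whose nonce comes from a CSPRNG, next to the deterministic md5(time.secret.key) nonce from the quoted message for contrast, and a service-provider check that recomputes the signature over the base string and rejects replayed nonces and stale timestamps. No salt is added because the consumer secret already is the HMAC key. The consumer key, secret, URL, parameters and the names make_nonce, predictable_nonce, base_string, hmac_sha1_signature, sign_request, ServiceProvider and demo are made up for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

# Example written for this thread; not from the OAuth spec text or any library.
# Consumer key/secret, URL and request parameters are constructed, not real.
CONSUMER_KEY = "consumer-key-123"
CONSUMER_SECRET = "s3cr3t-consumer"
URL = "http://photos.example.net/photos"
PARAMS = [("file", "vacation.jpg"), ("size", "original")]


def pct(s: str) -> str:
    """OAuth percent-encoding: encode everything except ALPHA / DIGIT / - . _ ~."""
    return quote(s, safe="-._~")


def make_nonce(nbytes: int = 16) -> str:
    """Unguessable nonce: CSPRNG bytes, hex-encoded (letters and numerals only)."""
    return secrets.token_hex(nbytes)


def predictable_nonce(timestamp: int, consumer_secret: str, consumer_key: str) -> str:
    """The scheme from the quoted message: a pure function of the (public)
    timestamp and fixed secrets, so identical inputs always give the same nonce."""
    return hashlib.md5(f"{timestamp}{consumer_secret}{consumer_key}".encode()).hexdigest()


def base_string(method: str, url: str, params) -> str:
    """Signature base string: METHOD & enc(url) & enc(normalized parameters).
    Parameters are encoded first, then sorted by name and value bytewise."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret="") -> str:
    """oauth_signature for HMAC-SHA1; the key is enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(method, url, params, consumer_key, consumer_secret, timestamp: int):
    """Consumer side: add the protocol parameters, then sign all of them."""
    signed = list(params) + [
        ("oauth_consumer_key", consumer_key),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp)),
        ("oauth_nonce", make_nonce()),
        ("oauth_version", "1.0"),
    ]
    signed.append(("oauth_signature", hmac_sha1_signature(method, url, signed, consumer_secret)))
    return signed


class ServiceProvider:
    """Verifies signed requests and remembers (key, timestamp, nonce) to stop replays."""

    def __init__(self, consumers, window: int = 300):
        self.consumers = dict(consumers)  # consumer_key -> consumer_secret
        self.window = window              # accepted clock skew in seconds
        self.seen = set()

    def verify(self, method, url, params, now: int) -> str:
        p = dict(params)
        secret = self.consumers.get(p.get("oauth_consumer_key"))
        if secret is None:
            return "unknown consumer"
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return "unsupported signature method"
        try:
            ts = int(p.get("oauth_timestamp", ""))
        except ValueError:
            return "bad timestamp"
        if abs(now - ts) > self.window:
            return "stale timestamp"
        tag = (p["oauth_consumer_key"], ts, p.get("oauth_nonce"))
        if tag in self.seen:
            return "replayed nonce"
        # Recompute over every parameter except the signature itself.
        unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
        expected = hmac_sha1_signature(method, url, unsigned, secret)
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return "bad signature"
        self.seen.add(tag)
        return "ok"


def demo(now: int = 1191242096):
    """Valid request, its replay, a tampered request, and a stale one."""
    sp = ServiceProvider({CONSUMER_KEY: CONSUMER_SECRET})
    req = sign_request("GET", URL, PARAMS, CONSUMER_KEY, CONSUMER_SECRET, now)
    results = [sp.verify("GET", URL, req, now), sp.verify("GET", URL, req, now)]
    fresh = sign_request("GET", URL, PARAMS, CONSUMER_KEY, CONSUMER_SECRET, now)
    tampered = [(k, "large" if k == "size" else v) for k, v in fresh]
    results.append(sp.verify("GET", URL, tampered, now))
    late = sign_request("GET", URL, PARAMS, CONSUMER_KEY, CONSUMER_SECRET, now - 3600)
    results.append(sp.verify("GET", URL, late, now))
    return results


if __name__ == "__main__":
    print(demo())
```

The service provider never needs to know how the nonce was built; it only needs the nonce to be fresh per (consumer key, timestamp), which is why a CSPRNG value works and a value derived from the timestamp and the secret adds nothing the signature does not already provide.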