Do you mean, "the Service Provider MUST exclude the oauth_version parameter when calculating the signature if not present in the Consumer request?"
While that should be implied by the fact that the spec labels the parameter optional, library developers still often miss it. +1 to making it more explicit. On Nov 4, 2009, at 8:36 AM, Peter Saint-Andre wrote: > > On 11/4/09 9:27 AM, Paul Walker wrote: >> A very common question: When the request has a body, is it valid to >> include the oauth_ parameters on the Query of the URI? >> >> Yes, many of the libraries have the spec wrong, especially when it >> comes to the optional oauth_version parameter (many will add it >> automatically in it's verification of a signature for example even >> though it is not required). Yes, all of these things make OAuth >> difficult and lack of gumption with the stake holders on the >> specifics >> of the standard are very frustrating at times. > > In http://tools.ietf.org/html/draft-hammer-oauth-03 the spec says: > > The "oauth_signature" parameter MUST be excluded if present. > > That might be taken to imply that all other parameters MUST/SHOULD/MAY > be included. Ideally this would be specified more explicitly. > > Peter > > -- > Peter Saint-Andre > https://stpeter.im/ > > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
