On 11/4/09 9:46 AM, Paul Walker wrote:
> Do you mean, "the Service Provider MUST exclude the oauth_version  
> parameter when calculating the signature if not present in the  
> Consumer request?"
> 
> While that should be implied by the fact that the spec labels the  
> parameter optional, library developers still often miss it.  +1 to  
> making it more explicit.

Sorry, I did not include complete text from the Internet-Draft.

See http://tools.ietf.org/html/draft-hammer-oauth-03#section-3.3.1

That says in part:

3.3.1.1. Collect Request Parameters


   The signature base string includes a specific set of request
   parameters....

   <snip/>

   The request parameters, which include both protocol parameters and
   request-specific parameters, are extracted and restored to their
   original unencoded form, from the following sources:

   o  The OAuth HTTP Authorization header (Section 3.4.1).  The "realm"
      parameter MUST be excluded if present.

   o  The HTTP request entity-body, but only if:

      *  The entity-body is single-part.

      *  The entity-body follows the encoding requirements of the
         "application/x-www-form-urlencoded" content-type as defined by
         [W3C.REC-html40-19980424].

      *  The HTTP request entity-header includes the "Content-Type"
         header set to "application/x-www-form-urlencoded".

   o  The query component of the HTTP request URI as defined by
      [RFC3986] section 3.

   The "oauth_signature" parameter MUST be excluded if present.

By my reading, that means "the signature base string includes all
protocol parameters and request-specific parameters *except* the
oauth_signature parameter", but if greater clarity is needed then the
spec can be updated.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
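
Added example, not part of the message above or of the Internet-Draft: a Service Provider-side sketch of the collection step quoted from Section 3.3.1.1, showing that `realm` and `oauth_signature` are dropped and that `oauth_version` reaches the base string only when the Consumer sent it. The function name `collect_parameters`, the simplified header parsing, and every sample value are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

FORM = "application/x-www-form-urlencoded"

def collect_parameters(uri, authorization=None, content_type=None, body=""):
    """Collect decoded (name, value) pairs per the quoted Section 3.3.1.1."""
    params = []
    # Source 1: OAuth Authorization header; "realm" is excluded.
    if authorization and authorization[:6].lower() == "oauth ":
        for name, value in re.findall(r'([^\s=,]+)="([^"]*)"', authorization[6:]):
            if name != "realm":
                params.append((unquote(name), unquote(value)))
    # Source 2: entity-body, only when the Content-Type header says it is
    # form-encoded (a multipart body is never read).
    if content_type and content_type.split(";")[0].strip().lower() == FORM:
        params += parse_qsl(body, keep_blank_values=True)
    # Source 3: query component of the request URI.
    params += parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    # oauth_signature is dropped wherever it appeared. Nothing is added:
    # oauth_version is in the result only if the request carried it.
    return [(n, v) for n, v in params if n != "oauth_signature"]

# Constructed sample request (all values are made up for illustration).
URI = "http://sp.example/photos?size=original&title=a%20b"
AUTH = ('OAuth realm="Photos", oauth_consumer_key="ck-constructed", '
        'oauth_nonce="n1", oauth_signature_method="HMAC-SHA1", '
        'oauth_timestamp="1257350000", oauth_signature="c2ln%3D"')

if __name__ == "__main__":
    for label, header in (("without oauth_version", AUTH),
                          ("with oauth_version", AUTH + ', oauth_version="1.0"')):
        print(label, collect_parameters(URI, header, FORM, "file=vacation.jpg"))
```

A verifier that inserts a default `oauth_version=1.0` before signing would compute a different base string from the Consumer in the first case and reject a valid signature.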


