First, go read: http://tools.ietf.org/html/draft-hammer-oauth
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Paul Walker
> Sent: Wednesday, November 04, 2009 8:27 AM

> A very common question: When the request has a body, is it valid to
> include the oauth_ parameters on the Query of the URI?

Yes. The OAuth spec (especially the newer draft-hammer-oauth-03) provides three methods for delivering parameters. It is mostly mute on which method should be used when and also does not explicitly forbid mixing them up in a single request. I am going to add a note to draft-hammer-oauth-03 about only using one method for all oauth_ parameters. That draft already removed most of the other restrictions about using methods with any HTTP request method (GET, POST, etc.).

> Yes, many of the libraries have the spec wrong, especially when it
> comes to the optional oauth_version parameter (many will add it
> automatically in its verification of a signature for example even
> though it is not required).

The oauth_version parameter is only included in the signature if it is explicitly sent with the request. At this point, clients should not send it (or include it in the signature) and servers must only include it in the signature if it is explicitly sent.

> Yes, all of these things make OAuth
> difficult and lack of gumption with the stakeholders on the specifics
> of the standard is very frustrating at times.

Not sure who this dig is aimed at... OAuth is now over 2 years old and we have a lot more deployment experience. I have spent a considerable amount of time rewriting the specification (from scratch) in order to correct all the known editorial issues with the spec as well as make some minor normative changes (listed in the appendix). If anyone should be frustrated, it is *me*, given the lack of review and feedback for this newer draft (it is 8 months old).
I am hoping that this will change once draft-hammer-oauth becomes an RFC (shortly) and will be the only specification used by implementers for Core 1.0a. However, it would be a shame to publish it as an RFC to only find out it still contains problems and incomplete explanations. If draft-hammer-oauth isn't good enough or doesn't explain OAuth 1.0a in a way that is complete and accessible, implementers can only blame themselves.

> I would like to add another question to the group: where is the
> appropriate place to posit OAuth questions right now? The IETF
> mailing list or this one? Where is the appropriate place for
> discussion of extensions?

With regard to discussions, this is the best place to ask for clarifications and support of OAuth 1.0a. Discussions about extensions really make no difference because over the past 2 years there have been little to none anyway. If you have a need for an extension feel free to bring it up on either list, but be warned that you will most likely have to write it yourself. There are no bored spec writers around that I'm aware of...

EHL
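The two rules discussed in this thread (oauth_version enters the signature only when it was actually sent, and all oauth_ parameters travel by one method) can be seen in a small OAuth 1.0a HMAC-SHA1 verifier. This is an added example, not code from the thread, the draft, or any OAuth library; the function names, the pre-parsed `header_pairs` input, the rejection of mixed methods, and the sample request values are assumptions made for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote

def enc(s):
    # OAuth percent-encoding: only unreserved characters stay literal.
    return quote(s, safe="-._~")

def collect(query, header_pairs, form_body):
    """Merge parameters from the three transmission methods.
    header_pairs: Authorization header already parsed into (name, value)."""
    sources = {
        "query": parse_qsl(query, keep_blank_values=True),
        "header": [(k, v) for k, v in header_pairs if k != "realm"],
        "body": parse_qsl(form_body, keep_blank_values=True),
    }
    used = [name for name, pairs in sources.items()
            if any(k.startswith("oauth_") for k, _ in pairs)]
    if len(used) > 1:  # policy assumed here: one method for all oauth_ params
        raise ValueError("oauth_ parameters split across " + ", ".join(used))
    return [p for pairs in sources.values() for p in pairs]

def base_string(method, base_uri, params):
    # Sign exactly what was sent: nothing (oauth_version included) is added.
    pairs = sorted((enc(k), enc(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(k + "=" + v for k, v in pairs)
    return "&".join([method.upper(), enc(base_uri), enc(normalized)])

def sign(base, consumer_secret, token_secret=""):
    key = (enc(consumer_secret) + "&" + enc(token_secret)).encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(method, base_uri, params, consumer_secret, token_secret=""):
    sent = dict(params).get("oauth_signature", "")
    expected = sign(base_string(method, base_uri, params), consumer_secret, token_secret)
    return hmac.compare_digest(sent.encode(), expected.encode())

# Constructed sample request: oauth_ parameters in the header, no oauth_version.
HEADER = [("realm", "Example"), ("oauth_consumer_key", "ck"), ("oauth_nonce", "n1"),
          ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1257352020")]
URI = "http://example.com/request"

if __name__ == "__main__":
    params = collect("", HEADER, "status=hi")
    signed = params + [("oauth_signature", sign(base_string("POST", URI, params), "cs"))]
    print(verify("POST", URI, signed, "cs"))                               # as sent
    print(verify("POST", URI, signed + [("oauth_version", "1.0")], "cs"))  # server adds it
```

The second call models a server library that inserts oauth_version on its own before verifying: the base string no longer matches what the client signed, so a valid request is rejected.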
