Authentication Open Question #1: What to sign?

OAuth Core 1.0 was designed to sign API requests made using common
form-encoded formats. The main component of the 1.0 signature base string
are the parameters. The host and HTTP methods are important but were never
the focus on the signed content.

draft-hammer-oauth does not change the process but does describe the process
very differently, changing the focus form signing API requests and
parameters to signing HTTP requests (partially).
draft-hammer-http-token-auth takes this approach a step further and focuses
on signing the raw HTTP request components, completely ignoring their
meaning as used by API calls. The end result is very similar but the
differences are important.

Brian Eaton proposed [1] an alternative approach to sign messages instead of
API calls or HTTP request. In his proposal, the HTTP request (or API call
based on your perspective) in transformed into a message (in his case using
a JSON-based format) which is then signed. This additional layer of
abstraction allows the use of the method with other transports or use cases
in which parameters are not sent in the request URI or body.

QUESTION: Do you prefer:

A. Directly processing the HTTP request into a base string for signing
(draft-hammer-oauth style).
B. Treating the request as an API call with form-encoded parameters (OAuth
1.0 style).
C. Converting the request into a normalized message and signing that (Eaton
style).

EHL

[1] http://www.ietf.org/mail-archive/web/oauth/current/msg00890.html

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to