Apologies, I had not realised that this was intended to be a form-encoded body,
and thought it was a typo. However, according to RFC 2616 the body of a GET
request has no semantic meaning and should be ignored by an origin server
(summarised well in the following quotation from Roy Fielding):
"Yes. In other words, any HTTP request message is allowed to contain
a message body, and thus must parse messages with that in mind.
Server semantics for GET, however, are restricted such that a body,
if any, has no semantic meaning to the request. The requirements
on parsing are separate from the requirements on method semantics."
Source: http://tech.groups.yahoo.com/group/rest-discuss/message/9962
As such, I would have thought that when computing the signature base string the
form body should similarly be ignored here. Is the OAuth specification stating
that we should consider the form body even when it has no semantic meaning?
From: Eran Hammer-Lahav [mailto:[email protected]]
Sent: 07 April 2010 11:46
To: Greg Beech; OAuth WG
Subject: Re: [OAUTH-WG] Error in example in section 3.4.1.1 of draft-hammer-oauth-10
While odd, this is a perfectly legal GET request with a form-encoded body.
EHL
On 4/7/10 3:33 AM, "Greg Beech" <[email protected]> wrote:
Hi
I noticed that there is an error in the example for section 3.4.1.1 in
the latest OAuth draft. The example of building a signature base string
uses the following request as an example (note the extraneous query
parameters at the bottom):
GET /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="Example",
oauth_consumer_key="9djdj82h48djs9d2",
oauth_token="kkk9d7dh3k39sjv7",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131201",
oauth_nonce="7d8f3e4a",
oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D"
c2&a3=2+q
I believe that this should be as follows, which will cause the
documented signature base string to be constructed:
GET /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b&c2=&a3=2+q HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="Example",
oauth_consumer_key="9djdj82h48djs9d2",
oauth_token="kkk9d7dh3k39sjv7",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131201",
oauth_nonce="7d8f3e4a",
oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D"
Apologies if this is a duplicate comment; I searched the archives but
could not find any reference to this issue.
--
Greg
Blinkbox Entertainment Ltd - The best movies & TV online |
Greg Beech | Senior Development Engineer Lead | +44 20 7092 8700 | +44 7970 480901
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
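The thread turns on which request components the signature base string covers. The following is an added example, not code from the thread, from the OAuth draft, or from any of the participants: it builds the section 3.4.1 base string for the draft's GET request quoted above (the same request RFC 5849 later uses in its section 3.4.1.1), collecting parameters from the query string, the oauth_* Authorization parameters and the form-encoded body, and then shows how the result changes when the body is left out. The Authorization header is given unfolded on one line, the secrets passed to the signing function are constructed placeholders (the draft example gives none), and the treatment of a non-form Content-Type is an assumption of this code.

```python
"""OAuth 1.0 signature base string for the draft's section 3.4.1.1 request.

Added example (not code from the thread or from the OAuth draft): it gathers the
parameters the signature covers from the query string, the oauth_* Authorization
parameters and the form-encoded entity body, then normalises them as the draft
(finalised as RFC 5849, section 3.4.1) specifies.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Sample input, transcribed from the draft example quoted in Greg's first mail
# (header folding removed so it fits on one line).
DRAFT_METHOD = "GET"
DRAFT_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
DRAFT_CONTENT_TYPE = "application/x-www-form-urlencoded"
DRAFT_AUTHORIZATION = (
    'OAuth realm="Example", '
    'oauth_consumer_key="9djdj82h48djs9d2", '
    'oauth_token="kkk9d7dh3k39sjv7", '
    'oauth_signature_method="HMAC-SHA1", '
    'oauth_timestamp="137131201", '
    'oauth_nonce="7d8f3e4a", '
    'oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D"'
)
DRAFT_BODY = "c2&a3=2+q"


def pct_encode(value):
    """Percent-encode as section 3.6 requires: only ALPHA, DIGIT, '-', '.', '_', '~'
    pass through; every other byte of the UTF-8 form becomes uppercase %XX."""
    return quote(value.encode("utf-8"), safe="-._~")


def parse_authorization(header):
    """Return the (name, value) pairs carried in an 'OAuth' Authorization header,
    percent-decoded. 'realm' and 'oauth_signature' are not part of the base
    string (section 3.4.1.3.1), so they are dropped here."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "oauth":
        return []
    pairs = []
    for item in rest.split(","):
        name, _, value = item.strip().partition("=")
        name = name.strip()
        value = value.strip().strip('"')
        if name in ("realm", "oauth_signature"):
            continue
        pairs.append((unquote(name), unquote(value)))
    return pairs


def collect_parameters(url, authorization, body=None, content_type=None):
    """Every pair the signature must cover: query string, oauth_* header
    parameters, and the entity body when (and only when) its media type is
    application/x-www-form-urlencoded. Blank values are kept ('c2' -> ('c2', ''))."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_authorization(authorization)
    media_type = (content_type or "").split(";")[0].strip().lower()
    if body and media_type == "application/x-www-form-urlencoded":
        params += parse_qsl(body, keep_blank_values=True)
    return params


def normalize_parameters(params):
    """Encode each name and value, sort by name then value in byte order, and
    join as name=value pairs with '&' (section 3.4.1.3.2)."""
    encoded = sorted((pct_encode(n), pct_encode(v)) for n, v in params)
    return "&".join("%s=%s" % (n, v) for n, v in encoded)


def base_string_uri(url):
    """Lowercase scheme and host, drop default ports, strip query and fragment
    (section 3.4.1.2)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or
                     (scheme == "https" and port == 443)):
        host = "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, host, parts.path)


def signature_base_string(method, url, authorization, body=None, content_type=None):
    """METHOD&encode(base URI)&encode(normalized parameters) (section 3.4.1.1)."""
    params = collect_parameters(url, authorization, body, content_type)
    return "&".join([method.upper(),
                     pct_encode(base_string_uri(url)),
                     pct_encode(normalize_parameters(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string keyed with 'encode(consumer)&encode(token)',
    base64-encoded (section 3.4.2)."""
    key = "%s&%s" % (pct_encode(consumer_secret), pct_encode(token_secret))
    digest = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    with_body = signature_base_string(DRAFT_METHOD, DRAFT_URL, DRAFT_AUTHORIZATION,
                                      DRAFT_BODY, DRAFT_CONTENT_TYPE)
    without_body = signature_base_string(DRAFT_METHOD, DRAFT_URL, DRAFT_AUTHORIZATION)
    print("with body:   ", with_body)
    print("without body:", without_body)
    # Secrets here are constructed placeholders; the draft example defines none.
    print("signature:", hmac_sha1_signature(with_body, "consumer-secret", "token-secret"))
```

Running it shows that the body's `c2` and `a3=2 q` pairs land in the sorted parameter list, so the base string with the body differs from the one without it. Whichever reading of the draft prevails, the client and the server must apply the same rule: if the signer drops a GET body that the server still parses, the server either rejects every such request or acts on body parameters the signature never covered.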