There is a difference between having no semantic meaning (i.e. not a representation of a resource, etc.) and being ignored. I agree it is odd. I'll take a look when it is in AUTH48.
EHL

On 4/8/10 7:03 AM, "Greg Beech" <[email protected]> wrote:

Apologies, I had not realised that this was intended to be a form-encoded body, and thought it was a typo.

However, according to RFC 2616 the body of a GET request has no semantic meaning and should be ignored by an origin server (summarised well in the following quotation from Roy Fielding):

"Yes. In other words, any HTTP request message is allowed to contain a message body, and thus must parse messages with that in mind. Server semantics for GET, however, are restricted such that a body, if any, has no semantic meaning to the request. The requirements on parsing are separate from the requirements on method semantics."

Source: http://tech.groups.yahoo.com/group/rest-discuss/message/9962

As such, I would have thought that when computing the signature base string the form body should similarly be ignored here. Is the OAuth specification stating that we should consider the form body even when it has no semantic meaning?

From: Eran Hammer-Lahav [mailto:[email protected]]
Sent: 07 April 2010 11:46
To: Greg Beech; OAuth WG
Subject: Re: [OAUTH-WG] Error in example in section 3.4.1.1 of draft-hammer-oauth-10

While odd, this is a perfectly legal GET request with a form-encoded body.

EHL

On 4/7/10 3:33 AM, "Greg Beech" <[email protected]> wrote:

Hi

I noticed that there is an error in the example for section 3.4.1.1 in the latest OAuth draft.

The example of building a signature base string uses the following request as an example (note the extraneous query parameters at the bottom):

    GET /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1
    Host: example.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: OAuth realm="Example",
                   oauth_consumer_key="9djdj82h48djs9d2",
                   oauth_token="kkk9d7dh3k39sjv7",
                   oauth_signature_method="HMAC-SHA1",
                   oauth_timestamp="137131201",
                   oauth_nonce="7d8f3e4a",
                   oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D"

    c2&a3=2+q

I believe that this should be as follows, which will cause the documented signature base string to be constructed:

    GET /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b&c2=&a3=2+q HTTP/1.1
    Host: example.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: OAuth realm="Example",
                   oauth_consumer_key="9djdj82h48djs9d2",
                   oauth_token="kkk9d7dh3k39sjv7",
                   oauth_signature_method="HMAC-SHA1",
                   oauth_timestamp="137131201",
                   oauth_nonce="7d8f3e4a",
                   oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D"

Apologies if this is a duplicate comment; I searched the archives but could not find any reference to this issue.

--
Greg

Blinkbox Entertainment Ltd - The best movies & TV online | Greg Beech | Senior Development Engineer Lead | +44 20 7092 8700 | +44 7970 480901

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
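Added example, not part of any message in this thread: a Python sketch of OAuth 1.0 parameter collection and normalization (as later published in RFC 5849, section 3.4.1) run over the request quoted above, showing that a verifier which drops the GET body builds a different signature base string than a client that signs it. The function names and the `http` scheme in the base URI are assumptions made for this illustration.

```python
from urllib.parse import quote, unquote, unquote_plus

# Request from the thread (example in section 3.4.1.1 of draft-hammer-oauth-10).
QUERY = "b5=%3D%253D&a3=a&c%40=&a2=r%20b"
BODY = "c2&a3=2+q"  # form-encoded entity body sent with the GET
AUTH = ('OAuth realm="Example", oauth_consumer_key="9djdj82h48djs9d2", '
        'oauth_token="kkk9d7dh3k39sjv7", oauth_signature_method="HMAC-SHA1", '
        'oauth_timestamp="137131201", oauth_nonce="7d8f3e4a", '
        'oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D"')

def pct(s):
    """Percent-encode everything except RFC 3986 unreserved characters."""
    return quote(s, safe="-._~")

def parse_form(s):
    """Decode a form-urlencoded string into (name, value) pairs."""
    pairs = []
    for item in filter(None, s.split("&")):
        name, _, value = item.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def parse_auth(header):
    """Parameters from the OAuth header, minus realm and oauth_signature."""
    pairs = []
    for part in header.partition(" ")[2].split(","):
        name, _, value = part.strip().partition("=")
        if name not in ("realm", "oauth_signature"):
            pairs.append((unquote(name), unquote(value.strip('"'))))
    return pairs

def normalized_parameters(query, auth, body):
    """Collect all three sources, encode, then sort by name and by value."""
    pairs = parse_form(query) + parse_auth(auth) + parse_form(body)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)

def base_string(method, base_uri, params):
    """Method, base URI and normalized parameters, each encoded, joined by &."""
    return "&".join([method.upper(), pct(base_uri), pct(params)])

if __name__ == "__main__":
    uri = "http://example.com/request"  # assumption: scheme is not shown in the thread
    signed = normalized_parameters(QUERY, AUTH, BODY)  # body included
    ignored = normalized_parameters(QUERY, AUTH, "")   # body dropped by the verifier
    print(base_string("GET", uri, signed))
    print(base_string("GET", uri, ignored))
    print("base strings match:", signed == ignored)
```

Because the HMAC is computed over the base string, the two sides must agree on whether the body counts; a server that discards GET bodies before verification will reject a request signed this way.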
