I thought one of the fundamental ugly problems is that the client doesn't actually know the full URL authoritatively in all frameworks, because variables get appended to the query string in an unknown order in some cases?

Solving that problem seems key. OAuth 1.0 had one solution, which it turns out people tend to get wrong. Brian's proposal solves it a different way, with the problem that it makes for data duplication, with those associated risks/problems. What other options do we have?

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Eran Hammer-Lahav
> Sent: Thursday, May 27, 2010 8:04 PM
> To: Brian Eaton; [email protected]
> Cc: OAuth WG ([email protected])
> Subject: Re: [OAUTH-WG] FW: Duplicating request component in an HTTP authentication scheme
>
> > -----Original Message-----
> > From: Brian Eaton [mailto:[email protected]]
> > Sent: Thursday, May 27, 2010 6:21 PM
> >
> > OAuth 1.0 was unusual in that it required that the server match a hash of the URL, rather than the real URL. It's an extra layer of indirection and complexity. It doesn't improve security.
>
> The current draft signs the real URL.
>
> EHL
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
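The two approaches being contrasted in this thread, shown side by side as an added example (this is not code from the thread, from OAuth 1.0, or from Brian's draft; the URLs, the shared secret and the HMAC-SHA256 construction are constructed for illustration). The first approach is OAuth 1.0-style normalization: the client and server each sort and percent-encode the query parameters before signing, so the order in which a framework appended them no longer matters. The second is the duplication approach: the client signs the literal URL it believes it sent and ships that copy along with the request, and the server must then verify both the MAC and that the copy actually describes the request it received.

```python
"""Agreeing on which URL was signed when query parameter order is not under the client's control."""
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample secret; a real deployment would use a per-client key.
KEY = b"constructed-shared-secret"

# Constructed sample requests: the same request as two frameworks might emit it.
U1 = "https://Example.com:443/resource?b=2&a=1&c=hello world"
U2 = "https://example.com/resource?a=1&c=hello%20world&b=2"


def _enc(s: str) -> str:
    # Percent-encode everything except RFC 3986 unreserved characters.
    return quote(s, safe="-._~")


def base_uri(url: str) -> str:
    """Lower-case scheme and host, drop default ports, drop the query string."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = p.hostname.lower()
    if p.port and (scheme, p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"


def normalized_query(url: str) -> str:
    """Encode each (key, value) pair, then sort, so parameter order is irrelevant."""
    pairs = [(_enc(k), _enc(v))
             for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return "&".join(f"{k}={v}" for k, v in sorted(pairs))


# --- Approach 1: both sides normalize, nothing extra is transmitted -----------

def signature_base_string(method: str, url: str) -> str:
    """Method, base URI and normalized query, each encoded and joined with '&'."""
    return "&".join(_enc(x) for x in (method.upper(), base_uri(url), normalized_query(url)))


def sign_normalized(method: str, url: str, key: bytes = KEY) -> str:
    return hmac.new(key, signature_base_string(method, url).encode(), hashlib.sha256).hexdigest()


def verify_normalized(method: str, received_url: str, mac: str, key: bytes = KEY) -> bool:
    """Server rebuilds the base string from the request it actually got and compares MACs."""
    return hmac.compare_digest(sign_normalized(method, received_url, key), mac)


# --- Approach 2: client duplicates the literal URL it signed ------------------

def sign_literal(method: str, literal_url: str, key: bytes = KEY) -> str:
    """Client signs the exact URL string it believes it is sending."""
    return hmac.new(key, f"{method.upper()} {literal_url}".encode(), hashlib.sha256).hexdigest()


def verify_literal(method: str, received_url: str, claimed_url: str, mac: str,
                   key: bytes = KEY) -> bool:
    """Server checks the MAC over the duplicated copy, then checks the copy matches reality.

    The second check is what keeps the duplicated data honest: a valid MAC over a URL
    that differs from the request actually received must be rejected, and because the
    framework may have reordered parameters, that comparison has to be order-insensitive.
    """
    if not hmac.compare_digest(sign_literal(method, claimed_url, key), mac):
        return False
    return (base_uri(received_url) == base_uri(claimed_url)
            and normalized_query(received_url) == normalized_query(claimed_url))


if __name__ == "__main__":
    print(signature_base_string("GET", U1))
    print(signature_base_string("GET", U1) == signature_base_string("GET", U2))
    mac = sign_normalized("GET", U1)
    print(verify_normalized("GET", U2, mac))
```

Note that the duplication approach does not escape normalization: the server still needs an order-insensitive comparison between the claimed URL and the received one, otherwise the very reordering that motivated duplicating the URL would cause spurious rejections, and skipping the comparison would let a valid signature over one URL authorize a different request.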
