> I think Perryn posted to the oauth-ruby list, where we should continue this discussion.
Yes, sorry, I intended for the discussion of the Ruby implementation to be on the oauth-ruby list. The reason I posted it here too was to ask about the spec (although that isn't very clear from my original post).

The spec only seems to set out how to include a post body in the signature if it is x-www-form-urlencoded data, and indeed EHL has replied stating that this is all that is supported.

I am currently working on a project to expose a developer API to our systems. The vision is for this to be a RESTful interface where we exchange payloads of XML. For some operations, the payload would be passed in a post body.

Hence, this raises a few questions for me:

a) It would appear then that OAuth is unsuitable for this type of undertaking? I am a bit surprised as I would have thought it would be a common use case. Is there a reason why this was explicitly not supported?

b) Is anyone out there doing this type of thing? Have you extended OAuth to do it? If not, what are you using?

c) Not really a question, but the only reason this came to my attention is that the signatures did not match because the provider interpreted the entire payload as a parameter name. I suspect that this is a Rails foible, so on other platforms the signatures may match because the payload is not included in the signature at either end. If people haven't noticed this, they may not realise their payloads are insecure.

cheers
Perryn
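The signing behaviour raised in point c), as an added example that is not part of the original message or of the oauth-ruby code: an OAuth Core 1.0 HMAC-SHA1 signature computed over a request with an XML body, showing that the body does not enter the signature unless it is form-encoded. The endpoint, keys, secrets and payloads are constructed, and the `fold_raw_body` option is an assumed model of the provider behaviour the message describes.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# Constructed sample values, not taken from the thread.
ENDPOINT = 'https://api.example.com/orders'
CONSUMER_SECRET = 'constructed-consumer-secret'
TOKEN_SECRET = 'constructed-token-secret'
OAUTH_PARAMS = {
  'oauth_consumer_key' => 'constructed-key', 'oauth_token' => 'constructed-token',
  'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1200000000',
  'oauth_nonce' => 'n0nce', 'oauth_version' => '1.0'
}.freeze

# Percent-encoding from OAuth Core 1.0 section 5.1: only unreserved characters stay.
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Signature base string (section 9.1): method, URL, then sorted encoded parameters.
def base_string(method, url, params)
  pairs = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }.sort
  normalized = pairs.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, url, normalized].map { |part| oauth_escape(part) }.join('&')
end

# HMAC-SHA1 (section 9.2), keyed with "consumer_secret&token_secret".
def sign(base)
  key = "#{oauth_escape(CONSUMER_SECRET)}&#{oauth_escape(TOKEN_SECRET)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA1', key, base))
end

# Body parameters are signed only when the body is form-encoded.
# fold_raw_body: true (assumption) treats the whole payload as one parameter name.
def signature_for(body, content_type, fold_raw_body: false)
  params = OAUTH_PARAMS.to_a
  if content_type == 'application/x-www-form-urlencoded'
    params += URI.decode_www_form(body)
  elsif fold_raw_body
    params << [body, '']
  end
  sign(base_string('POST', ENDPOINT, params))
end

original = '<order><item>book</item><qty>1</qty></order>'
modified = '<order><item>book</item><qty>100</qty></order>'
puts signature_for(original, 'application/xml') == signature_for(modified, 'application/xml')
```

The final line prints `true`: both XML payloads verify under the same signature, so the signature says nothing about the integrity of the body.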