OK, just checked in the final draft. Thanks to all who gave feedback. Re: the escaping in the examples that James mentioned. I don't think the difference between "/" and "%3F" in the wire format matters in practice. It does matter when you construct the signature base string, but that's going to look the same whether the wire format was percent-encoded or not.
Cheers,
Brian

On Fri, Apr 3, 2009 at 5:05 AM, Manger, James H <james.h.man...@team.telstra.com> wrote:
> Brian,
>
> A couple of quick comments on draft-eaton-oauth-bodyhash before it goes final:
>
> 1.
> RFC 4648 "The Base16, Base32, and Base64 Data Encodings" is a better
> reference for base64 than RFC 2045 "MIME Part 1: Format of Internet Message
> Bodies".
>
> 2.
> §4.1.1, 2nd dot point has an incomplete sentence:
> "The presence or absence"
>
> 3.
> The %-escaping in the examples looks wrong.
> Authorization: OAuth realm="http%3A%2F%2Fwww.example.com",
> oauth_body_hash="2jmj7l5rSw0yVb/vlWAYkK/YBwk%3D",
> ... oauth_signature="08bUFF%2Fjmp59mWB7cSgCYBUpJ0U%3D"
>
> In oauth_body_hash "=" is escaped as %3D, but "/" is not escaped.
> In oauth_signature both "=" and "/" are escaped.
>
> I hope the answer is that base64 values don't need any %-escaping when used
> as HTTP header parameters. OAuth-specific escaping rules may differ though.
>
>
> James Manger
> james.h.man...@team.telstra.com
> Identity and security team — Chief Technology Office — Telstra
>
> -----Original Message-----
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf Of
> Brian Eaton
> Sent: Friday, 3 April 2009 12:11 PM
> To: opensocial-and-gadgets-s...@googlegroups.com; oauth@googlegroups.com
> Subject: [oauth] Re: [opensocial-and-gadgets-spec] Spec clarification - Refer
> to oauth_body_hash signing in JSON-RPC spec
>
>
> [+oauth mailing list]
>
> Seems like the right thing to do.
>
> I'm going to declare
> http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/8/draft-eaton-oauth-bodyhash.html
> final tomorrow.
>
> Changes since the last revision:
> - omit oauth_body_hash on all request token and access token requests;
> this improves compatibility with various strict OAuth SPs.
> - include oauth_body_hash everywhere else.
> - lots of clean up and general editorial improvements from Eran.
>
> Thanks to everyone who contributed feedback on this spec.
>
> On Thu, Apr 2, 2009 at 2:27 PM, Louis Ryan <lr...@google.com> wrote:
>> Hi,
>>
>> I'd like to refer to the oauth_body_hash signing proposal as a SHOULD in the
>> JSON_RPC spec in replacement for the ad-hoc body signing mechanism mentioned
>> in section 8. See
>> http://opensocial-resources.googlecode.com/svn/spec/draft/RPC-Protocol.xml#rfc.section.8
>>
>> Any objections?
>>
>> -Louis
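
The escaping question discussed in this thread, as an added example that is not part of the thread or the draft: a receiver percent-decodes each Authorization header parameter and then re-encodes it with the OAuth 1.0 rule, so a literal "/" and "%2F" on the wire give the same pair for the signature base string. The function names and the second, fully escaped header are constructed for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import quote, unquote

# Constructed inputs: the oauth_body_hash from the thread's example, once as
# quoted there ("/" sent literally) and once with "/" sent as %2F.
HEADER_AS_QUOTED = ('OAuth realm="http%3A%2F%2Fwww.example.com", '
                    'oauth_body_hash="2jmj7l5rSw0yVb/vlWAYkK/YBwk%3D"')
HEADER_FULLY_ESCAPED = ('OAuth realm="http%3A%2F%2Fwww.example.com", '
                        'oauth_body_hash="2jmj7l5rSw0yVb%2FvlWAYkK%2FYBwk%3D"')


def parse_oauth_header(value):
    """Return the percent-decoded parameters of an OAuth Authorization header."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth Authorization header")
    # unquote, not unquote_plus: base64 values may contain a literal "+",
    # which must not be turned into a space.
    return {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}


def oauth_encode(text):
    """OAuth 1.0 encoding: escape everything except RFC 3986 unreserved chars."""
    return quote(text, safe="-._~")


def normalized_pair(params, name):
    """name=value as it enters the normalized request parameters.

    The whole parameter string is encoded once more when the signature
    base string is assembled; realm is never included in it.
    """
    return oauth_encode(name) + "=" + oauth_encode(params[name])


def body_hash(body):
    """base64(SHA-1(body)), the value carried in oauth_body_hash."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


if __name__ == "__main__":
    for header in (HEADER_AS_QUOTED, HEADER_FULLY_ESCAPED):
        params = parse_oauth_header(header)
        print(params["oauth_body_hash"], "->", normalized_pair(params, "oauth_body_hash"))
    # The example value is the hash of an empty request body.
    print(body_hash(b"") == parse_oauth_header(HEADER_AS_QUOTED)["oauth_body_hash"])
```

A server that compares the raw header text instead of the decoded value would treat the two wire forms as different hashes, which is the interoperability risk behind James's comment.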