I'm curious about the way I see Google has implemented the OAuth 1.0
protocol, which is reasonable, although the spec itself seems to disagree
with it.

From the spec <http://oauth.net/core/1.0/#anchor14>, snipped here:

The request parameters are collected, sorted and concatenated into a
normalized string:

   - Parameters in the OAuth HTTP Authorization header (Authorization Header
   <http://oauth.net/core/1.0/#auth_header_authorization>) excluding the
   realm parameter.
   - Parameters in the HTTP POST request body (with a content-type of
   application/x-www-form-urlencoded).
   - HTTP GET parameters added to the URLs in the query part (as defined by
   [RFC3986] (Berners-Lee, T., "Uniform Resource Identifiers (URI): Generic
   Syntax") <http://oauth.net/core/1.0/#RFC3986> section 3).

Note that the query part of the URL is only supposed to be included in the
construction of the signature base string if the request is a GET. If the
request is a POST that happens to include a query part in the URL, there is
no mention of that as a source of parameters to sign. My take on that, then,
is that the URI query part of a POST request is not signed.

Is the spec wrong?  (it seems insecure)  Google signs this part although the
spec seems to suggest against it.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
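The following Python is an added example, not part of the original post and not Google's or any OAuth library's code. It builds the OAuth 1.0 signature base string from the three parameter sources the quoted spec text lists (Authorization header minus realm, form-encoded POST body, URL query) and computes the HMAC-SHA1 signature. A `sign_query_on_post` switch selects between the two readings discussed above: query parameters signed on every method, or only on GET. The GET check uses the request from OAuth Core 1.0 Appendix A (consumer key `dpf43f3p2l4k3l03`, secrets `kd94hf93k423kf44` / `pfkkdhi9sl3r4s00`); the POST request with `?id=` is constructed for this example. `query_tamper_changes_signature` shows the practical consequence: under the GET-only reading, changing a query parameter of a POST leaves the signature unchanged, so a verifier cannot detect it.

```python
"""Added example: OAuth 1.0 signature base string and HMAC-SHA1 signature,
with a switch controlling whether the query part of a POST is signed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def oauth_encode(s: str) -> str:
    # RFC 3986 unreserved characters (A-Z a-z 0-9 - . _ ~) stay as-is;
    # everything else becomes %XX with uppercase hex, as OAuth 1.0 requires.
    return quote(s, safe="")


def parse_auth_header(header: str) -> list:
    # 'OAuth realm="x", oauth_nonce="..."' -> [(name, value)], realm dropped.
    # Header values are percent-encoded on the wire, so they are decoded here.
    assert header.startswith("OAuth ")
    params = []
    for part in header[len("OAuth "):].split(","):
        name, _, value = part.strip().partition("=")
        if name == "realm":
            continue
        params.append((unquote(name), unquote(value.strip('"'))))
    return params


def collect_params(method: str, url: str, auth_header: str, body: str,
                   sign_query_on_post: bool) -> list:
    # Gather parameters from the three sources the spec lists.
    params = parse_auth_header(auth_header) if auth_header else []
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    query = urlsplit(url).query
    # The query part is always signed on GET; on POST only if the switch says so.
    if query and (method.upper() == "GET" or sign_query_on_post):
        params += parse_qsl(query, keep_blank_values=True)
    # oauth_signature itself is never part of the base string.
    return [(k, v) for k, v in params if k != "oauth_signature"]


def normalize_params(params: list) -> str:
    # Encode first, then sort by name and value, then join as name=value&...
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def base_url(url: str) -> str:
    # scheme://host[:port]/path in lowercase, default ports omitted, no query.
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if p.port and p.port != default_port:
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path}"


def signature_base_string(method: str, url: str, auth_header: str = "",
                          body: str = "", sign_query_on_post: bool = True) -> str:
    params = collect_params(method, url, auth_header, body, sign_query_on_post)
    return "&".join([method.upper(), oauth_encode(base_url(url)),
                     oauth_encode(normalize_params(params))])


def hmac_sha1_signature(base_string: str, consumer_secret: str,
                        token_secret: str = "") -> str:
    # Key is encode(consumer_secret)&encode(token_secret); output is base64.
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Values from OAuth Core 1.0 Appendix A; the POST request below is constructed.
AUTH_HEADER = ('OAuth realm="http://photos.example.net/", '
               'oauth_consumer_key="dpf43f3p2l4k3l03", '
               'oauth_nonce="kllo9940pd9333jh", '
               'oauth_signature_method="HMAC-SHA1", '
               'oauth_timestamp="1191242096", '
               'oauth_token="nnch734d00sl2jdk", oauth_version="1.0"')
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"


def appendix_a_get() -> tuple:
    # (base string, signature) for the spec's own GET example.
    url = "http://photos.example.net/photos?file=vacation.jpg&size=original"
    bs = signature_base_string("GET", url, AUTH_HEADER)
    return bs, hmac_sha1_signature(bs, CONSUMER_SECRET, TOKEN_SECRET)


def query_tamper_changes_signature(sign_query_on_post: bool) -> bool:
    # Constructed POST carrying both a form body and a query parameter. Returns
    # True if altering ?id= changes the signature (i.e. a verifier would notice).
    body = "title=hello"
    urls = ("http://photos.example.net/photos?id=1",
            "http://photos.example.net/photos?id=2")
    sigs = [hmac_sha1_signature(
                signature_base_string("POST", u, AUTH_HEADER, body, sign_query_on_post),
                CONSUMER_SECRET, TOKEN_SECRET) for u in urls]
    return sigs[0] != sigs[1]


if __name__ == "__main__":
    print(appendix_a_get())
    print("query signed on POST:", query_tamper_changes_signature(True))
    print("query unsigned on POST:", query_tamper_changes_signature(False))
```

Running it reproduces the Appendix A base string and signature, then reports `True` for the always-sign policy and `False` for the GET-only reading, which is the gap the post is asking about.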
