On Wed, Sep 16, 2009 at 4:06 PM, Hans Granqvist <h...@granqvist.com> wrote: > We're going live with some new PUT-based APIs. The body is not name/value > pairs and thus not application/x-www-form-urlencoded. > > Can anybody shed some light on the status of > http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html > and how it relates to OAuth main spec?
It is an optional extension that is backwards compatible with the main oauth spec. If both client and server use the extension, it's a security win and also helpful for developers. If one or the other doesn't support it, interop is still possible. > Has anyone implemented it in production? Various OpenSocial containers have it in production. It's been useful because we've had persistent problems with developers doing strange things like sending JSON request bodies with 'application/x-www-form-urlencoded' content types. That's difficult to support consistently, and it led to interop problems. Now that we've got an official supported way of signing non-form-encoded request bodies it is less of an issue. Cheers, Brian --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
