OAuth Core 1.0 (or a) does *not* include PUT body parameters in the signature base string. That is a bug which I already fixed a while back in the very first I-D:
o Removed restriction of only signing application/x-www-form-urlencoded in POST requests, allowing the entity-body to be used with all HTTP request methods.

The current IETF version is all inclusive:

---

The request parameters, which include both protocol parameters and request-specific parameters, are extracted and restored to their original unencoded form, from the following sources:

o The OAuth HTTP Authorization header (Section 7.1). The "realm" parameter MUST be excluded if present.

o The HTTP request entity-body, but only if:

  * The entity-body is single-part.

  * The entity-body follows the encoding requirements of the "application/x-www-form-urlencoded" content-type as defined by [W3C.REC-html40-19980424].

  * The HTTP request entity-header includes the "Content-Type" header set to "application/x-www-form-urlencoded".

o The query component of the HTTP request URI as defined by [RFC3986] section 3. The "oauth_signature" parameter MUST be excluded if present.

---

Too bad very few people actually bother to read the IETF drafts and provide feedback. For the record, I had to restrain myself in that last sentence from using offensive language.

EHL

> -----Original Message-----
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> Of Hannes Tydén
> Sent: Wednesday, September 16, 2009 5:31 PM
> To: OAuth
> Subject: [oauth] Re: Signing PUT request
>
>
> On Sep 17, 1:12 am, Hans Granqvist <h...@granqvist.com> wrote:
>
> > seems to leave PUT requests with form-encoded name/value pairs in a
> > bad spot, not covered by the core spec (which only deals with POSTs),
> > nor covered by the body hash spec.
>
> I will rephrase my initial question:
> Is it true that the base string for "application/x-www-form-urlencoded" PUT requests should not contain the parameters in the request body according to the 1.0 core specification?
>
> Section "9.1.1 Normalize Request Parameters" (http://oauth.net/core/1.0#anchor14) says:
> "Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded)."
>
> If "HTTP POST request body" should be interpreted as "the request body if it is a POST request", "application/x-www-form-urlencoded" PUT requests are wide open for man-in-the-middle attacks.
>
> If it should be interpreted as "the request body of any kind of request", I'm fine with this and we could move along.
>
> In any case the wording is too ambiguous, leaving room for interpretation. I'd suggest that an amendment should be done to the specification.
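The parameter-collection rules quoted above, as an added Python example that is not part of this thread or of any OAuth library: it builds the signature base string from the three sources the IETF draft names (Authorization header minus realm, form-encoded entity-body, query component minus oauth_signature), and a core10_reading switch reproduces the narrower Core 1.0 "HTTP POST request body" reading so that the gap for PUT requests is visible. The host, path, credentials and request bodies are constructed placeholders.

```python
from urllib.parse import quote, unquote, parse_qsl, urlsplit
FORM = "application/x-www-form-urlencoded"

def pct(s):
    # RFC 3986 percent-encoding with only the unreserved set left bare
    return quote(s, safe="-._~")

def parse_auth_header(header):
    # 'OAuth realm="x", oauth_nonce="abc", ...' -> [(name, value)], realm dropped
    scheme, _, rest = header.strip().partition(" ")
    if scheme != "OAuth":
        return []
    pairs = (p.strip().partition("=") for p in rest.split(",") if p.strip())
    return [(unquote(n), unquote(v.strip('"'))) for n, _, v in pairs if n != "realm"]

def collect_params(method, url, headers, body, core10_reading=False):
    # The three sources named in the IETF draft. core10_reading=True mimics the Core 1.0
    # wording ("HTTP POST request body"), i.e. body parameters only count for POST.
    params = parse_auth_header(headers.get("Authorization", ""))
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if body is not None and ctype == FORM and (not core10_reading or method.upper() == "POST"):
        params += parse_qsl(body, keep_blank_values=True)
    params += parse_qsl(urlsplit(url).query, keep_blank_values=True)
    # The signature cannot sign itself, so oauth_signature is always left out.
    return [(k, v) for k, v in params if k != "oauth_signature"]

def normalize(params):
    # Encode, sort by encoded name then value, join as name=value&name=value
    return "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))

def base_uri(url):
    p = urlsplit(url)  # scheme and host lower-cased, default port dropped, query removed
    port = "" if p.port in (None, {"http": 80, "https": 443}.get(p.scheme.lower())) else f":{p.port}"
    return f"{p.scheme.lower()}://{p.hostname.lower()}{port}{p.path or '/'}"

def signature_base_string(method, url, headers, body=None, core10_reading=False):
    params = collect_params(method, url, headers, body, core10_reading)
    return "&".join([method.upper(), pct(base_uri(url)), pct(normalize(params))])

def body_tamper_detected(method, url, headers, body, tampered, core10_reading=False):
    # True when altering the body changes the base string, so a signature check fails
    sbs = lambda b: signature_base_string(method, url, headers, b, core10_reading)
    return sbs(body) != sbs(tampered)

# Constructed sample PUT request (not from the thread); oauth_signature is a dummy
HEADERS = {"Content-Type": FORM, "Authorization": 'OAuth realm="Example", '
           'oauth_consumer_key="ck", oauth_token="tk", oauth_signature_method="HMAC-SHA1", '
           'oauth_timestamp="1253145060", oauth_nonce="n0nce", oauth_signature="dummy%3D"'}
URL = "http://photos.example.net/photos/42?size=original"
```

Under the IETF wording a modified PUT body changes the base string and the signature no longer verifies; under the Core 1.0 reading the same PUT produces an identical base string for both bodies, which is exactly the exposure the thread describes.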