Hi Florent,

I certainly couldn't see anything in the spec that addresses sending OAuth parameters using a combination of GET, POST or Authorization headers.
While I certainly think that it's a strange thing to do (seems like more work for the Consumer Developer), I think as a Service Provider you should support such a situation. I don't have any technical rationale for this, I just think it's consistent with Postel's Law ("be liberal in what you accept and conservative in what you do"). I don't see any downside to accepting such behaviour, so why not make it easier for those who do it?

Cheers,
Paul

On 2009-10-21, at 4:31 AM, Florent wrote:

> Hi everybody,
>
> I'm in pain figuring out whether the oauth_verifier can be sent back
> from the consumer to the provider in the body of a POST request when
> other parameters are sent in the authorization header.
>
> Here is my situation: I provide an API with OAuth, and one of our
> users complains he cannot get an access token. Looking at the request,
> he sent "usual" signature parameters in the header, and sent the
> oauth_verifier in the body.
>
> * Looking at the spec in the section about sending parameters to the
> provider (http://oauth.net/core/1.0a#consumer_req_param), parameters
> should be sent in the authorization header (preferred) or in the
> request body (second choice) or (... we don't care about this one).
> But it is not forbidden to mix the places!
>
> * Looking at the 9.1.1 part (http://oauth.net/core/1.0a#anchor13)
> about collecting the consumer's parameters, the parameters must be
> collected from various places. So it seems that the consumer can mix
> the places.
>
> So I have 2 questions:
> 1. Can the consumer send oauth parameters from various places (I
> understand oauth parameter as being part of the signature)?
> 2. Is the oauth_verifier parameter, sent to the provider when
> requesting an access token, a parameter part of the signature, or just
> a request parameter?
>
> My understanding is that oauth_verifier is a regular oauth parameter,
> so it's part of the signature, and that all signature should be
> included in a single place.
>
> He tells me that the library he uses (a .net lib) works well with
> Twitter and Google amongst others. But it won't work with the one I
> use (Ruby OAuth + Rails OAuth plugin).
>
> Who's right here?
>
> Thanks,
> Florent.
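
An added illustration of the section 9.1.1 parameter collection discussed in this thread, not code from either poster or from the Ruby OAuth library: a provider that gathers parameters from the Authorization header, the POST body and the query string before rebuilding the signature base string still covers an oauth_verifier sent in the body, while one that reads the header alone computes a different signature. It assumes HMAC-SHA1; the keys, tokens and URL are constructed, and all helper names are hypothetical.

```ruby
require 'openssl'
require 'uri'

# Percent-encode per OAuth Core 1.0a section 5.1: only unreserved characters stay literal.
def oauth_escape(s)
  s.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Parse 'OAuth realm="..", k="v", ..' into decoded pairs; realm is never signed (9.1.1).
def header_params(header)
  header.to_s.sub(/\AOAuth\s+/, '').scan(/([^=,\s]+)="([^"]*)"/)
        .map { |k, v| [URI.decode_www_form_component(k), URI.decode_www_form_component(v)] }
        .reject { |k, _| k == 'realm' }
end

# Section 9.1.1: collect from header, form body and query, wherever each parameter was put.
def collect_params(header, body, query)
  (header_params(header) + URI.decode_www_form(body.to_s) + URI.decode_www_form(query.to_s))
    .reject { |k, _| k == 'oauth_signature' }
end

def signature_base_string(method, url, params)
  normalized = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }.sort
                     .map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

def hmac_sha1(base, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base)].pack('m0')
end

# Constant-time comparison so verification does not leak how many bytes matched.
def secure_eq(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |d, (x, y)| d | (x ^ y) }.zero?
end
# Constructed request: oauth_verifier in the POST body, every other parameter in the header.
def demo
  url, body = 'https://provider.example/oauth/access_token', 'oauth_verifier=v3rifier'
  fields = [%w[oauth_consumer_key ck], %w[oauth_token rt], %w[oauth_signature_method HMAC-SHA1],
            %w[oauth_timestamp 1256113860], %w[oauth_nonce n0nce], %w[oauth_version 1.0]]
  sign = ->(params) { hmac_sha1(signature_base_string('POST', url, params), 'cs', 'ts') }
  sent = sign.call(fields + URI.decode_www_form(body)) # consumer signs header + body together
  header = 'OAuth realm="x", ' +
           (fields + [['oauth_signature', sent]]).map { |k, v| %(#{k}="#{oauth_escape(v)}") }.join(', ')
  { all_sources: secure_eq(sent, sign.call(collect_params(header, body, ''))),
    header_only: secure_eq(sent, sign.call(collect_params(header, '', ''))) }
end
puts demo.inspect if __FILE__ == $PROGRAM_NAME
```
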