On Feb 8, 2011, at 6:45 AM, Eran Hammer-Lahav wrote:

> This authentication method comes with well understood security properties. By
> making query parameters optional because of developer ease, providers will be
> giving up an important part of the protection this protocol offers. This is
> especially true for the majority of APIs where query parameters are critical
> to the request integrity.

Is the same then not true of content body? Why require one and not the other? Either you trust providers to decide when the content/parameter portions of a request (or an API) are critical to request integrity, or you don't. With that argument you should just require a body hash and be done with it. What's the argument to make it an optional part of the base string?
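
The trade-off argued in this thread, as an added example that is not part of the original messages or of any OAuth draft: a simplified HMAC request signature in which the base string layout, the function names, the key and the sample request are all assumptions made for illustration. It shows that whichever component (query parameters or body hash) is left out of the base string can be changed in transit without invalidating the MAC.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample secret, not a real credential


def base_string(method, host, path, query="", body=b"",
                cover_query=True, cover_body=True):
    """Build a simplified, hypothetical signature base string.

    The layout is an assumption for this demo, not the normalization
    defined by any OAuth specification.
    """
    parts = [method.upper(), host.lower(), path]
    if cover_query:
        # Sort parameters so ordering differences do not change the MAC.
        parts.append("&".join(sorted(p for p in query.split("&") if p)))
    if cover_body:
        parts.append(hashlib.sha256(body).hexdigest())
    return "\n".join(parts).encode()


def sign(request, **cover):
    return hmac.new(KEY, base_string(**request, **cover), hashlib.sha256).hexdigest()


def verify(request, mac, **cover):
    return hmac.compare_digest(sign(request, **cover), mac)


def tamper_results(**cover):
    """Sign a constructed request, then alter query and body separately.

    Returns (query_change_accepted, body_change_accepted).
    """
    original = dict(method="POST", host="api.example.com", path="/transfer",
                    query="to=alice&amount=10", body=b'{"memo":"rent"}')
    mac = sign(original, **cover)
    query_changed = dict(original, query="to=bob&amount=10")
    body_changed = dict(original, body=b'{"memo":"changed"}')
    return verify(query_changed, mac, **cover), verify(body_changed, mac, **cover)


if __name__ == "__main__":
    for cover in ({"cover_query": True, "cover_body": True},
                  {"cover_query": False, "cover_body": True},
                  {"cover_query": True, "cover_body": False}):
        print(cover, "->", tamper_results(**cover))
```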
