[oauth] Re: signing post requests
On Wed, Feb 4, 2009 at 1:36 AM, Eran Hammer-Lahav wrote: > > On 2/3/09 5:11 PM, "Perryn Fowler" wrote: > >> I'm probably being dense or ignorant or both here, but why is it an issue >> from the OAuth prespective whether the payload is XML or something else? >> Could you not just consider it as a byte-stream, or text in a known encoding? > > As long as you have access to the raw HTTP body, you can sign it regardless > of what it represents. Multi-part bodies are tricky because you need to take > into account the separator used, and the implication of manipulating the > separator header. Just to suss this out a little more, one of the design goals of OAuth is for it to be usable in the context of web frameworks or environments where the raw request may have been "massaged" before you get it. It goes both ways, too -- most HTTP client libraries make it really difficult to inspect and modify the request after it's been fully composed but before it's sent over the wire. Real-live implementations and interoperability is really important for OAuth, so we decided to punt on the issue way back in the day. As Kellan hinted at, the hope is that as we see a few real-world body-signing usage of OAuth, we can extract those "best practices" into a specification. b. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: signing post requests
On 2/3/09 5:11 PM, "Perryn Fowler" wrote: > I'm probably being dense or ignorant or both here, but why is it an issue > from the OAuth prespective whether the payload is XML or something else? > Could you not just consider it as a byte-stream, or text in a known encoding? As long as you have access to the raw HTTP body, you can sign it regardless of what it represents. Multi-part bodies are tricky because you need to take into account the separator used, and the implication of manipulating the separator header. Because the same XML content can take many byte-stream forms, if you don't have access to the raw byte-stream, you need to handle canonicalization of the XML document (and it can get pretty complex with stuff like XMLDSIG). EHL --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: signing post requests
Hi kellan Thanks for your reply > Body hashes for binary payloads are actually pretty straightforward. > But I'm interested to hear how you're going to normalize the XML to > make sure the representation is unambiguous for generation a > signature. I'm probably being dense or ignorant or both here, but why is it an issue from the OAuth prespective whether the payload is XML or something else? Could you not just consider it as a byte-stream, or text in a known encoding? cheers Perryn --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: signing post requests
On Mon, Feb 2, 2009 at 6:57 PM, Perryn Fowler wrote: > I am currently working on a project to expose a developer api to our > systems. The vision is for this to be a RESTful interface > where we exchange payloads of XML. For some operations, the payload > would be passed in a post body. Neat. > a) It would appear then that oAuth is unsuitable for this type of > undertaking? I am a bit surprised as I would have thought it would be > a common use case - Is there a reason why this was explicitly not > supported? Several. First its a mistake assuming that if something isn't explicitly mentioned in the OAuth specification then it is either impossible or forbidden, the truth is if it isn't mentioned as forbidden you should feel free to invent a way to do it. But I hear the desire to use a standardized method, after all thats why one uses a standard. Body hashes for binary payloads are actually pretty straightforward. But I'm interested to hear how you're going to normalize the XML to make sure the representation is unambiguous for generation a signature. Additionally I raised some concerns about the ability of mobile devices to generate hashes for large blobs of data based on our experience working with signed AtomPub on Symbian devices for uploading photos. Lastly, it fell into the "inventing something new" which we were trying to avoid doing in the Core. > b) Is anyone out there doing this type of thing? Have you extended > oAuth to do it? If not, what are you using? Eran linked to the current proposed extension which has the advantage of being straightforward. You'll have to figure out if it works for your XML documents use case. I'm still futzing with how I want to do body signatures for uploads to Flickr, though its less of a concern to us then it is to an API like you describe. The two most popular options are currently define your own specific normalizing/signing method for your endpoint (not too arduous), or use the one Eran linked to. -kellan --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: signing post requests
Check out http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html EHL --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: signing post requests
> I think Perryn posted to the oauth-ruby list, where we > should continue this discussion. Yes, sorry I intended for the discussion of the ruby implementation on the oauth-ruby list. The reason I posted it here too was to ask about the spec ( although that isn't very clear from my original post ) The spec only seems to set out how to include a post body in the signature if it is x-www-form-urlencoded data, and indeed EHL has replied stating that this is all that is supported. I am currently working on a project to expose a developer api to our systems. The vision is for this to be a RESTful interface where we exchange payloads of XML. For some operations, the payload would be passed in a post body. Hence, this raises a few questions for me a) It would appear then that oAuth is unsuitable for this type of undertaking? I am a bit surprised as I would have thought it would be a common use case - Is there a reason why this was explicitly not supported? b) Is anyone out there doing this type of thing? Have you extended oAuth to do it? If not, what are you using? c) Not really a question, but the only reason this came to my attention is that the signatures did not match because the provider interpreted the entire payload as a parameter name. I suspect that this is a rails foible, so on other platforms the signatures may match because the payload is not included in the signature at either end. If people haven't noticed this, they may not realise their payloads are insecure. cheers Perryn --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: signing post requests
It sounds like the ruby library may be accidentally pulling in those parameters. I think Perryn posted to the oauth-ruby list, where we should continue this discussion. b. On Mon, Feb 2, 2009 at 4:07 PM, Eran Hammer-Lahav wrote: > > OAuth core does not support body signatures expect for www-encoded-form. > > EHL > >> -Original Message- >> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf >> Of Perryn Fowler >> Sent: Monday, February 02, 2009 4:37 AM >> To: OAuth Ruby >> Cc: oauth@googlegroups.com >> Subject: [oauth] signing post requests >> >> >> I have set up a small test consumer app and a small test provider app >> - both rails apps. >> The consumer app is using the oauth ruby gem and the provider app is >> using the plugin. >> (I have found and addressed the issues that have been mentioned here >> recently with the plugin and the new version of the gem) >> >> I am trying to post some XML from the consumer app to the provider app >> and authorize it via oAuth. >> >> Unfortunately I keep getting signature verification errors. >> >> The problem seems to be that the raw XML is being posted as the >> request body. The consumer app does not appear to consider this to >> qualify as a 'parameter' for the purposes , while the provider app >> does ( probably because rails does?) >> >> Admittedly the spec only really mentions bonafide parameters, but it >> would seem in this use case you would definately want to have the xml >> payload included in the signature.. >> >> or have I missed something? >> >> >> cheers >> Perryn >> >> > > > > --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: signing post requests
OAuth core does not support body signatures expect for www-encoded-form. EHL > -Original Message- > From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf > Of Perryn Fowler > Sent: Monday, February 02, 2009 4:37 AM > To: OAuth Ruby > Cc: oauth@googlegroups.com > Subject: [oauth] signing post requests > > > I have set up a small test consumer app and a small test provider app > - both rails apps. > The consumer app is using the oauth ruby gem and the provider app is > using the plugin. > (I have found and addressed the issues that have been mentioned here > recently with the plugin and the new version of the gem) > > I am trying to post some XML from the consumer app to the provider app > and authorize it via oAuth. > > Unfortunately I keep getting signature verification errors. > > The problem seems to be that the raw XML is being posted as the > request body. The consumer app does not appear to consider this to > qualify as a 'parameter' for the purposes , while the provider app > does ( probably because rails does?) > > Admittedly the spec only really mentions bonafide parameters, but it > would seem in this use case you would definately want to have the xml > payload included in the signature.. > > or have I missed something? > > > cheers > Perryn > > --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---