[oauth] [Q] Can OAuth AuthN Header Scheme include other request parameters?

2010-04-27 Thread kthrtty
Dear experts.

I read the two specifications (community / IETF hammer draft), and am
confused about how to interpret those specs regarding the regulation of
additional parameters.

*This mail is reposted.*
(It was posted to IETF OAUTH-WG, but it seems not to be suited to the
ML's purpose.)

- Community (http://oauth.net/core/1.0)
--
"5.2 Consumer Request Parameters"
In addition to these defined methods, future extensions may describe
alternate methods for sending the OAuth Protocol Parameters. The methods
for sending other request parameters are left undefined, but SHOULD NOT
use the OAuth HTTP Authorization Scheme header.
--
"7.  Accessing Protected Resources"
After successfully receiving the Access Token and Token Secret, the
Consumer is able to access the Protected Resources on behalf of the
User. The request MUST be signed per Signing Requests, and contains the
following parameters:

oauth_consumer_key:
・・・
Additional parameters:
Any additional parameters, as defined by the Service Provider.
--

I think this part of the spec seems to say that the HTTP Authorization
header MUST NOT include "other request parameters" (which are not OAuth
Protocol Parameters).

Does OAuth 1.0a allow sending other request parameters only in the POST
request body and as a query string?

And when the Consumer accesses protected resources, is the same rule
applied?
(Must there be no other request parameters in the OAuth Authorization
Header Scheme?)


- IETF (http://tools.ietf.org/html/draft-hammer-oauth-10)
"3.5.2. Form-Encoded Body" and "3.5.3. Request URI Query" say
--
The entity-body MAY include other request-specific parameters
The request URI MAY include other request-specific query parameters
--
but "3.5.1. Authorization Header" doesn't say
"The Authorization Header MUST NOT include other request-specific
parameters"

The descriptions discussed above are quite confusing, at least for me.


If anyone knows the spec in detail, please let me know.


Best regards.

--
Tatsuya (=kthrtty)

-- 
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oa...@googlegroups.com.
To unsubscribe from this group, send email to 
oauth+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/oauth?hl=en.
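
Added example, not part of the original post or of either specification: a Python sketch of the split the quoted Core 1.0 section 5.2 text describes, with oauth_* protocol parameters carried in the Authorization header, other request parameters in the query string, and a check that reports non-protocol names found in a header. The function names and all sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import quote, unquote, urlencode

def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def split_request(params):
    """Separate OAuth protocol parameters (oauth_*) from other request parameters."""
    protocol = {k: v for k, v in params.items() if k.startswith("oauth_")}
    other = {k: v for k, v in params.items() if not k.startswith("oauth_")}
    return protocol, other

def build_header(protocol, realm=None):
    """Serialize protocol parameters as: OAuth realm="...", name="value", ..."""
    parts = [] if realm is None else ['realm="%s"' % realm]
    parts += ['%s="%s"' % (pct(k), pct(v)) for k, v in sorted(protocol.items())]
    return "OAuth " + ", ".join(parts)

_PAIR = re.compile(r'([^=\s,]+)="([^"]*)"')

def parse_header(header):
    """Return the name/value pairs of an OAuth Authorization header, decoded."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth Authorization header")
    return {unquote(m.group(1)): unquote(m.group(2)) for m in _PAIR.finditer(rest)}

def stray_params(header):
    """Names in the header that are neither realm nor oauth_* protocol parameters."""
    return sorted(k for k in parse_header(header)
                  if k != "realm" and not k.startswith("oauth_"))

# Constructed sample request: three protocol parameters, two service-defined ones.
SAMPLE = {
    "oauth_consumer_key": "consumer-key-example",
    "oauth_token": "access token/example",
    "oauth_signature_method": "HMAC-SHA1",
    "file": "vacation.jpg",
    "size": "original",
}

if __name__ == "__main__":
    protocol, other = split_request(SAMPLE)
    print("GET /photos?" + urlencode(other))
    print("Authorization: " + build_header(protocol, realm="Photos"))
    # A constructed header that mixes in a service-defined parameter:
    print(stray_params('OAuth realm="Photos", oauth_token="t", file="vacation.jpg"'))
```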



[oauth] Re: oauth_callback parameter not sent to getsatisfaction

2010-04-27 Thread John Kristian
You can set the oauth_callback parameter dynamically, like this:

OAuthServiceProvider provider = ... // not including oauth_callback
String callbackURL = ...
String authorizationURL =
OAuth.addParameters(provider.userAuthorizationURL,
  OAuth.OAUTH_CALLBACK, callbackURL);
// Next, direct the user's browser to the authorizationURL.

On Apr 24, 9:13 pm, vasya10  wrote:
> Unfortunately, since my callback url is different at different entry
> points, I'm unable to set the oauth_callback url in the authorization
> url dynamically since OAuthService must be static. Is there an
> alternative to this issue?
