[oauth] Re: signing post requests
On Wed, Feb 4, 2009 at 1:36 AM, Eran Hammer-Lahav e...@hueniverse.com wrote:

> On 2/3/09 5:11 PM, Perryn Fowler pezli...@gmail.com wrote:
>
> > I'm probably being dense or ignorant or both here, but why is it an issue from the OAuth perspective whether the payload is XML or something else? Could you not just consider it as a byte-stream, or text in a known encoding?
>
> As long as you have access to the raw HTTP body, you can sign it regardless of what it represents. Multi-part bodies are tricky because you need to take into account the separator used, and the implication of manipulating the separator header.

Just to suss this out a little more, one of the design goals of OAuth is for it to be usable in the context of web frameworks or environments where the raw request may have been massaged before you get it. It goes both ways, too -- most HTTP client libraries make it really difficult to inspect and modify the request after it's been fully composed but before it's sent over the wire.

Real-live implementations and interoperability are really important for OAuth, so we decided to punt on the issue way back in the day. As Kellan hinted at, the hope is that as we see a few real-world body-signing usages of OAuth, we can extract those best practices into a specification.

b.
[oauth] Re: signing post requests
OAuth core does not support body signatures except for www-encoded-form.

EHL

-----Original Message-----
From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf Of Perryn Fowler
Sent: Monday, February 02, 2009 4:37 AM
To: OAuth Ruby
Cc: oauth@googlegroups.com
Subject: [oauth] signing post requests

I have set up a small test consumer app and a small test provider app - both rails apps. The consumer app is using the oauth ruby gem and the provider app is using the plugin. (I have found and addressed the issues that have been mentioned here recently with the plugin and the new version of the gem)

I am trying to post some XML from the consumer app to the provider app and authorize it via oAuth. Unfortunately I keep getting signature verification errors.

The problem seems to be that the raw XML is being posted as the request body. The consumer app does not appear to consider this to qualify as a 'parameter' for the purposes, while the provider app does (probably because rails does?)

Admittedly the spec only really mentions bona fide parameters, but it would seem in this use case you would definitely want to have the xml payload included in the signature.. or have I missed something?

cheers
Perryn
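
Added example (not part of the thread, and not code from the oauth gem or the Rails plugin): a minimal OAuth Core 1.0 HMAC-SHA1 signer showing why the two sides in the original question disagree, and that a raw XML body left out of the base string is not covered by the signature at all. All keys, secrets, the URL and the XML are constructed sample values, and the parameter name `order` is a hypothetical stand-in for whatever a framework would produce when it parses the body into parameters.

```ruby
require 'openssl'
require 'base64'

# Percent-encoding per OAuth Core 1.0 section 5.1: only unreserved characters stay literal.
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Signature base string per section 9.1: method, URL, then the sorted, encoded parameters.
def signature_base_string(http_method, url, params)
  normalized = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [http_method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

# HMAC-SHA1 signature per section 9.2.
def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA1', key, base_string))
end

# Constructed sample values (not from the thread).
URL = 'http://provider.example/orders'
OAUTH_PARAMS = {
  'oauth_consumer_key' => 'consumer-key', 'oauth_token' => 'access-token',
  'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1233750000',
  'oauth_nonce' => 'constructed-nonce', 'oauth_version' => '1.0'
}.freeze
XML_BODY = '<order><item>book</item></order>'

def sign(params)
  hmac_sha1_signature(signature_base_string('POST', URL, params), 'consumer-secret', 'token-secret')
end

# Consumer: the XML body is not a parameter, so it is left out of the base string.
CONSUMER_SIG = sign(OAUTH_PARAMS)
# Provider assumed to have parsed the body into a parameter (hypothetical key 'order'):
# the base string differs, so signature verification fails.
PROVIDER_SIG_WITH_BODY = sign(OAUTH_PARAMS.merge('order' => XML_BODY))
# Provider that also ignores the body: verification succeeds, whatever the body contains.
PROVIDER_SIG_WITHOUT_BODY = sign(OAUTH_PARAMS)

puts "consumer:                 #{CONSUMER_SIG}"
puts "provider (body as param): #{PROVIDER_SIG_WITH_BODY}"
puts "provider (body ignored):  #{PROVIDER_SIG_WITHOUT_BODY}"
```

Because `XML_BODY` never enters the consumer's base string, the last two signatures stay identical if the body is changed in transit; integrity of a non-form body has to come from somewhere else, such as TLS.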