On Thu, Feb 5, 2009 at 2:23 PM, Jordan Zimmerman <jord...@shop.com> wrote: > I've found the problem. OAuthRequest.sanitizeAndSign() sets the target's > query to null. So, the URL that gets bound into the OAuth message > doesn't have a query string. This seems like a bug to me. The fix isn't > simple, though, because all of the oauth parameters haven't been added > yet.
I doubt it's a bug, more likely misusage. The shindig oauth code interoperates with literally hundreds of OAuth service providers in at least four languages. (it definitely does not always strip the query string from outgoing requests.) > Why are the oauth args being passed as URL parameters anyway? Wouldn't > it be better to pass them in a header? You can do that with the param_location attribute in the <OAuth> tag in the gadget spec.
