Dear experts. I read the two specifications (community / IETF Hammer draft), and I am confused about how to interpret those specs regarding the rules for signing additional parameters.

- Community (http://oauth.net/core/1.0)
------------------------------
"5.2 Consumer Request Parameters"
In addition to these defined methods, future extensions may describe alternate methods for sending the OAuth Protocol Parameters. The methods for sending other request parameters are left undefined, but SHOULD NOT use the OAuth HTTP Authorization Scheme (OAuth HTTP Authorization Scheme) header.
------------------------------
"7. Accessing Protected Resources"
After successfully receiving the Access Token and Token Secret, the Consumer is able to access the Protected Resources on behalf of the User. The request MUST be signed per Signing Requests (Signing Requests), and contains the following parameters:
oauth_consumer_key: ・・・
Additional parameters: Any additional parameters, as defined by the Service Provider.
------------------------------

I think this part of the spec seems to say that the HTTP Authorization header MUST NOT include "other request parameters" (which are not OAuth Protocol Parameters). Does OAuth 1.0a allow sending other request parameters only in the POST request body and as a query string? And when the Consumer accesses protected resources, is the same rule applied? (Must there be no other request parameters in the OAuth Authorization Header Scheme?)

- IETF (http://tools.ietf.org/html/draft-hammer-oauth-10)
"3.5.2. Form-Encoded Body" and "3.5.3. Request URI Query" say
------------------------------
The entity-body MAY include other request-specific parameters
The request URI MAY include other request-specific query parameters
------------------------------
but "3.5.1. Authorization Header" doesn't say "The Authorization Header MUST NOT include other request-specific parameters".

The descriptions discussed above are quite confusing, at least for me. If anyone knows the spec in detail, please let me know.

Best regards.
--
Tatsuya (=kthrtty)

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
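The question above is about where additional parameters may be carried; what the signature covers is a separate matter that the Hammer draft (later RFC 5849, section 3.4.1.3) settles by collecting parameters from all three locations (query string, form-encoded body, and the Authorization header minus realm and oauth_signature) into one normalized list. The following is an added worked example, not code from the post or from either specification. It builds the signature base string and HMAC-SHA1 signature for the request given in RFC 5849 section 3.4.1.3.1, then shows two things a server implementer cares about: moving a request-specific parameter between body and query does not change what is signed, and any change to a signed parameter is caught on verification. The consumer and token secrets are constructed placeholders, not values from the specs.

```python
"""OAuth 1.0 signature base string and HMAC-SHA1 signing/verification (RFC 5849, 3.4.1 and 3.4.2).

Added example; the request URL, body and header parameters are the ones RFC 5849
section 3.4.1.3.1 uses. CONSUMER_SECRET and TOKEN_SECRET are constructed placeholders.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """Percent-encode per RFC 5849 3.6: only the RFC 3986 unreserved set is left bare."""
    return quote(s, safe="-._~")


def collect_params(url, header_params=None, body=None):
    """Gather name/value pairs from every location RFC 5849 3.4.1.3.1 lists:
    the query string, the form-encoded body, and the Authorization header
    (excluding realm and oauth_signature). Values are decoded here and
    re-encoded exactly once during normalization."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if body:
        pairs += parse_qsl(body, keep_blank_values=True)
    for name, value in (header_params or {}).items():
        if name not in ("realm", "oauth_signature"):
            pairs.append((name, value))
    return pairs


def normalize_params(pairs):
    """RFC 5849 3.4.1.3.2: encode, sort by name then value, join with '=' and '&'."""
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def base_string_uri(url):
    """RFC 5849 3.4.1.2: lowercase scheme and host, drop default port, no query."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = u.hostname.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if u.port in (None, default) else f"{host}:{u.port}"
    return f"{scheme}://{netloc}{u.path or '/'}"


def signature_base_string(method, url, header_params=None, body=None):
    return "&".join([
        method.upper(),
        pct(base_string_uri(url)),
        pct(normalize_params(collect_params(url, header_params, body))),
    ])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key is pct(consumer_secret) '&' pct(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method, url, header_params, body, consumer_secret, token_secret):
    """Server side: rebuild the base string from the same three locations and compare
    in constant time against the oauth_signature carried in the Authorization header."""
    base = signature_base_string(method, url, header_params, body)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, header_params.get("oauth_signature", ""))


# Request from RFC 5849 section 3.4.1.3.1: oauth_* parameters in the header,
# request-specific parameters split between the query string and the body.
URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
BODY = "c2&a3=2+q"
HEADER = {
    "realm": "Example",
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
CONSUMER_SECRET = "j49sk3j29djd"  # constructed placeholder
TOKEN_SECRET = "dh893hdasih9"     # constructed placeholder


def demo():
    """Returns (base string, client signature verifies, base string unchanged when
    the 'c2' parameter is moved from the body to the query string)."""
    base = signature_base_string("POST", URL, HEADER, BODY)
    signed = dict(HEADER, oauth_signature=hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET))
    ok = verify("POST", URL, signed, BODY, CONSUMER_SECRET, TOKEN_SECRET)
    moved = signature_base_string("POST", URL + "&c2=", HEADER, "a3=2+q")
    return base, ok, moved == base


if __name__ == "__main__":
    base, ok, same = demo()
    print(base)
    print("client signature verifies:", ok)
    print("same base string after moving c2 to the query:", same)
```

The practical consequence for the question in the post: whichever of the two transport rules one reads into section 3.5.1, a server that verifies signatures must collect request-specific parameters from wherever it accepts them, because the client signed them; a parameter the server reads but does not include in its own base string is, in effect, unsigned.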