Eran,

>> 16. OAuth2 can provide a "secret" as a Unicode string. MAC algorithms such
>> as HMAC use a key that is a byte array. Section 2 of the MAC spec says 'secret'
>> can only include printable ASCII chars (except " and /). This is not quite right.
>> The MAC scheme should expect 'secret' to be a byte array (ie not limit its
>> chars). A 'secret' string from an OAuth2 response should be UTF-8 encoded
>> to produce the byte array the MAC scheme uses.
> What about when the secret is returned in the HTTP fragment?

A fragment is part of a URI which is a string. Presumably you:
(1) unescape any %xx sequences in the fragment (assuming UTF-8) to get a string of any Unicode characters;
(2) encode the string to bytes using some character encoding;
(3) pass the bytes as the secret key to the MAC algorithm.
The spec should explicitly state what the character encoding is at step (2).

> What is the value of making this use UTF-8.

It was one reasonable choice -- once I convince you that a string-to-bytes encoding needs to be explicitly stated. Other options are ASCII or hex or base64url.

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
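The three steps above, carried out in code as an added example that is not part of this thread or of either draft. The fragment, the parameter name `secret`, and the HMAC-SHA256 tag format are assumptions made for the example; the secret deliberately contains a non-ASCII character plus `"` and `/` to show both why step (2) must name an encoding and that the byte-array view has no reason to exclude those characters.

```python
import hashlib
import hmac
from urllib.parse import unquote

# Constructed sample fragment (hypothetical parameter name 'secret').
# The secret decodes to the Unicode string  p\u00e4ss/w"rd  (p, a-umlaut, ...).
SAMPLE_FRAGMENT = "access_token=tok123&secret=p%C3%A4ss%2Fw%22rd&token_type=mac"


def fragment_params(fragment: str) -> dict:
    """Step (1): split the URI fragment into name=value pairs and percent-decode
    each side, treating %xx sequences as UTF-8. errors='strict' makes a
    malformed UTF-8 sequence raise instead of silently yielding U+FFFD."""
    params = {}
    for pair in fragment.split("&"):
        name, _, value = pair.partition("=")
        params[unquote(name, encoding="utf-8", errors="strict")] = unquote(
            value, encoding="utf-8", errors="strict"
        )
    return params


def secret_key_bytes(secret: str, encoding: str = "utf-8") -> bytes:
    """Step (2): turn the Unicode secret string into the byte array an HMAC
    needs. The encoding is a parameter precisely so the example can show
    that leaving it unspecified gives interoperating parties different keys."""
    return secret.encode(encoding)


def mac_tag(key: bytes, normalized_request: bytes) -> str:
    """Step (3): HMAC-SHA256 over the normalized request using the byte key."""
    return hmac.new(key, normalized_request, hashlib.sha256).hexdigest()


def tag_for_fragment(fragment: str, request: bytes, encoding: str = "utf-8") -> str:
    """End to end: fragment string -> Unicode secret -> key bytes -> tag."""
    secret = fragment_params(fragment)["secret"]
    return mac_tag(secret_key_bytes(secret, encoding), request)


if __name__ == "__main__":
    req = b"GET /resource HTTP/1.1\nhost:example.com\n"
    print("utf-8   :", tag_for_fragment(SAMPLE_FRAGMENT, req, "utf-8"))
    print("latin-1 :", tag_for_fragment(SAMPLE_FRAGMENT, req, "latin-1"))
```

Run it and the two tags differ: the same secret string yields `70 c3 a4 ...` under UTF-8 but `70 e4 ...` under Latin-1, so a client and server that did not agree on step (2) would never verify each other's MACs.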