I'm implementing a mac authorization module for request handling library [1] based on the latest mac spec. I ran into a curious implementation detail having do with the bodyhash value passed in by the client.
Here [2], it says the server should recalculate the bodyhash if the client passes one in. Since it doesn't mention comparing bodyhash values, does that mean the only reason for having to pass in the value of the bodyhash is so that the server knows to include it's own bodyhashing vs an empty string in the mac hash verification? Otherwise, I don't see why the client needs to pass it in. There there an implicit requirent for the server to also validate the bodyhash before calculating the it's own mac for validation? I realize some request bodies may be empty but couldn't the server detect that on it's own and make it required that the client also includes a bodyhash in its own mac calculation. That would be one less header field server implementors have to handle different paths of executions for. [1]: https://github.com/n8han/unfiltered/#readme [2]: http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-05#section-4 -Doug Tangren http://lessis.me
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
