I'm implementing a mac authorization module for request handling library [1]
based on the latest mac spec. I ran into a curious implementation detail
having do with the bodyhash value passed in by the client.

Here [2], it says the server should recalculate the bodyhash if the client
passes one in. Since it doesn't mention comparing bodyhash values, does that
mean the only reason for having to pass in the value of the bodyhash is so
that the server knows to include it's own bodyhashing vs an empty string in
the mac hash verification? Otherwise, I don't see why the client needs to
pass it in. There there an implicit requirent for the server to also
validate the bodyhash before calculating the it's own mac for validation?

I realize some request bodies may be empty but couldn't the server detect
that on it's own and make it required that the client also includes a
bodyhash in its own mac calculation. That would be one less header field
server implementors have to handle different paths of executions for.

[1]: https://github.com/n8han/unfiltered/#readme
[2]: http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-05#section-4

-Doug Tangren
http://lessis.me
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to