Wrong sort order for AFHMACSHA1Signature #36

touchbyte opened this Issue Mar 28, 2013 · 1 comment


None yet
2 participants

touchbyte commented Mar 28, 2013

The OAuth RFC standard states in

  1. The parameters are sorted by name, using ascending byte value ordering. If two or more parameters share the same name, they are sorted by their value.

AFHMACSHA1Signature sorts the parameters case insensitive which is not ascending byte value ordering. You should use case sensitve ordering instead:

NSString *queryString = AFPercentEscapedQueryStringPairMemberFromStringWithEncoding([[[[[request URL] query] componentsSeparatedByString:@"&"] sortedArrayUsingSelector:@selector(compare:)] componentsJoinedByString:@"&"], stringEncoding);

If you for example use OAuth with the SmugMug photo service, most API functions work fine, but the smugmug.albums.create function is not working correctly with AFOAuth1Client because SmugMug uses a Title parameter for this API function. With the current release Title is sorted after all the oauth_... parameters but it must be prior to this parameters because the uppercase 'T' is prior to the lowercase 'o' in byte value ordering.
This leads to an invalid signature error in the SmugMug API request.

@mattt mattt added a commit that referenced this issue May 7, 2013

@touchbyte @mattt touchbyte + mattt [Issue #36] Fixing sort order of HMAC signature
Signed-off-by: Mattt Thompson <m@mattt.me>

mattt commented May 7, 2013

Good call. I attributed c8f53e8 as best I could to you, since this issue is effectively a small pull request. Cheers!

mattt closed this May 7, 2013

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment