
Bug in OAuth key generation for sha1 #263

Merged
merged 1 commit into from Jun 8, 2012

@nanodocumet
Contributor

commented Jun 7, 2012

Per spec (http://tools.ietf.org/html/rfc5849#section-3.4.2) the consumer_secret (client shared-secret) and token_secret should be encoded before being used as part of the key for sha1.

@mikeal

Member

commented Jun 8, 2012

are you sure this doesn't double-encode the same value later on?

@nanodocumet

Contributor Author

commented Jun 8, 2012

99% sure that it does not. None of the tests for OAuth include any of the following characters, , / ? : @ & = + $ #, in either the consumer_secret or the token_secret, and that's probably why it has not been found before.

The key is just for the SHA1, the result is the signature. From the spec:

digest: is used to set the value of the "oauth_signature" protocol parameter, after the result octet string is base64-encoded per [RFC2045], Section 6.8.

@mikeal

Member

commented Jun 8, 2012

OK, merging. I'll keep an eye out for new reported OAuth failures just in case.

mikeal added a commit that referenced this pull request Jun 8, 2012

Merge pull request #263 from nanodocumet/master
Bug in OAuth key generation for sha1

@mikeal mikeal merged commit 5027141 into request:master Jun 8, 2012
