Wrong oauth signature when multiple same param keys exist #612

Closed
@hyjin
hyjin commented Jul 31, 2013

According to http://tools.ietf.org/html/rfc5849#section-3.4.1.3.2,
when normalizing parameters to calculate the base string for the oauth signature,
the oauth client should handle multiple parameters with the same key name.

For example (quoted from RFC 5849),
when building the base string for the following request,

    POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1
    Host: example.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: OAuth realm="Example",
                   oauth_consumer_key="9djdj82h48djs9d2",
                   oauth_token="kkk9d7dh3k39sjv7",
                   oauth_signature_method="HMAC-SHA1",
                   oauth_timestamp="137131201",
                   oauth_nonce="7d8f3e4a",
                   oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D"

    c2&a3=2+q

the client should include both 'a3' param keys (in the query string and in the body) and their values.

Currently request can't do this because it builds the parameter map as an object and passes it to oauth-sign.

For your information, http://oauth.googlecode.com/svn/code/javascript/oauth.js builds the parameter map as an array of [key, value].
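The normalization described in the comment above, as an added example that is not code from this pull request or from request/oauth-sign: it keeps parameters as [key, value] pairs and compares the result with an object-keyed map for the RFC 5849 request quoted above. The function names are hypothetical, and `URLSearchParams` is assumed here for decoding the query string and form body.

```javascript
// Added example: RFC 5849 section 3.4.1.3.2 normalization over [key, value] pairs.
// Percent-encode so that only RFC 3986 unreserved characters stay literal.
function rfc3986(str) {
  return encodeURIComponent(str).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Collect decoded pairs from the query string, the form body and the
// oauth_* header parameters, keeping every occurrence of a repeated key.
function collectPairs(query, body, oauthParams) {
  return [
    ...new URLSearchParams(query),
    ...new URLSearchParams(body),
    ...Object.entries(oauthParams),
  ];
}

// Encode first, then sort by name (and by value for equal names), then join.
// Plain < and > compare code units, which is byte order for encoded ASCII.
function normalize(pairs) {
  return pairs
    .map(([k, v]) => [rfc3986(k), rfc3986(v)])
    .sort(([k1, v1], [k2, v2]) =>
      k1 < k2 ? -1 : k1 > k2 ? 1 : v1 < v2 ? -1 : v1 > v2 ? 1 : 0)
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
}

// Request from the comment above; realm and oauth_signature are excluded.
const query = 'b5=%3D%253D&a3=a&c%40=&a2=r%20b';
const body = 'c2&a3=2+q';
const oauthParams = {
  oauth_consumer_key: '9djdj82h48djs9d2',
  oauth_token: 'kkk9d7dh3k39sjv7',
  oauth_signature_method: 'HMAC-SHA1',
  oauth_timestamp: '137131201',
  oauth_nonce: '7d8f3e4a',
};

const pairs = collectPairs(query, body, oauthParams);
const asArray = normalize(pairs);
// An object keyed by name keeps only the last a3, so the signed string differs
// from what a compliant server computes and the signature is rejected.
const asObject = normalize(Object.entries(Object.fromEntries(pairs)));

console.log(asArray);
console.log(asObject);
```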

@hyjin hyjin referenced this pull request in request/oauth-sign Sep 9, 2013
Merged

Handle array param values and sort after encode #6

@hyjin hyjin Use both query and form to oauth sign calculation.
And also handles array values node's querystring.parse.
22db4c3
@hyjin
hyjin commented Sep 9, 2013

This pull request depends on request/oauth-sign#6

@hyjin hyjin Simpler params merge and append realm to auth header
Use querystring.parse to build oauth request params.
Now realm prop in oauth options will be included in authorization
header.
3bd3710
@mikeal
Member
mikeal commented Aug 27, 2014

is this still necessary?

@bengl
bengl commented Sep 26, 2014

This can be closed since #996 was merged.

@mmalecki mmalecki closed this Sep 26, 2014