[OAUTH-WG] Can OAuth AuthN Header Scheme include other request parameters?

Tatsuya KATSUHARA <t-katsuhara@nri.co.jp> Thu, 22 April 2010 12:46 UTC

Message-ID: <4BD04530.3050803@nri.co.jp>
Date: Thu, 22 Apr 2010 21:46:40 +0900
From: Tatsuya KATSUHARA <t-katsuhara@nri.co.jp>
To: oauth@ietf.org
Subject: [OAUTH-WG] Can OAuth AuthN Header Scheme include other request parameters?

Dear experts.

I read the two specifications (community / IETF Hammer draft), and I am confused
about how to interpret those specs regarding the rules for signing additional parameters.

- Community (http://oauth.net/core/1.0)
------------------------------
"5.2 Consumer Request Parameters"
In addition to these defined methods, future extensions may describe alternate
methods for sending the OAuth Protocol Parameters. The methods for sending other
request parameters are left undefined, but SHOULD NOT use the OAuth HTTP
Authorization Scheme (OAuth HTTP Authorization Scheme) header.
------------------------------
"7.  Accessing Protected Resources"
After successfully receiving the Access Token and Token Secret, the Consumer is
able to access the Protected Resources on behalf of the User. The request MUST
be signed per Signing Requests (Signing Requests), and contains the following
parameters:

oauth_consumer_key:
...
Additional parameters:
    Any additional parameters, as defined by the Service Provider.
------------------------------

I think this part of the spec seems to say that the HTTP Authorization header MUST NOT
include "other request parameters" (those which are not OAuth Protocol Parameters).

Does OAuth 1.0a allow sending other request parameters only in the POST request body
and as the query string?

And when the Consumer accesses protected resources, is the same rule applied?
(Must there be no other request parameters in the OAuth Authorization Header Scheme?)


- IETF (http://tools.ietf.org/html/draft-hammer-oauth-10)
"3.5.2. Form-Encoded Body" and "3.5.3. Request URI Query" say
------------------------------
The entity-body MAY include other request-specific parameters
The request URI MAY include other request-specific query parameters
------------------------------
but "3.5.1. Authorization Header" doesn't say
"The Authorization Header MUST NOT include other request-specific parameters".

The descriptions discussed above are confusing, at least for me.


If anyone knows the spec in detail, please let me know.


Best regards.

-- 
Tatsuya (=kthrtty)
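The parameter handling the two drafts describe, as an added example that is not part of the original message: it follows the signature base string rules of draft-hammer-oauth-10 (published as RFC 5849, section 3.4.1), and the request values are the protected-resource request from Appendix A.5 of the community OAuth Core 1.0 spec. It shows that application parameters such as `file` and `size` sent in the query string (or form body) are still covered by the signature, so keeping them out of the Authorization header costs nothing in integrity; the header contributes only the `oauth_*` parameters, and `realm` is excluded.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def pe(s):
    """RFC 5849 3.6 percent-encoding: only unreserved characters are kept."""
    return quote(str(s), safe="-._~")

def collect_params(url, auth_header, body=""):
    """All three parameter sources (3.4.1.3.1): query, header, form body."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    # Authorization header: oauth_* pairs only; "realm" is never signed.
    for item in auth_header[len("OAuth "):].split(","):
        name, value = item.strip().split("=", 1)
        if name != "realm":
            params.append((name, unquote(value.strip('"'))))
    if body:  # application/x-www-form-urlencoded entity-body
        params.extend(parse_qsl(body, keep_blank_values=True))
    return params

def base_string(method, url, params):
    """3.4.1.1: METHOD & base URI & normalized params, each percent-encoded."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme.lower())
    port = f":{u.port}" if u.port and u.port != default else ""
    base_uri = f"{u.scheme.lower()}://{u.hostname.lower()}{port}{u.path}"
    # 3.4.1.3.2: encode, sort by name then value; oauth_signature is excluded.
    pairs = sorted((pe(k), pe(v)) for k, v in params if k != "oauth_signature")
    return "&".join([method.upper(), pe(base_uri),
                     pe("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(base, consumer_secret, token_secret=""):
    """3.4.2: HMAC-SHA1 keyed with the encoded consumer and token secrets."""
    key = f"{pe(consumer_secret)}&{pe(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

# Request from OAuth Core 1.0 Appendix A.5: application parameters ("file",
# "size") travel in the query string, protocol parameters in the header.
URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
HEADER = ('OAuth realm="Photos", oauth_consumer_key="dpf43f3p2l4k3l03", '
          'oauth_token="nnch734d00sl2jdk", oauth_signature_method="HMAC-SHA1", '
          'oauth_timestamp="1191242096", oauth_nonce="kllo9940pd9333jh", '
          'oauth_version="1.0"')

def example_signature(url=URL):
    """Signature over every parameter, wherever it was transmitted."""
    params = collect_params(url, HEADER)
    return hmac_sha1(base_string("GET", url, params),
                     "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")
```

The resource server has to gather parameters from all three sources in the same way; a verifier that only reads the Authorization header would not notice a changed query or body parameter.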