Re: [OAUTH-WG] HTTP request signing and repeated query/header keys

"Brock Allen" <> Sun, 28 February 2016 21:40 UTC


Ok, missed that – thanks.


For now in my implementation I’m also ignoring this problem :)

From: Justin Richer [] 
Sent: Sunday, February 28, 2016 4:37 PM
To: Brock Allen <>
Cc: <> <>
Subject: Re: [OAUTH-WG] HTTP request signing and repeated query/header keys


In §7.5 we currently have:


   The behavior of repeated query parameters or repeated HTTP headers is
   undefined by this specification.  If a header or query parameter is
   repeated on either the outgoing request from the client or the
   incoming request to the protected resource, that query parameter or
   header name MUST NOT be covered by the hash and signature. [[ Note to
   the WG: is this something we need to cover? ]]


Which is to say: Yeah, that’s a problem, probably. We either declare this behavior out of scope and say you can’t use this method with that kind of API (or at least those parameters/headers) or we define a mechanism for handling that. I’m in favor of the former, and removing the text from the generation sections that says repeated parameters are processed with no special handling, making them explicitly out of scope throughout.


I would love to see more feedback from the group about this, especially if someone’s got a clever solution.


 — Justin


On Feb 28, 2016, at 1:31 PM, Brock Allen wrote:


Given that the client can iterate over the query/headers in any order to generate the concatenated value to hash, I think there’s an issue with query string or header values with repeated keys. I’ll stick with query params for simplicity in my sample. 


If a client signs this concatenated query: “a=1&a=2” then the “p” value in the signed JSON object could be this:


"p": [["a", "a"], "blah"]


On the resource server, how do you know which key/value pair to put in which order for verification? Also, given that different server implementations express these incoming parameters in different ways, it seems problematic to be consistent.
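
An added illustration of the ambiguity raised in this thread (not code from the draft or from either poster): a client signs `a=1&a=2`, and three constructed models of how server frameworks expose repeated keys each fail to rebuild the hashed string. The hash construction (SHA-256 over `name=value` pairs joined by `&`, base64url-encoded) and all function names are assumptions made for the example.

```python
import base64, hashlib
from collections import Counter
from urllib.parse import parse_qsl

def digest(pairs):
    # Assumed simplification: SHA-256 over "name=value" joined by "&", base64url.
    joined = "&".join(f"{k}={v}" for k, v in pairs)
    raw = hashlib.sha256(joined.encode()).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def client_sign(query):
    # Client hashes the pairs in wire order and lists the names it covered.
    pairs = parse_qsl(query, keep_blank_values=True)
    return [[k for k, _ in pairs], digest(pairs)]

# Constructed models of how a server framework may expose the parsed query.
def view_last_wins(query):
    return dict(parse_qsl(query))                 # a=1&a=2 -> {"a": "2"}

def view_first_wins(query):
    out = {}
    for k, v in parse_qsl(query):
        out.setdefault(k, v)
    return out                                    # a=1&a=2 -> {"a": "1"}

def view_joined(query):
    out = {}
    for k, v in parse_qsl(query):
        out[k] = f"{out[k]},{v}" if k in out else v
    return out                                    # a=1&a=2 -> {"a": "1,2"}

def server_verify(signed, view):
    # Server rebuilds the hashed string from the signed name list and its own view.
    names, expected = signed
    return digest([(n, view[n]) for n in names]) == expected

def coverable_names(query):
    # The quoted §7.5 rule: a repeated name must not be covered by the hash.
    pairs = parse_qsl(query)
    counts = Counter(k for k, _ in pairs)
    return [k for k, _ in pairs if counts[k] == 1]

def results(query="a=1&a=2"):
    signed = client_sign(query)
    views = (view_last_wins, view_first_wins, view_joined)
    return {f.__name__: server_verify(signed, f(query)) for f in views}
```

Applying the §7.5 rule leaves every repeated parameter outside the signature, so a change to those values in transit is not detected by this check.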





