[oauth] OAuth and HTTP proxies

Eran Hammer-Lahav <eran@hueniverse.com> Tue, 10 March 2009 05:43 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Date: Mon, 09 Mar 2009 22:44:24 -0700
Cc: "oauth@ietf.org" <oauth@ietf.org>

Can someone please review the OAuth spec [1], in particular section 3.3.1.3, to help determine if the way OAuth signs requests is compatible with HTTP proxies?

OAuth signs the request URI based on either the content of the Host header or the actual hostname and port used to make the request. It was written with total disregard to proxies and caches. I am trying to find out if it breaks or breaks something else.

EHL

[1] http://tools.ietf.org/html/draft-hammer-oauth-01
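
The dependency on the Host header raised in the message above can be seen by computing an OAuth 1.0 HMAC-SHA1 signature over the base string (lowercased scheme and host, default port dropped) and then verifying it against a different Host value. This is an added example, not part of the original message or the spec; the host names, parameters, secrets and function names are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def enc(s):
    # OAuth percent-encoding: only unreserved characters stay literal
    return quote(s, safe="-._~")

def base_string_uri(scheme, host_header, path):
    # Lowercase scheme and host, drop the default port, exclude the query.
    # Assumes a name or IPv4 host (no bracketed IPv6 literal).
    scheme = scheme.lower()
    host, _, port = host_header.lower().partition(":")
    default = {"http": "80", "https": "443"}[scheme]
    authority = host if port in ("", default) else f"{host}:{port}"
    return f"{scheme}://{authority}{path}"

def sign(method, scheme, host_header, path, params, consumer_secret, token_secret):
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    uri = base_string_uri(scheme, host_header, path)
    base = "&".join([method.upper(), enc(uri), enc(normalized)])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(signature, *request):
    # Recompute over what the verifier believes the request URI was
    return hmac.compare_digest(signature, sign(*request))

# Constructed sample request and credentials (not from the page)
PARAMS = {"oauth_consumer_key": "ck-demo", "oauth_token": "tk-demo",
          "oauth_nonce": "n0nce", "oauth_timestamp": "1236663864",
          "oauth_signature_method": "HMAC-SHA1", "size": "original"}
SECRETS = ("consumer-secret", "token-secret")
CANONICAL = "api.example.com"  # authority the server is configured to expect

def demo():
    sent = sign("GET", "http", "API.example.com:80", "/photos", PARAMS, *SECRETS)
    # Host arrives unchanged: normalization makes it match
    direct = verify(sent, "GET", "http", "api.example.com:80", "/photos", PARAMS, *SECRETS)
    # An intermediary forwarded the request with its own upstream Host value
    rewritten = verify(sent, "GET", "http", "backend-1.internal:8080", "/photos", PARAMS, *SECRETS)
    # Verifier ignores the received Host and uses its configured authority
    pinned = verify(sent, "GET", "http", CANONICAL, "/photos", PARAMS, *SECRETS)
    return direct, rewritten, pinned

if __name__ == "__main__":
    print(demo())
```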