I'm hacking at getting OAuth to work with AtomPub and can't get over a
snag : to add posts with AtomPub one must POST raw XML - which means
the query-varsPOST version of OAuth is out. It is a POST request, so
the query-varsGET method is out, and I'm on shared hosting (read: php
as CGI) so Authorization headers are out. What I'm wondering is if
there isn't some way to put the OAuth data in the GET string on a POST
request and not break the spec? Making the code support it would be
trivial.
On Sat, May 17, 2008 at 7:16 AM, Singpolyma <singpol...@gmail.com> wrote: > I'm hacking at getting OAuth to work with AtomPub and can't get over a > snag : to add posts with AtomPub one must POST raw XML - which means > the query-varsPOST version of OAuth is out. It is a POST request, so > the query-varsGET method is out, and I'm on shared hosting (read: php > as CGI) so Authorization headers are out. What I'm wondering is if > there isn't some way to put the OAuth data in the GET string on a POST > request and not break the spec? Making the code support it would be > trivial.
That sounds entirely reasonable to me.
Are you signing the raw XML body? There's been some discussion about various algorithms to do that, they all sound fine, we just need to pick one.
> On Sat, May 17, 2008 at 7:16 AM, Singpolyma <singpol...@gmail.com> wrote:
> > I'm hacking at getting OAuth to work with AtomPub and can't get over a
> > snag : to add posts with AtomPub one must POST raw XML - which means
> > the query-varsPOST version of OAuth is out. It is a POST request, so
> > the query-varsGET method is out, and I'm on shared hosting (read: php
> > as CGI) so Authorization headers are out. What I'm wondering is if
> > there isn't some way to put the OAuth data in the GET string on a POST
> > request and not break the spec? Making the code support it would be
> > trivial.
> That sounds entirely reasonable to me.
> Are you signing the raw XML body? There's been some discussion about
> various algorithms to do that, they all sound fine, we just need to
> pick one.
Besides using the xoauth_body_signature method, the xoauth and oauth
vars can just be part of the query string.
From the OAuth spec:
5.2. Consumer Request Parameters
OAuth Protocol Parameters are sent from the Consumer to the Service
Provider in one of three methods, in order of decreasing preference:
In the HTTP Authorization header as defined in OAuth HTTP
Authorization Scheme.
As the HTTP POST request body with a content-type of application/x-www-
form-urlencoded.
Added to the URLs in the query part (as defined by [RFC3986] section
3).
- Marc Worrell
On May 17, 4:16 pm, Singpolyma <singpol...@gmail.com> wrote:
> I'm hacking at getting OAuth to work with AtomPub and can't get over a
> snag : to add posts with AtomPub one must POST raw XML - which means
> the query-varsPOST version of OAuth is out. It is a POST request, so
> the query-varsGET method is out, and I'm on shared hosting (read: php
> as CGI) so Authorization headers are out. What I'm wondering is if
> there isn't some way to put the OAuth data in the GET string on a POST
> request and not break the spec? Making the code support it would be
> trivial.
On May 17, 12:18 pm, Marc Worrell <ma...@pobox.com> wrote:
> Besides using the xoauth_body_signature method, the xoauth and oauth
> vars can just be part of the query string.
This is what I want to do, but the spec seems to suggest that if
request type is POST that using the query string is not allowed? I'm
not sure I understand the xoauth_body_signature method - where does
the data go ?
> OAuth Protocol Parameters are sent from the Consumer to the Service
> Provider in one of three methods, in order of decreasing preference:
> In the HTTP Authorization header as defined in OAuth HTTP
> Authorization Scheme.
> As the HTTP POST request body with a content-type of application/x-www-
> form-urlencoded.
> Added to the URLs in the query part (as defined by [RFC3986] section
> 3).
> - Marc Worrell
> On May 17, 4:16 pm, Singpolyma <singpol...@gmail.com> wrote:
> > I'm hacking at getting OAuth to work with AtomPub and can't get over a
> > snag : to add posts with AtomPub one must POST raw XML - which means
> > the query-varsPOST version of OAuth is out. It is a POST request, so
> > the query-varsGET method is out, and I'm on shared hosting (read: php
> > as CGI) so Authorization headers are out. What I'm wondering is if
> > there isn't some way to put the OAuth data in the GET string on a POST
> > request and not break the spec? Making the code support it would be
> > trivial.
On May 17, 11:34 pm, Singpolyma <singpol...@gmail.com> wrote:
> This is what I want to do, but the spec seems to suggest that if
> request type is POST that using the query string is not allowed? I'm
> not sure I understand the xoauth_body_signature method - where does
> the data go ?
A lot of people would assume that you can't use the query string when
you are using POST (or PUT)
But that is not true, the query string is a valid part of the uri, and
as such you can always use it.
The xoauth_body_signature is the checksum of the http body being sent
(in your case the XML).
The xoauth_body_signature is handled just like the other oauth_xxxx,
add them together with the query/post variables and sign it the normal
way.
Make sure that the content-type is correctly set (in your case
application/xml) then it should work nicely.
