Can OAuth be used for file upload?
How would I sign a request if it contains a file upload parameter, that in my case could be 100+ MB?
Does the specification (or an extension of it) support specifying parameters that do not need to be part of the signature so the server can ignore them?
The spec only specifies signing x-www-url-form-encoded parameters, so multi-part file uploads won't be included in the signature. It sounds like for what you want, the existing libraries will do the trick.
--- You're done unless... ---
If you *do* want to sign the file upload at some later date, the way we generally agree it should be done is:
- Specify a form parameter in your API that gets submitted along with your file upload.
- The value of that parameter should be a hash of the file being uploaded.
- That parameter will be signed along with the other parameters, so when the upload comes in, the server can re-create the hash of the file and verify that it matches the value of the parameter.
- If you also include the file size as a separate parameter, and verify that the size of the uploaded file matches the size specified in the parameters, you can be (reasonably) sure that the file hasn't been modified to exploit weaknesses in the hashing algorithm you're using.
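The hash-and-size scheme described in the answer above, as an added example that is not part of the original post or of any OAuth library. The parameter names `file_hash` and `file_size`, the choice of SHA-256, and the URL and secret are assumptions; the base string here covers form parameters only and skips query-string merging and URL normalization.

```python
import base64, hashlib, hmac, io
from urllib.parse import quote

def pct(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(s), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the signature base string: METHOD & URL & sorted params.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def digest_stream(fileobj, chunk=1 << 20):
    # Hash in 1 MiB chunks so a 100+ MB upload is never held in memory.
    h, size = hashlib.sha256(), 0
    while block := fileobj.read(chunk):
        h.update(block)
        size += len(block)
    return h.hexdigest(), size

def client_request(fileobj, oauth_params, method, url, consumer_secret):
    # file_hash and file_size are hypothetical names for the API's form fields.
    file_hash, size = digest_stream(fileobj)
    params = dict(oauth_params, file_hash=file_hash, file_size=str(size))
    return params, sign(method, url, params, consumer_secret)

def server_verify(method, url, params, signature, fileobj, consumer_secret):
    # 1. Signature first: it authenticates file_hash and file_size.
    expected = sign(method, url, params, consumer_secret)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "bad signature"
    # 2. Then check the uploaded bytes against the signed values.
    file_hash, size = digest_stream(fileobj)
    if str(size) != params.get("file_size"):
        return "size mismatch"
    if file_hash != params.get("file_hash"):
        return "hash mismatch"
    return "ok"

# Constructed sample values, not from a real service.
URL, SECRET = "https://api.example.com/upload", "constructed-consumer-secret"
OAUTH = {"oauth_consumer_key": "demo-key", "oauth_nonce": "n1",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1700000000"}
FILE = b"constructed file body\n" * 1000
PARAMS, SIG = client_request(io.BytesIO(FILE), OAUTH, "POST", URL, SECRET)
```

The server rejects the request before reading the upload if the signature fails, so an unauthenticated sender cannot make it hash a large file.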