How to normalize request including GET params and XML body?
The OAuth spec says that request parameters should be normalized. Particularly "9.1.1. Normalize Request Parameters" says that all parameters included in the query string and the body must be sorted and signed. What if the body is XML?
Example: Web app posts a request to G.ho.st API:
POST /soap/someservice HTTP/1.1
Host: api.g.ho.st
Content-length: ...
Content-type: ...
<xml>
<param1>value1</param1>
<param2>value2</param2>
...
</xml>
This question was posted a long time ago, but I'll clarify here in case anyone has the same question.
OAuth only signs application/x-www-form-urlencoded parameters; if you have a "Content-type:" that is different from that (e.g., "application/xml"), then it won't be signed.
The reason it was built that way is that different body types might have different requirements for canonicalisation, and we couldn't hope to specify all of those approaches.
If you're not worried about man-in-the-middle attacks, you don't need to worry about it --- OAuth will just handle the authorization part of the request, and won't guarantee the consistency of the data.
If you are worried about the consistency of the data, and have a way to hash your XML, you can include a "regular" HTTP parameter (application/x-www-form-urlencoded) that *will* get signed whose value is the signature of the XML. On the server side, you can check that the value of that parameter is equal to the hash of the XML that you received.
Alternatively, you can just use SSL to ensure that the XML isn't modified in transit.
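The following is an added example, not code from the original question or answer, and not G.ho.st's API. It implements the OAuth 1.0 parameter normalization from section 9.1.1 and HMAC-SHA1 signing, then shows the point the answer makes: an XML body is not covered by the signature, so a request whose body was swapped in transit still verifies, while adding a signed form parameter carrying a hash of the body lets the server detect the swap. The consumer key and secret, nonce, timestamp, the https scheme on the URL and the parameter name `body_hash` are all assumptions chosen for the illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote

# Constructed values for the example; none of these come from the original page.
CONSUMER_KEY = "example-consumer"
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = ""  # two-legged request without an access token: empty token secret
METHOD = "POST"
URL = "https://api.g.ho.st/soap/someservice"  # scheme assumed; path from the question
XML_BODY = b"<xml><param1>value1</param1><param2>value2</param2></xml>"

BASE_PARAMS = {
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",      # constructed
    "oauth_nonce": "kllo9940pd9333jh",    # constructed
    "oauth_version": "1.0",
}


def oauth_escape(s: str) -> str:
    """Percent-encode per OAuth 1.0 section 5.1: only RFC 3986 unreserved chars stay."""
    return quote(s, safe="-._~")


def normalize_parameters(params: dict) -> str:
    """Section 9.1.1: encode name and value, sort by name then value, join with '&'.
    oauth_signature is excluded. Only query-string and form-encoded parameters are
    ever passed in here; a non-form body has no representation in this string."""
    pairs = sorted(
        (oauth_escape(k), oauth_escape(v))
        for k, v in params.items()
        if k != "oauth_signature"
    )
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Section 9.1.3: METHOD & encoded(URL) & encoded(normalized parameters)."""
    return "&".join([method.upper(), oauth_escape(url), oauth_escape(normalize_parameters(params))])


def hmac_sha1_signature(method: str, url: str, params: dict,
                        consumer_secret: str, token_secret: str = "") -> str:
    """Section 9.2: HMAC-SHA1 over the base string, keyed by 'consumer&token' secrets."""
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def xml_body_hash(body: bytes) -> str:
    """Hash of the raw XML bytes. No XML canonicalization is done, so client and
    server must hash exactly the same bytes; if a proxy may re-serialize the XML,
    canonicalize (e.g. C14N) on both sides before hashing."""
    return hashlib.sha256(body).hexdigest()


def client_sign(params: dict, body: Optional[bytes] = None) -> dict:
    """Sign the form/query parameters; optionally bind the XML body via 'body_hash'
    (hypothetical parameter name), which is a form parameter and therefore signed."""
    signed = dict(params)
    if body is not None:
        signed["body_hash"] = xml_body_hash(body)
    signed["oauth_signature"] = hmac_sha1_signature(METHOD, URL, signed, CONSUMER_SECRET, TOKEN_SECRET)
    return signed


def server_verify(params: dict, body: bytes) -> bool:
    """Recompute the signature over the received parameters, then, if the client
    sent body_hash, check the received XML against it."""
    expected = hmac_sha1_signature(METHOD, URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    if "body_hash" in params:
        return hmac.compare_digest(params["body_hash"], xml_body_hash(body))
    return True


def demo_unprotected_body_tampering() -> bool:
    """No body_hash: the XML is swapped in transit, yet the signature still verifies."""
    signed = client_sign(BASE_PARAMS)
    tampered = XML_BODY.replace(b"value2", b"attacker")
    return server_verify(signed, tampered)


def demo_protected_body_tampering() -> bool:
    """With body_hash: the same swap is detected because the hash is signed."""
    signed = client_sign(BASE_PARAMS, XML_BODY)
    tampered = XML_BODY.replace(b"value2", b"attacker")
    return server_verify(signed, tampered)


if __name__ == "__main__":
    print("normalized:", normalize_parameters(BASE_PARAMS))
    print("unprotected body accepted after tampering:", demo_unprotected_body_tampering())
    print("protected body accepted after tampering:", demo_protected_body_tampering())
```

Because `body_hash` sorts ahead of the `oauth_*` names in the normalized string, it is covered by the base string and cannot be changed without invalidating the signature; an attacker who alters the XML would have to alter `body_hash` too, which they cannot do without the consumer secret.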