Loading Profile...
Is there a resource for the status/compliance of the various code libraries for OAuth?
When researching the issue I reported earlier (http://getsatisfaction.com/oauth/topi...) I tried to go reference the code samples in the code section of the OAuth website and came across all of the libraries with their various incarnations of the signing. For example, I drew up the following explaining how each of the various libraries build the signature base string:
Python:
- endpoint
- normalized request parameters
- http method
- consumer secret
- token secret
Ruby (oauth.rb)
- consumer secret
- consumer key
- token
- token secret
- http method
- endpoint
- normalized request parameters
- nonce
- timestamp
This version seems to be out of sync with the spec, and appears to be superceded by the gem version in the oauth folder underneath the ruby section. Also note that rather than combining each element of the signature base string with an ampersand, this code created key value pairs, url-encoded style, which it then combines with ampersands.
oauth.rb: request_method=GET&request_uri=http://foo.com
the spec's: GET&http://foo.com
Please note i'm not uri encoding the above string.
It seems like this file should removed from the code repo, since it confused me and possibly has confused others.
Ruby (oauth rubygem)
This version seems to match the spec, except for some bugs in the signature classes (hmac_class is self-referential instead of to the concrete implementations, which don't seem to exist).
PHP (OAuth.php in the google code project)
- consumer secret
- consumer key
- token
- token secret
- http method
- endpoint
- normalized request parameters
- timestamp
- nonce
PHP (http://teczno.com/HTTP_Request_Oauth....)
- This matches the spec as far as I can tell
Perl
- This matches the spec as far as I can tell
C#
- This matches the spec as far as I can tell, with the exception that is it doesn't have a facility for signing requests with form bodies
Of the 7 versions I showed here, less than half of them can be used to generate a valid oauth signature at present. Or at least a valid OAuth signature as I understand the spec. Given that, someone coming into the system clean (like me) can get really confused (which I did :)).
That was quite a lot of text before I got to my point, but to me it seems like there should be a page out there on the oauth.net websites that has a up to date status on each of the available code libraries. Such a page would really go a long way to help people no where they should go to learn this spec.
Python:
- endpoint
- normalized request parameters
- http method
- consumer secret
- token secret
Ruby (oauth.rb)
- consumer secret
- consumer key
- token
- token secret
- http method
- endpoint
- normalized request parameters
- nonce
- timestamp
This version seems to be out of sync with the spec, and appears to be superceded by the gem version in the oauth folder underneath the ruby section. Also note that rather than combining each element of the signature base string with an ampersand, this code created key value pairs, url-encoded style, which it then combines with ampersands.
oauth.rb: request_method=GET&request_uri=http://foo.com
the spec's: GET&http://foo.com
Please note i'm not uri encoding the above string.
It seems like this file should removed from the code repo, since it confused me and possibly has confused others.
Ruby (oauth rubygem)
This version seems to match the spec, except for some bugs in the signature classes (hmac_class is self-referential instead of to the concrete implementations, which don't seem to exist).
PHP (OAuth.php in the google code project)
- consumer secret
- consumer key
- token
- token secret
- http method
- endpoint
- normalized request parameters
- timestamp
- nonce
PHP (http://teczno.com/HTTP_Request_Oauth....)
- This matches the spec as far as I can tell
Perl
- This matches the spec as far as I can tell
C#
- This matches the spec as far as I can tell, with the exception that is it doesn't have a facility for signing requests with form bodies
Of the 7 versions I showed here, less than half of them can be used to generate a valid oauth signature at present. Or at least a valid OAuth signature as I understand the spec. Given that, someone coming into the system clean (like me) can get really confused (which I did :)).
That was quite a lot of text before I got to my point, but to me it seems like there should be a page out there on the oauth.net websites that has a up to date status on each of the available code libraries. Such a page would really go a long way to help people no where they should go to learn this spec.
1 person has this question
I have this question, too!
Tell me when someone answers.
The more people who ask this question, the more it gets noticed.
The more people who ask this question, the more it gets noticed.
-
Inappropriate?Hmm, good point. Are you around next week to come hack with us?
-
Inappropriate?What versions of Ruby Code are you referring to?
Where is that rubygem version?
Just concerned now!
Thanks,
Pat. -
Inappropriate?What are you concerned about Pat?
EMPLOYEE
