
Re: UTF-8 re-encodings (was Re: [oauth] Re: OAuth Core 1.0 "Editor's Cut") Zhihong Mon Mar 16 11:03:15 2009

You are correct. Just looked at the code again and it does seem to
sort the parameters correctly. I missed the magic in URLEncoder.

I will find out why my testcase fails and get back to you if I find
any issues.


On Mar 15, 4:06 pm, [EMAIL PROTECTED] wrote:
> Once we clarify sorting, let's add some test cases to
> http://wiki.oauth.net/TestCases
> Sorting was ably discussed in
> http://groups.google.com/group/oauth/browse_thread/thread/7c698004be0...
> One must percent encode the parameter names and values and then sort
> their encoded form.  This is different from the order of the data
> before percent encoding.  For example, {} comes before AB, because the
> percent encoding of {} is %7B%7D, which comes before AB (the percent
> encoding of AB).
> The Java library encodes characters to UTF-8, and percent-encodes
> before sorting.  At the end it sorts by Unicode, but don't be fooled:
> it's not sorting the original data.
> Forbidding repeated parameter names would be a significant change from
> OAuth 1.0.  It's too late for such a change, I think.
> On Mar 11, 7:50 am, Zhihong <[EMAIL PROTECTED]> wrote:
> > Regarding character encoding, current spec sounds good but it's really
> > hard to implement. The fact is that all the OAuth libraries we use are
> > non-compliant.
> > Java library sorts on UTF-16BE. The PHP one is messy, it probably
> > sorts on the octet stream of whatever encoding defined by setlocale.
> > The sorting is a tough issue no matter what you do. If you sort on
> > octet stream, you have to bypass most web frameworks to get it. If you
> > sort on a specific encoding, it's not readily convertible on some
> > platforms. Sometimes, OAuth just doesn't know what encoding it is.
> > OAuth should stay out of the multi-byte collation mess. We achieve this
> > by adding the following restrictions to the OAuth spec:
> >   1. Parameter name must be ASCII.
> >   2. Duplicate parameters are not allowed.
> > Even without OAuth, these 2 restrictions are good practices for any
> > web protocol. Our product is for the Chinese market, and I haven't seen
> > anyone use non-ASCII names in parameter names.
> > So I think these restrictions should be added in OAuth, at least as
> > recommendations.
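The ordering rule described in the quoted message (percent-encode names and values, then sort the encoded form), shown as an added Python example that is not part of the thread or of any OAuth library. Function names and sample parameters are constructed for illustration; the last two helpers show how ordering raw strings by UTF-16 code units can disagree with the order of the encoded form.

```python
from urllib.parse import quote

def pct(s):
    """OAuth 1.0 parameter encoding: UTF-8 octets, everything except
    ALPHA / DIGIT / '-' / '.' / '_' / '~' becomes uppercase %XX."""
    return quote(s, safe="-._~", encoding="utf-8")

def normalize(params):
    """Encode names and values first, then sort the encoded pairs.
    Repeated names stay legal and are ordered by encoded value."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)

def sort_raw_then_encode(params):
    """Mistaken variant for comparison: orders the data before encoding."""
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params))

def encoded_order(names):
    """Order names by their percent-encoded UTF-8 form."""
    return sorted(names, key=pct)

def utf16_order(names):
    """Order names by UTF-16BE code units (a raw UTF-16 string compare)."""
    return sorted(names, key=lambda s: s.encode("utf-16-be"))

# Constructed sample input: the thread's {} / AB case plus a repeated name.
SAMPLE = [("AB", "2"), ("a", "y"), ("{}", "1"), ("a", "x")]
# Constructed non-ASCII names: U+10400 (outside the BMP) and U+FF21 (BMP).
NAMES = ["\U00010400", "\uff21"]

if __name__ == "__main__":
    print(normalize(SAMPLE))             # {} sorts first as %7B%7D
    print(sort_raw_then_encode(SAMPLE))  # differs: {} ends up last
    print([pct(n) for n in encoded_order(NAMES)])
    print([pct(n) for n in utf16_order(NAMES)])
```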