oltu-dev mailing list archives

From Pid <...@pidster.com>
Subject Re: Question about the token secret?
Date Fri, 09 Jul 2010 10:46:49 GMT
On 09/07/2010 11:41, Simone Tripodi wrote:
> Agreed, good catch,
> that means that it has to be added to SignatureMethods methods
> signature, since in client/server we have totally different statuses.
> Something cheated me, thanks for the advice :)

Or leave the signature as is?

Add:
 OAuthRequest.getToken();

and retrieve it from the token, inside SignatureMethod?

 String calculate(OAuthRequest req);

  OAuthToken t = req.getToken();
  String tokenKey = t.getKey();
  String tokenSecret = t.getSecret();

it would just mean the server version has to update the token before
passing it to SignatureMethod.  I think that's neater.


p




> Simo
> 
> http://people.apache.org/~simonetripodi/
> http://www.99soft.org/
> 
> 
> 
> On Fri, Jul 9, 2010 at 12:30 PM, Pid <pid@pidster.com> wrote:
>> On 09/07/2010 11:03, Simone Tripodi wrote:
>>> The token secret (aka secret credential) is required (empty, if not
>>> known) to generate signatures (at least for the PLAINTEXT and HMAC methods),
>>> so it sounds like it is currently missing in the SignatureMethod methods
>>> signatures
>>>
>>> OR
>>>
>>> has to be added in the OAuthRequest ???
>>
>> Yes - we'll need it somewhere.
>>
>> Maybe the request could have an OAuthToken getToken() method and we'll
>> store the token component(s) separately from the other values?
>>
>> In client mode it would be available in the token.
>>
>> In server mode we'd have to look it up from the TokenStorage, using the
>> key supplied in the request and update the token before passing it to
>> SignatureMethod.
>>
>>
>> p
>>
>>> I'd suggest the second option, WDYT?
>>>
>>> Thanks in advance, have a nice day!
>>> Simo
>>>
>>> http://people.apache.org/~simonetripodi/
>>> http://www.99soft.org/
>>
>>
>>
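The approach discussed in this thread, sketched as an added example (not code from the messages or from the project): an HMAC-SHA1 signature method that reads the token secret from the request's token, using an empty secret when none is known, and a server-side check that looks the secret up by token key before calculating. The class name, the record shapes, the `Map` standing in for TokenStorage and the sample values are assumptions; it needs Java 16 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TokenSecretDemo {
    // Hypothetical shapes for the types named in the thread.
    record OAuthToken(String key, String secret) {}
    record OAuthRequest(String baseString, String consumerSecret, OAuthToken token) {}

    // Percent-encoding with the RFC 3986 unreserved set, as OAuth 1.0 requires.
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // HMAC-SHA1 signature method: the token secret comes from the request's token.
    static String calculate(OAuthRequest req) throws Exception {
        OAuthToken t = req.token();
        String tokenSecret = (t == null || t.secret() == null) ? "" : t.secret(); // empty if not known
        String key = enc(req.consumerSecret()) + "&" + enc(tokenSecret);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(
                mac.doFinal(req.baseString().getBytes(StandardCharsets.UTF_8)));
    }

    // Server mode: the request carries only the token key, so look the secret up first.
    static boolean verify(OAuthRequest received, String signature,
                          Map<String, String> tokenStorage) throws Exception {
        String secret = tokenStorage.get(received.token().key());
        if (secret == null) return false; // unknown token key: reject
        OAuthRequest updated = new OAuthRequest(received.baseString(), received.consumerSecret(),
                new OAuthToken(received.token().key(), secret));
        // Compare expected and supplied signatures in constant time.
        return MessageDigest.isEqual(calculate(updated).getBytes(StandardCharsets.UTF_8),
                signature.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String base = "GET&http%3A%2F%2Fexample.com%2Fr&oauth_token%3Dtok1"; // constructed sample
        String sig = calculate(new OAuthRequest(base, "cs", new OAuthToken("tok1", "ts")));
        OAuthRequest onWire = new OAuthRequest(base, "cs", new OAuthToken("tok1", null));
        System.out.println(verify(onWire, sig, Map.of("tok1", "ts")));
        System.out.println(verify(onWire, sig, Map.of("tok1", "other")));
    }
}
```

The first check succeeds because the stored secret matches the one the client signed with; the second fails because the signing key differs.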


