Screwtape

Screwtape at

Teaching myself how OAuth 1.0 works by banging my head against pump.io until the headache goes away.

It turns out that although the RFC states that when oauth_signature_method="PLAINTEXT", the oauth_timestamp and oauth_nonce parameters are optional, apparently this is not the case in the Real World.

Also, it seems that OAuth likes things to be double-percent-encoded (so "&" becomes "&" and then "&") for reasons I don't understand. Maybe it doesn't like doing things an odd number of times? Must be hell trying to turn the lights on in the evening.
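Where the two encodings in the post above actually come from, as an added example that is not part of the original post or of pump.io: RFC 5849 section 3.6 percent-encodes every parameter name and value once, and then the signature value (and, for HMAC-SHA1, the whole normalized parameter string) is percent-encoded a second time when it is put into the Authorization header or the signature base string. The consumer key, secrets, timestamp and nonce below are constructed sample values, and `plaintext_auth_header` always sends oauth_timestamp and oauth_nonce even though the RFC makes them optional for PLAINTEXT, which is what the post reports real servers demanding.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def oauth_encode(s: str) -> str:
    # RFC 5849 section 3.6: encode everything except ALPHA, DIGIT, "-", ".", "_", "~"
    # (urllib.quote always uppercases the hex digits, as the RFC requires).
    return quote(s, safe="-._~")


def plaintext_signature(consumer_secret: str, token_secret: str = "") -> str:
    # Section 3.4.4: the PLAINTEXT "signature" is just the two secrets,
    # each encoded once, joined by "&". A literal "&" in a secret becomes "%26".
    return oauth_encode(consumer_secret) + "&" + oauth_encode(token_secret)


def normalized_params(params) -> str:
    # Section 3.4.1.3.2: encode each name and value, sort by name then value, join.
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, base_url: str, params) -> str:
    # Section 3.4.1.1: METHOD & encode(url) & encode(normalized params).
    # The normalized string is already encoded once, so this is the second
    # pass: "&" -> "%26" and an earlier "%26" -> "%2526".
    return "&".join([
        method.upper(),
        oauth_encode(base_url),
        oauth_encode(normalized_params(params)),
    ])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    # Section 3.4.2: the HMAC key is the PLAINTEXT signature string.
    key = plaintext_signature(consumer_secret, token_secret).encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def authorization_header(oauth_params) -> str:
    # Section 3.5.1: every name and value is percent-encoded (again) and quoted.
    return "OAuth " + ", ".join(
        f'{oauth_encode(k)}="{oauth_encode(v)}"' for k, v in oauth_params
    )


def plaintext_auth_header(consumer_key, consumer_secret, token=None,
                          token_secret="", timestamp=None, nonce=None) -> str:
    """Build an OAuth 1.0 PLAINTEXT Authorization header.

    RFC 5849 section 3.1 lets oauth_timestamp and oauth_nonce be omitted for
    PLAINTEXT, but servers such as pump.io reject requests without them, so
    they are always included. Caller-supplied timestamp/nonce values are used
    as-is (an assumption made here so the output can be checked deterministically).
    """
    params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_signature_method", "PLAINTEXT"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
        ("oauth_nonce", nonce if nonce is not None else secrets.token_hex(8)),
        ("oauth_version", "1.0"),
    ]
    if token:
        params.append(("oauth_token", token))
    # The signature value is encoded once more by authorization_header(),
    # so "s3cr%26t&t0k%26n" ships as "s3cr%2526t%26t0k%2526n".
    params.append(("oauth_signature", plaintext_signature(consumer_secret, token_secret)))
    return authorization_header(params)


if __name__ == "__main__":
    # Constructed sample credentials; the "&" in each secret makes the
    # double encoding visible in the header.
    print(plaintext_auth_header("ckey", "s3cr&t", token="tok", token_secret="t0k&n"))
    print(signature_base_string("GET", "http://example.com/r", [("b", "2"), ("a", "x y&z")]))
```

The checklist a practitioner wants when a server rejects a hand-rolled request: encode with the RFC's unreserved set (not `urllib.parse.quote`'s default, which leaves "/" alone), sort the normalized parameters after encoding, encode the secrets before joining them with "&", and never encode the Authorization header value a third time by passing an already-encoded signature through a client library that encodes it for you.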
Well, double ROT13 is twice as secure as single ROT13, right?

I started writing my own OAuth provider a while ago based on python-openid and found it to be a useful excuse to go have a stiff drink instead.

Michael Gratton at 2013-09-17T07:04:05Z

Screwtape likes this.

That's the point where a coder goes "fuck, I'll use a library instead". :(

/usr/share at 2013-09-17T07:08:53Z

Screwtape likes this.

I've just noticed that my double-percent-encoding example seems to have been double-decoded somewhere along the way. Let's see how this goes:
  1. &
  2. &
  3. &
  4. %26
  5. %2526
  6. %252526
  7. %25252526
  8. %2525252526
Screwtape at 2013-09-17T09:57:45Z