- From: George Fletcher <gffletch@aol.com>
- Date: Tue, 10 Mar 2009 15:08:12 +0000
- To: Eran Hammer-Lahav <eran@hueniverse.com>
- CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "oauth@ietf.org" <oauth@ietf.org>
I checked and both Host and Authorization MUST be passed through unchanged by proxies. So from a signature perspective that will work fine for HTTP 1.1 requests (as they require the presence of the Host header). For proxies that accept HTTP 1.0 requests, they SHOULD add the Host header based on the received hostname:port in the proxied URI. Given that the hostname:port values must be normalized before being added to the SBS, this should not break the signature by the downstream service.

One issue with OAuth and proxies is that the responses are not signed. So while the request to the "server" is protected, the response from the server is not. This means that all responses are subject to MITM attacks by the proxies. If response signing is added, then proxies can also change the content encoding of the response, so all content "decoding" must be done before processing the entity body to construct the SBS.

Thanks,
George

Eran Hammer-Lahav wrote:
> Can someone please review the OAuth spec [1], in particular section 3.3.1.3, to help determine if the way OAuth signs requests is compatible with HTTP proxies?
>
> OAuth signs the request URI based on either the content of the Host header or the actual hostname and port used to make the request. It was written with total disregard to proxies and caches. I am trying to find out if it breaks or breaks something else.
>
> EHL
>
> [1] http://tools.ietf.org/html/draft-hammer-oauth-01
>
> _______________________________________________
> oauth mailing list
> oauth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
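As an added illustration of the host:port normalization George's reasoning relies on (example code, not from the thread or the OAuth draft), the following Python builds the OAuth 1.0 signature base string as the draft later standardized it in RFC 5849 and shows that a proxy which lowercases the host or appends the default port leaves the SBS unchanged, while a non-default port does not. The request target, OAuth parameters and host names are constructed for the example.

```python
import urllib.parse

# Constructed request as the client signed it (illustrative values, not from the thread)
METHOD = "GET"
REQUEST_TARGET = "/resource?b=2&a=1"
OAUTH_PARAMS = {
    "oauth_consumer_key": "key",
    "oauth_nonce": "n1",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1236697692",
    "oauth_version": "1.0",
}

def oauth_encode(s: str) -> str:
    """Percent-encode per OAuth: only unreserved chars (ALPHA DIGIT - . _ ~) stay literal."""
    return urllib.parse.quote(s, safe="-._~")

def normalize_base_uri(scheme: str, host_header: str, path: str) -> str:
    """Base string URI: lowercase scheme and host, default port omitted, query dropped."""
    scheme = scheme.lower()
    host, _, port = host_header.strip().lower().partition(":")
    if port and port != {"http": "80", "https": "443"}[scheme]:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{path}"

def normalize_parameters(query: str, oauth_params: dict) -> str:
    """Decode, re-encode, sort by name then value, join as k=v&k=v (oauth_signature excluded)."""
    pairs = [(oauth_encode(k), oauth_encode(v))
             for k, v in urllib.parse.parse_qsl(query, keep_blank_values=True)]
    pairs += [(oauth_encode(k), oauth_encode(v))
              for k, v in oauth_params.items() if k != "oauth_signature"]
    return "&".join(f"{k}={v}" for k, v in sorted(pairs))

def signature_base_string(method: str, scheme: str, host_header: str,
                          request_target: str, oauth_params: dict) -> str:
    """SBS = METHOD & encode(base URI) & encode(normalized parameters)."""
    path, _, query = request_target.partition("?")
    return "&".join([method.upper(),
                     oauth_encode(normalize_base_uri(scheme, host_header, path)),
                     oauth_encode(normalize_parameters(query, oauth_params))])

def sbs_for_host_header(host_header: str) -> str:
    """The SBS a downstream server rebuilds from whatever Host header reaches it."""
    return signature_base_string(METHOD, "http", host_header, REQUEST_TARGET, OAUTH_PARAMS)

if __name__ == "__main__":
    # Host as the client sent it, as a proxy might rewrite it, and on a non-default port
    for h in ("example.com", "EXAMPLE.COM:80", "example.com:8080"):
        print(f"{h:18} -> {sbs_for_host_header(h)}")
```

The first two host headers yield an identical SBS, so the downstream signature check still passes; the third changes the base URI, which is the case a proxy must not introduce.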
Received on Tuesday, 10 March 2009 15:30:54 UTC