Kong / mashape-oauth

OAuth Modules for Node.js - Supporting RSA, HMAC, PLAINTEXT, 2,3-Legged, 1.0a, Echo, XAuth, and 2.0
http://oauthbible.com
MIT License

support oauth_body_hash extension #13

Closed lifecube closed 9 years ago

lifecube commented 9 years ago

According to the OAuth 1.0 Core specification [1], the integrity of the HTTP request body is only guaranteed when application/x-www-form-urlencoded is used. Support for integrity checks of HTTP request bodies with other types of encoding is covered by the 'OAuth Request Body Hash' extension [2]. According to part 4.1.1 [3] of the extension specification, the extended behaviour is not required.

[1] http://oauth.net/core/1.0a/ [2] http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html#anchor7 [3] http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html#when_to_include

nijikokun commented 9 years ago

4. Sign the request as per [OAuth Core 1.0] section 9. The oauth_body_hash parameter MUST be included in the Signature Base String together with the other request parameters.

Seems to say that the other parameters should be present as well when signing.

Just from a quick glance.

lifecube commented 9 years ago

I think what they are referring to is URL GET parameters, not the parameters in the body.

  • OAuth Consumers MUST NOT include an oauth_body_hash parameter on requests with form-encoded request bodies.
  • OAuth Consumers SHOULD include the oauth_body_hash parameter on all other requests.

The presence or absence of the oauth_body_hash parameter is used to indicate to Service Providers how they should check the integrity of the request body. If no oauth_body_hash parameter is present, that indicates that the request body is form-encoded and signed using the OAuth Core signature algorithm. If the oauth_body_hash parameter is present, the body is signed according to this extension. Including an oauth_body_hash on form-encoded requests would make it impossible for Service Providers to determine which body signing mechanism was used for the request. This ambiguity would, in turn, allow the attack described in Appendix D.

The real example I can give you is the MasterCard Open API, which includes URL parameters along with XML-formatted body content.

You will see that the OAuth signature base string will be different from what they expect if you don't omit the body.

lifecube commented 9 years ago

Also you can see from OAuth Core 1.0

The request parameters are collected, sorted and concatenated into a normalized string:

  • Parameters in the OAuth HTTP Authorization header excluding the realm parameter.
  • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded).
  • HTTP GET parameters added to the URLs in the query part (as defined by [RFC3986] section 3).

The oauth_signature parameter MUST be excluded.

The changes shift the liability to developers, who need to provide the oauth_body_hash correctly.

But actually, if the POST request body is not application/x-www-form-urlencoded, the whole body should be omitted from the signature base string.

nijikokun commented 9 years ago

But actually, if the POST request body is not application/x-www-form-urlencoded, the whole body should be omitted from the signature base string.

You're right, I forgot to update my comment earlier, I had just woken up.