oauth_token_secret is sent in the URI/Headers

[GoogleCodeExporter]

Using the latest source in TRUNK.

When accessing a protected resource the library sends the
oauth_token_secret in the URI, or in the case of header based
authentication its sends it in the header.

oauth_token_secret should not be included in any requests to the provider
[1], this data is sensitive, and in the case of desktop applications where
the consumer secret is not secure it would allow an attacker to obtain
access to protected resources.

--- OAuth HTTP Request with the library ---
GET /statuses/friends_timeline.xml?count=50&since_id=1 HTTP/1.1
Authorization: OAuth
oauth_token="10471832-XMtqq0fl5bpFI5aiJjeopon4QpL9jcwRBwspyf...",oauth_token_sec
ret="vAwMlDtkbtkjxjtZhz8x3ngw4Vk3ZmvpHDAhVuMw",oauth_nonce="ac4cdbe3-98db-4017-a
9b3-e62ceb5eaf17",oauth_consumer_key="OxuuZnHZuTr6ZxjrL3yzQ",oauth_signature_met
hod="HMAC-SHA1",oauth_timestamp="1237476772",oauth_version="1.0",oauth_signature
="j29o0oSQhwW5yel7Vb9L7AeI8ks%3D"
Host: twitter.com
Connection: Keep-Alive
--- End of Request ---

I worked around this by editing line 235 and line 291 of OAuthContext.cs to
exclude Parameters.OAuth_Token_Secret:
AuthorizationHeaderParameters.ToQueryParameters().Where(q => q.Key !=
Parameters.Realm && q.Key != Parameters.OAuth_Token_Secret)

1. http://oauth.net/core/1.0/#anchor13

Original issue reported on code.google.com by j...@6bit.com on 19 Mar 2009 at 7:55

[GoogleCodeExporter]

This is a MAJOR flaw if this is valid. Are there truly no good or even working 
.Net
implementation of OAuth?

Original comment by kvnsmo...@gmail.com on 21 Apr 2009 at 2:42

[GoogleCodeExporter]

This issue was resolved a while ago, though the use of the method call: 
AuthorizationHeaderParameters.ToQueryParametersExcludingTokenSecret();

Original comment by bitterco...@gmail.com on 6 Apr 2010 at 8:03

• Changed state: Fixed