author | Jordan <ngoue@users.noreply.github.com> | 2018-08-30 10:03:56 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-08-30 10:03:56 -0600 |
commit | a839bc209c28721ff10bc3b55e065ab7e0a84931 (patch) | |
tree | 2d7660a0e367a7576b1a891c14ec79975061ac78 /docs | |
parent | f3d3eb9efd81459be48b052e172ffa5f76a7a445 (diff) | |
Mention `oauth_body_hash` in OAuth1 client docs
While the previous documentation was not wrong in that non-formencoded data are not included in the signature for traditional OAuth1 service providers, the library does still include an `oauth_body_hash` for non-formencoded data.
Update the documentation to include mention of the `oauth_body_hash` with a notice that validation of said parameter may not be supported by all service providers, but will nevertheless provide an additional integrity check for those that do support it.
Diffstat (limited to 'docs')
-rw-r--r-- | docs/oauth1/client.rst | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/docs/oauth1/client.rst b/docs/oauth1/client.rst index 741374e..ec6bdd7 100644 --- a/docs/oauth1/client.rst +++ b/docs/oauth1/client.rst @@ -52,15 +52,23 @@ Using the Client **Request body** The OAuth 1 spec only covers signing of x-www-url-formencoded information. - If you are sending some other kind of data in the body (say, multipart file - uploads), these don't count as a body for the purposes of signing. Don't - provide the body to Client.sign() if it isn't x-www-url-formencoded data. For convenience, you can pass body data in one of three ways: * a dictionary * an iterable of 2-tuples * a properly-formatted x-www-url-formencoded string + + If you are sending some other kind of data in the body, an additional + `oauth_body_hash` parameter will be included with the request. This parameter + provides an integrity check on non-formencoded request bodies. + + *IMPORTANT* This extension is forward compatible: Service Providers that + have not implemented this extension can verify requests sent by Consumers + that have implemented this extension. If the Service Provider implements + this specification the integrity of the body is guaranteed. If the + Service Provider does not check body signatures, the remainder of the + request will still validate using the OAuth Core signature algorithm. **RSA Signatures** |
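Review bot: The added paragraph after the bullet list drops the old instruction "Don't provide the body to Client.sign() if it isn't x-www-url-formencoded data" without saying what to do instead, so a reader cannot tell whether a non-formencoded body now has to be passed to Client.sign() for `oauth_body_hash` to be included; state that explicitly, along with any conditions under which the parameter is added. The *IMPORTANT* paragraph refers to "this extension" and "this specification" without ever naming or linking it, so name the extension where `oauth_body_hash` is first mentioned. Style: in reStructuredText, single backticks around `oauth_body_hash` produce interpreted text rather than an inline literal; use double backticks, and consider a proper important or note directive in place of the bare *IMPORTANT* emphasis.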