OAuth1 server support, RSA-SHA1 signature method and important bug fixes #4
This pull request makes changes to allow OAuth1 servers to be implemented using the library (i.e. not just OAuth clients), and implements the RSA-SHA1 signature method.
It also fixes several bugs. The most significant is that it replaces the usage of Uri.encodeComponent with a correct implementation of the percent-encoding algorithm from section 3.6 of RFC 5849. When the parameters contained certain characters, it wasn't producing the correct signature base string and therefore didn't produce the correct signatures.
Also, parameters now support multiple values correctly. Previously, the library would discard/ignore multiple values with the same parameter name and produce the wrong signature, so the requests would be rejected by correctly implemented OAuth1 servers.
Changes
I've tried to keep the changes backward compatible, but this was not possible in some cases.
Most of the changes have been made to the "AuthorizationRequest" class, and that was an internal class, so most users of the library should not be greatly affected. The class used to be called AuthorizationHeader, but that was not technically correct: the signed parameters do not just come from the header, and OAuth protocol parameters do not have to be transmitted in an HTTP Authorization header. The new name makes more sense for both clients and servers.
Client credentials for RSA-SHA1 were also tricky. The old classes worked for a shared secret, which is the same for both the client and server, but they don't work when the client must have one type of credential (RSA private key) and the server must have a different type of credential (RSA public key).
Issues
RSA-SHA1 requires an implementation of RSA. The pointycastle package was used for this.
The problem is that the package is large, which makes command line Dart programs take about 2 seconds longer to start up. This is an unnecessary impact on programs that don't use RSA-SHA1.
The problem might not be so bad for Web applications, since Dart's tree-shaking JavaScript compiler might be able to exclude the RSA code if it doesn't get used (this needs to be checked).
I think a better solution is to refactor the RSA-SHA1 implementation into its own package. But to do this elegantly, breaking changes will be needed for the ClientCredentials and SignatureMethod classes.
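The two signature bugs the description above attributes to the old code (encodeURIComponent-style percent-encoding, and collapsing repeated parameter names) are easiest to see by building the RFC 5849 signature base string by hand. The following is an added example written for this page, not code from the PR or from the Dart library, and it is in Python against the RFC text rather than against the library's API, which this page does not show; every function name here is the example's own. The sample request is the one printed in RFC 5849 section 3.4.1.1, so the expected base string is the RFC's. `encode_uri_component_like` is an assumed mimic of what Dart's `Uri.encodeComponent` does per its documentation (it follows ECMAScript `encodeURIComponent`, which leaves `!*'()` unencoded); `normalize_parameters_collapsing` reproduces the dict-keyed behaviour the PR describes. The HMAC-SHA1 verifier at the end is the server-side check the PR's new server support would need, using a constant-time comparison.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_' and '~' pass through.
# Every other character is UTF-8 encoded and each byte written as %XX, uppercase hex.
_OAUTH_UNRESERVED = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def oauth_percent_encode(value: str) -> str:
    """Percent-encode exactly as RFC 5849 section 3.6 requires."""
    return "".join(
        chr(b) if b in _OAUTH_UNRESERVED else "%%%02X" % b
        for b in value.encode("utf-8")
    )


def encode_uri_component_like(value: str) -> str:
    """Assumed mimic of encodeURIComponent-style encoders (e.g. Dart's Uri.encodeComponent),
    which also leave ! * ' ( ) unencoded. Here only to show the discrepancy; not for OAuth."""
    safe = _OAUTH_UNRESERVED | frozenset(b"!*'()")
    return "".join(chr(b) if b in safe else "%%%02X" % b for b in value.encode("utf-8"))


def normalize_parameters(params):
    """RFC 5849 section 3.4.1.3.2: encode each name and value, sort by encoded name then
    encoded value, join as name=value with '&'. Input is a list of pairs, so repeated
    names are kept, not collapsed."""
    encoded = sorted((oauth_percent_encode(k), oauth_percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def normalize_parameters_collapsing(params):
    """The bug the PR describes: keying by name keeps only the last value per name, so the
    client signs a different base string than the server computes from the real request."""
    return normalize_parameters(list(dict(params).items()))


def base_string_uri(url: str) -> str:
    """RFC 5849 section 3.4.1.2: lowercase scheme and host, drop default ports and the
    query and fragment, keep the path."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    authority = parts.hostname.lower()
    if parts.port is not None and parts.port != {"http": 80, "https": 443}.get(scheme):
        authority = f"{authority}:{parts.port}"
    return f"{scheme}://{authority}{parts.path}"


def signature_base_string(method, url, oauth_params, body=""):
    """RFC 5849 section 3.4.1.1: METHOD & encode(base URI) & encode(normalized params).
    Parameters come from the query string, a form-encoded body and the OAuth protocol
    parameters; oauth_signature and realm are never part of the base string."""
    collected = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    collected += parse_qsl(body, keep_blank_values=True)
    collected += [(k, v) for k, v in oauth_params if k not in ("oauth_signature", "realm")]
    return "&".join([
        method.upper(),
        oauth_percent_encode(base_string_uri(url)),
        oauth_percent_encode(normalize_parameters(collected)),
    ])


def hmac_sha1_signature(base_string, client_secret, token_secret=""):
    """RFC 5849 section 3.4.2: key is encode(client secret) '&' encode(token secret)."""
    key = f"{oauth_percent_encode(client_secret)}&{oauth_percent_encode(token_secret)}"
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_hmac_sha1(base_string, client_secret, token_secret, presented_signature):
    """Server side: recompute from the received request and compare in constant time."""
    expected = hmac_sha1_signature(base_string, client_secret, token_secret)
    return hmac.compare_digest(expected, presented_signature)


# Sample request reproduced from the example in RFC 5849 section 3.4.1.1.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH_PARAMS = [
    ("oauth_consumer_key", "9djdj82h48djs9d2"),
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
]
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q"
    "%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_"
    "key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m"
    "ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk"
    "9d7dh3k39sjv7"
)

if __name__ == "__main__":
    base = signature_base_string("POST", RFC_URL, RFC_OAUTH_PARAMS, RFC_BODY)
    print("matches RFC example:", base == RFC_BASE_STRING)
    print("RFC 3.6 :", oauth_percent_encode("r b!(c)"))
    print("JS-style:", encode_uri_component_like("r b!(c)"))
    print("collapsed:", normalize_parameters_collapsing([("a3", "a"), ("a3", "2 q")]))
```

Note that `parse_qsl` is used for the query and body because RFC 5849 section 3.4.1.3.1 decodes them as application/x-www-form-urlencoded (so `+` is a space) before the OAuth re-encoding; feeding already-encoded strings straight into `normalize_parameters` would double-encode them. The RFC's example request carries `a3` both in the query and in the body, which is exactly the case that a name-keyed implementation gets wrong.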