There’s a great discussion taking place on the OAuth list around how to make it easier to deploy. It was started with a post by Kent Brewster lamenting the problems he ran into. His post is a fun read; I’ve only snipped the top-level bullets:
- My Timestamp was Stale
- The Parameters in my Signature Base String were Out of Alphabetical Order
- I Forgot a Question-Mark between my Request and my OAuth Payload
- I Didn’t URL-Encode my Signature
- I Didn’t URL-Encode All Illegal Characters
- I URL-Encoded the Ampersands Separating my Method, URL, and Request Parameters
- I Didn’t Append an Ampersand to my Consumer Secret to Make my Signature Key
- I Used the Same Nonce, Over and Over and Over Again
- I Generated a Random Nonce, but (you guessed it) Failed to URL-Encode It
- And, Finally: I URL-Encoded my Signature Key
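Every item in that list is a step in building the OAuth 1.0 signature base string, the signing key, or the freshness checks on the other end, so here is the whole procedure in working code. This is an added example, not code from Kent's post or from the OAuth list thread: the helper names, the 300-second timestamp window, the nonce replay cache and the demo credentials are my own choices. The base-string inputs in the usage note follow the worked example in RFC 5849 section 3.4.1.1; the expected output is what the RFC's own encoding rules produce, which is why the key `c@` ends up as `c%2540` after the second encoding pass.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 signing and verification, one function per pitfall.

Added example: helper names, the replay window and the demo credentials are
constructed for this walk-through and are not from the post or the OAuth list.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote


def pct(s: str) -> str:
    """RFC 3986 percent-encoding: only ALPHA / DIGIT / - . _ ~ survive, hex digits upper-case."""
    return quote(s, safe="-._~")


def normalized_params(query: str, body: str, oauth: dict) -> str:
    """Collect, encode, sort and join every parameter that is covered by the signature."""
    # parse_qsl undoes %XX and '+', so each key and value is encoded exactly once below.
    pairs = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth.items() if k not in ("realm", "oauth_signature")]
    # Sort by encoded key, then by encoded value (duplicate keys such as a3 are allowed).
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, base_url: str, query: str, body: str, oauth: dict) -> str:
    """METHOD & pct(base URL) & pct(normalized params); base_url is scheme://host/path only."""
    # The three pieces are joined by literal ampersands and each is encoded once more, so
    # '=' and '&' inside the parameter string become %3D and %26, and '%' becomes %25.
    return "&".join([method.upper(), pct(base_url), pct(normalized_params(query, body, oauth))])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """pct(consumer secret) & pct(token secret); the '&' stays even with no token secret yet."""
    return pct(consumer_secret) + "&" + pct(token_secret)


def hmac_sha1(base: str, key: str) -> str:
    """Base64(HMAC-SHA1(key, base)). The result still needs pct() before it goes into a header."""
    mac = hmac.new(key.encode("ascii"), base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_request(method, base_url, query, body, consumer_key, consumer_secret,
                 token="", token_secret="", realm="", now=None, nonce=None):
    """Client side: fresh timestamp and nonce, then the Authorization header value."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),  # unique per (consumer key, timestamp)
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time() if now is None else now)),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, base_url, query, body, oauth)
    oauth["oauth_signature"] = hmac_sha1(base, signing_key(consumer_secret, token_secret))
    header = ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())  # each value encoded once
    if realm:
        header = f'realm="{realm}", ' + header
    return "OAuth " + header, oauth


class Verifier:
    """Server side: timestamp window, nonce replay cache, constant-time signature compare."""

    def __init__(self, secrets_by_consumer: dict, window_seconds: int = 300):
        self.secrets_by_consumer = secrets_by_consumer  # consumer_key -> (consumer_secret, token_secret)
        self.window = window_seconds                    # assumed tolerance for clock skew
        self.seen = set()                               # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, base_url, query, body, oauth: dict, now=None) -> bool:
        now = time.time() if now is None else now
        creds = self.secrets_by_consumer.get(oauth.get("oauth_consumer_key"))
        if creds is None:
            return False
        ts = int(oauth["oauth_timestamp"])
        if abs(now - ts) > self.window:
            return False  # stale timestamp
        replay_key = (oauth["oauth_consumer_key"], ts, oauth["oauth_nonce"])
        if replay_key in self.seen:
            return False  # same nonce with the same timestamp: replay
        base = signature_base_string(method, base_url, query, body, oauth)
        expected = hmac_sha1(base, signing_key(*creds))
        if not hmac.compare_digest(expected, oauth["oauth_signature"]):
            return False  # every encoding and ordering mistake in the list above lands here
        self.seen.add(replay_key)
        return True


if __name__ == "__main__":
    # Demo with placeholder credentials; the server holds the same secrets as the client.
    server = Verifier({"dpf43f3p2l4k3l03": ("kd94hf93k423kf44", "pfkkdhi9sl3r4s00")})
    url, query = "http://photos.example.net/photos", "file=vacation.jpg&size=original"
    header, params = sign_request("GET", url, query, "", "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                                  token="nnch734d00sl2jdk", token_secret="pfkkdhi9sl3r4s00")
    print("Authorization:", header)
    print("accepted:", server.verify("GET", url, query, "", params))
    print("replay accepted:", server.verify("GET", url, query, "", params))
```

Feeding the RFC 5849 section 3.4.1.1 request into `signature_base_string("POST", "http://example.com/request", "b5=%3D%253D&a3=a&c%40=&a2=r%20b", "c2&a3=2+q", ...)` with the header's `oauth_*` fields (and `realm` left out) produces `POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D...`. Note that `base_url` must already be normalized (lower-case scheme and host, default port dropped, no query string); the signature covers the query through the parameter list instead, which is the point of the missing question mark in the list above.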
That post sparked a note by Chris Messina asking others if their experience is similar. What follows, then, is a useful thread on what might help make it easier for others.
The reason I find this interesting? Because, IMO, focus on this type of work is what will help move the ball forward. Whether it’s OAuth, OpenID, SAML, InfoCards, or whatever, these are solutions that interface with real people doing real code. The easier the deployment, the fewer the mistakes and the more time to focus on security over syntax, etc.
…and happier coders.