Michael Stum

Reputation: 180944

What is the idea behind hashing the QueryString in OAuth?

In OAuth 1.0a and 2.0 using MAC Authorization, I need to generate a hash of all the QueryString Parameters, which requires normalization (alphabetical ordering) of them.

I'm trying to understand what this offers from a security perspective over just generating a hash of Secret Key + Nonce + Timestamp?

My guess is that the additional entropy makes it harder to brute force the secret key, but I'm not really sure if that is the case.

Does anyone know what QueryString hashing offers in terms of security on top of simpler hashing?

Upvotes: 4

Views: 82

Answers (1)

Michael Stum

Reputation: 180944

I asked @eranhammer on Twitter and the idea is to protect the URL from tampering.

Upvotes: 1
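The tamper protection mentioned in the answer, as an added example that is not part of the original post or of any OAuth library. It is a simplified sketch, not the exact OAuth 1.0a signature base string or the MAC draft's layout: the HMAC-SHA256 choice, the field order, the key, and the URLs are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

SECRET = b"constructed-demo-secret"  # constructed sample key


def normalize_params(query: str) -> str:
    """Percent-encode each pair, sort by name then value, and join with '&'."""
    pairs = parse_qsl(query, keep_blank_values=True)
    encoded = sorted((quote(k, safe="-._~"), quote(v, safe="-._~")) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def sign_nonce_only(nonce: str, timestamp: str) -> str:
    """Scheme from the question: MAC over nonce and timestamp only."""
    msg = f"{nonce}\n{timestamp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_request(method: str, url: str, nonce: str, timestamp: str) -> str:
    """MAC that also covers method, host, path and the normalized query."""
    parts = urlsplit(url)
    msg = "\n".join([method.upper(), parts.netloc.lower(), parts.path,
                     normalize_params(parts.query), nonce, timestamp]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify(expected: str, received: str) -> bool:
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    nonce, ts = "n-7f3a", "1700000000"  # constructed values
    sent = "https://api.example.com/transfer?to=alice&amount=10"
    altered = "https://api.example.com/transfer?to=alice&amount=9999"  # changed in transit
    reordered = "https://api.example.com/transfer?amount=10&to=alice"
    weak_sig = sign_nonce_only(nonce, ts)
    full_sig = sign_request("GET", sent, nonce, ts)
    return {
        # The server recomputes the MAC from what it received.
        "nonce_only_accepts_altered": verify(sign_nonce_only(nonce, ts), weak_sig),
        "full_accepts_altered": verify(sign_request("GET", altered, nonce, ts), full_sig),
        "full_accepts_reordered": verify(sign_request("GET", reordered, nonce, ts), full_sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The nonce-only MAC still verifies after a parameter value is changed because the parameters were never part of the signed message, while the normalization step lets a legitimately reordered query verify against the same signature.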
