SHA1 is the signature method mentioned in the OAuth 1.0 specification and is by far the most widely used signature method among OAuth APIs.

Our OAuth module instead has SHA512 as default and we're pretty unique to have it that way. Even OAuth 2.0 is only suggested to have SHA256.

To make the OAuth module behave more in line with the rest of the OAuth world, I suggest we change the default signature method for OAuth 1.0 to be the one mentioned in its specification - SHA1. This should cause less confusion when trying to consume other APIs as well as when others are trying to consume our APIs.

Any thoughts? Would this be a good or a bad change?
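The interoperability problem raised above, as an added example that is not part of the original post or the module's code: an OAuth 1.0 request signed with one HMAC digest is refused by a provider configured for another. The URL, keys, secret and the `HMAC-SHA512` method name are assumptions made for the illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Method names mapped to digests. "HMAC-SHA512" as a method name is an assumption
# for this example; OAuth 1.0 itself defines HMAC-SHA1, RSA-SHA1 and PLAINTEXT.
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA512": hashlib.sha512}

def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(http_method, url, params):
    # Encode and sort the parameters, join them, then join with method and URL.
    # The URL is assumed to be already normalized (no query string, lowercase host).
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([http_method.upper(), pct(url), pct(normalized)])

def sign(http_method, url, params, consumer_secret, token_secret=""):
    digest = DIGESTS[params["oauth_signature_method"]]
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(http_method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, digest).digest()).decode()

def verify(http_method, url, params, signature, consumer_secret, accepted):
    # Provider side: refuse methods outside the configured set, then compare
    # the recomputed signature in constant time.
    if params.get("oauth_signature_method") not in accepted:
        return False
    expected = sign(http_method, url, params, consumer_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample request and secret, not taken from any real API.
URL = "https://api.example.com/resource"
SECRET = "constructed-consumer-secret"
SHA1_REQ = {"oauth_consumer_key": "ck-constructed", "oauth_nonce": "n0nce",
            "oauth_timestamp": "1300000000", "oauth_version": "1.0",
            "oauth_signature_method": "HMAC-SHA1", "q": "a b"}
SHA512_REQ = dict(SHA1_REQ, oauth_signature_method="HMAC-SHA512")

if __name__ == "__main__":
    for req in (SHA1_REQ, SHA512_REQ):
        sig = sign("GET", URL, req, SECRET)
        ok = verify("GET", URL, req, sig, SECRET, accepted={"HMAC-SHA1"})
        print(req["oauth_signature_method"], len(base64.b64decode(sig)), "bytes, accepted:", ok)
```

A client that signs with its own default must also declare that method in `oauth_signature_method`; the provider decides from that parameter whether to accept the request at all.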

Comments

voxpelli’s picture

Version: 6.x-3.0-beta1 » 6.x-3.0-beta3
Assigned: Unassigned » voxpelli
Priority: Normal » Major
Issue tags: +OAuth 3.x Stable

Need to get this in prior to stable release - if anyone objects, now is the time to say so.

litwol’s picture

Status: Active » Reviewed & tested by the community

This has been over a month now. Set the new default and let's close this.

voxpelli’s picture

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)
Issue tags: -OAuth 3.x Stable

Automatically closed -- issue fixed for 2 weeks with no activity.