Forum OpenACS Development: Strict RFC 3986 url encoding

Posted by Guan Yang on

While implementing client support for OAuth authentication for Twitter, I needed a url encoding procedure that strictly conforms to RFC 3986, which ns_urlencode and ad_urlencode do not. This is necessary for the HMAC signatures used in OAuth. RFC 3986 only has four reserved characters apart from ASCII letters and numbers: _.-~

Here's the code I used, in case anyone else needs it in the future:

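    # Start from the ns_urlencode output, then restore the characters that
    # must stay unencoded and turn "+" (an encoded space) into %20
    set enc [ns_urlencode $string]
    set enc [string map -nocase {%2d - %5f _ %2e . + %20 %7e ~} $enc]

    # Capitalize the hex digits of the remaining percent-escapes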
    set map [list]
    foreach {m c} [regexp -all -inline {%([a-f][0-9a-f]|[0-9a-f][a-f])} $enc] {
        if { ![info exists matched($m)] } {
            lappend map $m [string toupper $m]
            set matched($m) ""
        }
    }
    set enc [string map $map $enc]

There's probably a better way of capitalizing the codes.
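
As an added example that is not part of the original posts or of the OpenACS/NaviServer code: a pure-Tcl encoder for the unreserved set of RFC 3986 section 2.3, and the RFC 5849 signature base string that depends on it. The proc names `rfc3986_encode` and `oauth1_base_string`, the URL and all parameter values are constructed for illustration.

```tcl
# Added example, not code from the thread. Runs in plain tclsh; proc names
# and sample values are constructed for illustration.

# Percent-encode every byte outside the RFC 3986 section 2.3 unreserved set
# (ALPHA / DIGIT / "-" / "." / "_" / "~"), with uppercase hex digits.
proc rfc3986_encode {string} {
    set out ""
    # Encode the UTF-8 bytes, not the Unicode code points.
    foreach byte [split [encoding convertto utf-8 $string] ""] {
        if {[regexp {^[A-Za-z0-9._~-]$} $byte]} {
            append out $byte
        } else {
            scan $byte %c code
            append out [format %%%02X $code]
        }
    }
    return $out
}

# Signature base string per RFC 5849 section 3.4.1. Assumes $url is already
# the base string URI (no query string) and $params is a flat name/value list
# holding every query, body and oauth_* parameter except oauth_signature.
proc oauth1_base_string {method url params} {
    set pairs [list]
    foreach {name value} $params {
        lappend pairs [list [rfc3986_encode $name] [rfc3986_encode $value]]
    }
    # Sort by encoded name, ties broken by encoded value (lsort is stable).
    set joined [list]
    foreach pair [lsort -index 0 [lsort -index 1 $pairs]] {
        lappend joined [join $pair =]
    }
    # The joined parameter string is encoded a second time as one component.
    return [join [list [string toupper $method] [rfc3986_encode $url] \
        [rfc3986_encode [join $joined &]]] &]
}

# Constructed sample input (placeholder key, nonce and timestamp).
set params [list \
    status "caf\u00e9 ~ 100% + fun!" \
    oauth_consumer_key example-key \
    oauth_nonce abc123 \
    oauth_signature_method HMAC-SHA1 \
    oauth_timestamp 1300000000 \
    oauth_version 1.0]
puts [rfc3986_encode "caf\u00e9 ~ 100% + fun!"]
puts [oauth1_base_string post https://api.example.com/1/update.json $params]
```

The server rebuilds this string from the request it received, so lowercase hex digits or "+" for a space on either side produce a different HMAC and a rejected request.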

Posted by Dave Bauer on
Hmmm

Reading the RFC

    reserved    = gen-delims / sub-delims

    gen-delims  = ":" / "/" / "?" / "#" / "[" / "]" / "@"

    sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
                / "*" / "+" / "," / ";" / "="

It looks like all those are reserved.

Do you have a reference to what reserved characters you are referring to?

Thanks
Dave

Posted by Guan Yang on
I think I should have said “unreserved characters”. They are in section 2.3:

    unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"

Posted by Dave Bauer on
Ah ok, that makes more sense. Thanks!!

Posted by Dave Bauer on
Hi,

Can you share your OAuth Code?

Posted by Steffen Tiedemann Christensen on
Hey Dave,

Are you looking for a client implementation of OAuth 1.0a or for something broader?

(Actually Guan's project ended up in both a server and client side library, so there's something to share at least -- we've just never cleaned it up sufficiently to do so. This would serve as a good opportunity.)

Steffen

Posted by Dave Bauer on
Hi,

Any updates on this? Did you ever implement OAuth 2?

Has anyone else implemented OAuth 2 as now required by most services?

Posted by Guan Yang on
I haven't seen anything, but OAuth 2 should be much easier because there's no special signature generation required. You just open an HTTPS connection and pass the token.

Posted by Gustaf Neumann on
Just a side note to this old thread: NaviServer has for many years supported different variants of URL encodings (percent-encodings), such as the classical ones (RFC 3986), the variants for cookies (RFC 6265), or the encoding required for OAuth 1 (RFC 5849). The variant of encoding can be specified via the "-part" option (kept for backwards compatibility).