If I am using 2-legged OAuth to authorize HTTP requests that contain XML in the body, where do the OAuth parameters go?
Should they be HTTP Headers or should they be form parameters?
If they were form parameters, wouldn't that conflict with the fact that the content is XML?
If they were HTTP Headers, would that violate the OAuth specification?
edit: Should I put them in the actual XML?
Note: 2-legged OAuth simply means it does not need to worry about request tokens, it is just a single call alternative to HTTP Basic authentication... there is incoming data like this:
oauth_consumer_key: dpf43f3p2l4k3l03 oauth_token: (Empty value) oauth_signature_method: HMAC-SHA1 oauth_timestamp: 1191242096 oauth_nonce: kllo9940pd9333jh oauth_version: 1.0
You should put the parameters into the authorization header. OAuth has a spec for it.