I'm creating an OAuth protocol library on ASP.NET MVC and I've found something that surprised me.
In the OAuth authentication dance, you often have to send URL-encoded strings to a remote server in order to get authorization from users of that server for your app. For obvious security reasons, those strings have to be signed using a hashing algorithm (usually HMAC-SHA1).
These strings include the URL-encoded HTTP request to the target URL on the remote server, and here comes the problem. I've checked that HttpUtility.UrlEncode returns the URL-encoded entities in lowercase. I mean, if your URL includes "=", it will be transformed into "%3d".
Usually this shouldn't be a problem, but when I sign my encoded URL with HMAC-SHA1 the result obviously varies from %3d to %3D, and I've found that several servers (LinkedIn, for example) expect the URL encoding in requests made to their servers to be in uppercase.
As a result, the signed hashed string that I send doesn't match the one that the server expects (due to characters being in lowercase at the source and uppercase at the destination) and the authorization dance stops with an error.
I've fixed this with some very inelegant replaces on the string before signing, as I can't simply turn my whole string into uppercase, but I'm wondering if ASP.NET provides a smoother way to turn those URL-encoded entities to uppercase.
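The mismatch described above, as an added example that is not part of the original post: OAuth 1.0 (RFC 5849, section 3.6) requires uppercase hex digits in percent-escapes, so the sketch below encodes the signature base string with its own encoder and shows that lowercasing the escapes yields a different HMAC-SHA1 value. The class name, endpoint, parameters and secret are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

static class OAuthSigning
{
    // RFC 3986 unreserved set; every other byte becomes %XX.
    const string Unreserved =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

    // Percent-encode the UTF-8 bytes of value with uppercase hex digits.
    public static string PercentEncode(string value)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(value))
        {
            if (Unreserved.IndexOf((char)b) >= 0) sb.Append((char)b);
            else sb.Append('%').Append(b.ToString("X2"));
        }
        return sb.ToString();
    }

    // HMAC-SHA1 over the base string, Base64-encoded as OAuth 1.0 expects.
    public static string Sign(string baseString, string key)
    {
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    static void Main()
    {
        // Constructed sample values: not a real endpoint, nonce or secret.
        string url = "https://api.example.com/oauth/request_token";
        string parameters = "oauth_nonce=abc123&oauth_timestamp=1300000000";
        string key = "sample-consumer-secret&";

        string upper = "POST&" + PercentEncode(url) + "&" + PercentEncode(parameters);
        // Same base string with lowercase escapes, the casing the post reports.
        string lower = Regex.Replace(upper, "%[0-9A-F]{2}", m => m.Value.ToLowerInvariant());

        Console.WriteLine(upper + "\n  -> " + Sign(upper, key));
        Console.WriteLine(lower + "\n  -> " + Sign(lower, key));
        Console.WriteLine("Signatures match: " + (Sign(upper, key) == Sign(lower, key)));
    }
}
```

Encoding with a dedicated routine before signing avoids post-hoc string replacement, and the server's recomputed signature will only match when both sides build the base string with the same escape casing.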