If I am using 2-legged OAuth to authorize HTTP requests that contain XML in the body, where do the OAuth parameters go?

Should they be HTTP Headers or should they be form parameters?

If they were form parameters, wouldn't that conflict with the fact that the content is XML?

If they were HTTP Headers, would that violate the OAuth specification?

edit: Should I put them in the actual XML?

Note: 2-legged OA开发者_开发技巧uth simply means it does not need to worry about request tokens, it is just a single call alternative to HTTP Basic authentication... there is incoming data like this:

 oauth_consumer_key:
        dpf43f3p2l4k3l03 
    oauth_token:
        (Empty value) 
    oauth_signature_method:
        HMAC-SHA1 
    oauth_timestamp:
        1191242096 
    oauth_nonce:
        kllo9940pd9333jh 
    oauth_version:
        1.0 

You should put the parameters into the authorization header. OAuth has a spec for it.