[ANNOUNCE] Fixed OAuth Multipart signatures

Aaron Gardner

Jun 30, 2011, 4:48:50 PM
to etsy-...@googlegroups.com
Hi all,

We just fixed the API so OAuth calls that make Multipart requests --
usually image uploads -- properly calculate the OAuth signature.

This means the API no longer rejects (with status 403) valid,
properly-signed OAuth Multipart calls.

Specifically, request parameters passed in the body of Multipart OAuth
requests are now excluded from the signature, as per the OAuth 1.0
spec: http://tools.ietf.org/html/rfc5849#section-3.4.1.3

As James mentioned yesterday, if your app needs the old incorrect
signature behavior, you can manually force this to happen by passing
an extra query string parameter "sbs_modified=1". Eventually we will
deprecate this flag.

By default all OAuth calls use the new correct Multipart signature behavior.

Thank you for your patience while we developed and tested this fix.

Best regards,
Aaron Gardner
Developer API Team
Etsy.com


> On Wed, Jun 29, 2011 at 6:22 PM, James Lee <jl...@etsy.com> wrote:
>>
>> Hi All,
>>
>> At this time, we are still working hard to resolve the issue with
>> invalid signatures.  As several have pointed out, we are incorrectly
>> including non-file multipart parameters in the signature, which does
>> not follow the OAuth specification:
>> http://tools.ietf.org/html/rfc5849#section-3.4.1.3
>>
>> As Justin mentioned, we are relying on the PECL OAuth library, which
>> as of version 1.2, released just Monday, still appears to contain this
>> bug.
>>
>> We estimate this may take us an additional two days to resolve.
>> Meanwhile, if it's possible to include the non-file multipart
>> parameters in your signature, you can do so as a temporary
>> workaround.  For those that choose to create a temporary workaround,
>> please pass an additional GET parameter, "sbs_modified=1" (signature
>> base string modified).  When our fix is deployed, that will allow us
>> to identify modified signatures and to transparently allow them
>> through while fixing calls that are currently failing.
>>
>> Thank you all for your patience.
>>
>> James Lee
>> Developer API Team
>> Etsy.com
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Etsy API V2" group.
>> To post to this group, send email to etsy-...@googlegroups.com.
>> To unsubscribe from this group, send email to
>> etsy-api-v2...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/etsy-api-v2?hl=en.
>>
>
>
>
> --
> David Olick
> CTO
> Oriku Inc.
>
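The signature rule discussed in this thread, as an added example that is not part of the original posts and is not Etsy's or the PECL OAuth library's code: an RFC 5849 signature base string that signs body parameters only for a single-part form-encoded body, plus a verifier that honours the `sbs_modified=1` opt-in. The endpoint, keys, secrets, the `rank` field and the way the flag is handled server-side are constructed assumptions, and the URL is assumed to carry no explicit default port.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

FORM = "application/x-www-form-urlencoded"
# Constructed sample values, not real credentials or a real endpoint.
OAUTH = {"oauth_consumer_key": "ck", "oauth_token": "tk", "oauth_nonce": "n1",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1309466930",
         "oauth_version": "1.0"}
BODY = {"rank": "1"}            # hypothetical non-file multipart field
SECRETS = ("consumer-secret", "token-secret")

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(str(s), safe="-._~")

def base_string(method, url, oauth_params, body_params, content_type, legacy=False):
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    # Section 3.4.1.3.1: body parameters are signed only when the body is
    # single-part form-encoded. legacy=True reproduces the old behaviour the
    # thread describes (non-file multipart fields signed as well).
    if content_type.split(";")[0].strip().lower() == FORM or legacy:
        params += list(body_params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(base, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def verify(method, url, oauth_params, body_params, content_type, secrets):
    # Assumed server-side handling: sbs_modified=1 in the query string selects
    # the old base string; every other request is checked against the spec one.
    legacy = ("sbs_modified", "1") in parse_qsl(urlsplit(url).query)
    base = base_string(method, url, oauth_params, body_params, content_type, legacy)
    # Constant-time comparison avoids leaking how much of the signature matched.
    return hmac.compare_digest(sign(base, *secrets), oauth_params.get("oauth_signature", ""))

if __name__ == "__main__":
    url = "https://api.example.com/v2/listings/1/images"
    spec = base_string("POST", url, OAUTH, BODY, "multipart/form-data; boundary=x")
    signed = dict(OAUTH, oauth_signature=sign(spec, *SECRETS))
    print(spec)
    print(verify("POST", url, signed, BODY, "multipart/form-data; boundary=x", SECRETS))
```

Because `sbs_modified=1` is itself a query parameter, it is part of the signed base string, so a client using the flag has to add it before signing.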
