Hi there,
It seems that there is a mismatch between how the gadgets.io.makeRequest
OpenSocial method (at least as implemented by MySpace) builds the OAuth
signature and how the oauth gem (0.2.7) does it.
I spent a good time trying to debug where things go differently and it
turns out MySpace only escapes the OAuth consumer key once while the
gem does it twice. Here are the two base strings:
MySpace (reverse-engineered from the oauth_signature):
GET&http%3A%2F%2Fmy.server.com%2Fos%2Fsweepstakes%2F2&oauth_consumer_key%3Dhttp%253A%252F%252Fmy.server.com%252Fos%252Fsweepstakes%252F1%252Fcontests.xml%26oauth_nonce%3D633567376700704722%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1221140870%26oauth_version%3D1.0%26opensocial_owner_id%3Dxxxx%26opensocial_viewer_id%3Dxxxx
OAuth gem (what signature.signature_base_string returns):
GET&http%3A%2F%2Fmy.server.com%2Fos%2Fsweepstakes%2F2&oauth_consumer_key%3Dhttp%25253A%25252F%25252Fmy.server.com%25252Fos%25252Fsweepstakes%25252F1%25252Fcontests.xml%26oauth_nonce%3D633567376700704722%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1221140870%26oauth_version%3D1.0%26opensocial_owner_id%3Dxxxx%26opensocial_viewer_id%3Dxxxx
Note how the only thing that differs is the consumer key:
http%253A%252F%252Fmy.server.com%252Fos%252Fsweepstakes%252F1%252Fcontests.xml
vs
http%25253A%25252F%25252Fmy.server.com%25252Fos%25252Fsweepstakes%25252F1%25252Fcontests.xml
The url requested by gadgets.io.makeRequest is:
http://my.server.com/os/sweepstakes/2?oauth_consumer_key=http%3A%2F%2Fmy.server.com%2Fos%2Fsweepstakes%2F1%2Fcontests.xml&oauth_nonce=633567376700704722&oauth_signature=F2KsCyOvJOmd3WsajxuoUVlnha4%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1221140870&oauth_version=1.0&opensocial_owner_id=xxxx&opensocial_viewer_id=xxxx
and the resulting params hash:
Parameters: {"opensocial_viewer_id"=>"xxxx", "oauth_nonce"=>"633567376700704722", "opensocial_owner_id"=>"xxxx", "action"=>"index", "oauth_signature_method"=>"HMAC-SHA1", "controller"=>"os/contests", "oauth_timestamp"=>"1221140870", "company_id"=>"2", "oauth_consumer_key"=>"http://my.server.com/os/sweepstakes/1/contests.xml", "oauth_version"=>"1.0", "oauth_signature"=>"F2KsCyOvJOmd3WsajxuoUVlnha4="}
So MySpace is (quite correctly, afaik) sending the key escaped, but
the gem then goes and re-escapes it. So my question is: is this a bug,
or is MySpace/me doing something wrong there? And since I can't change
how MySpace behaves, is there any other way for me to fix this than to
monkey-patch the signature_base_string method to unescape the consumer
key before building the base string?
Come to think of it, the oauth_consumer_key parameter seen by Rails
seems to be unescaped ("http://my.server.com/os/sweepstakes/1/contests.xml"),
but it seems that the request proxy is not using that but the raw,
still-escaped form.
The relevant part of the controller (copied from here:
http://developer.myspace.com/Community/forums/p/804/10068.aspx#10068)
is below:
CONSUMER_KEY = "http://my.server.com/os/sweepstakes/1/contests.xml"
CONSUMER_SECRET = "xxxx"

class Os::ContestsController < Os::OpenSocialController
  before_filter :oauth_required

  private

  def oauth_required
    consumer = OAuth::Consumer.new(CONSUMER_KEY, CONSUMER_SECRET)
    begin
      # Build the signature from the incoming request; the block returns
      # the token secret (none for two-legged OAuth) and the consumer secret
      signature = OAuth::Signature.build(request) do
        [nil, consumer.secret]
      end
      pass = signature.verify
      logger.debug "*** Signature verification returned: #{pass}"
    rescue OAuth::Signature::UnknownSignatureMethod => e
      logger.error "ERROR " + e.to_s
    end
    # pass is nil when verification failed or the rescue above fired
    render :text => "OAuth access denied", :status => :unauthorized unless pass
  end
end
//jarkko
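An added example, written for this page and not taken from the post above or from the oauth gem: a base-string builder that follows the OAuth 1.0 rules (percent-decode each query parameter once, normalize, HMAC-SHA1 over method, base URL and normalized parameters). Fed the makeRequest URL quoted in the post, decoding the parameters once reproduces the base string MySpace signed; keeping them in their still-escaped wire form reproduces the gem's double-escaped string, which is the mismatch the post describes. The module name OAuthBase, the helper names, the `decoded:` switch and the secret 'constructed-secret' are assumptions of this example; the oauth_signature in the quoted URL cannot be checked because the real consumer secret is not in the post.

```ruby
require 'openssl'
require 'uri'

# Added example, not code from the post or the oauth gem: an OAuth 1.0
# base-string builder used to reproduce the two base strings quoted above.
module OAuthBase
  # Percent-encode per RFC 3986: every byte outside A-Z a-z 0-9 - . _ ~
  # becomes %XX with upper-case hex (CGI.escape would emit '+' for spaces).
  def self.encode(str)
    str.to_s.bytes.map do |b|
      c = b.chr
      c.match?(/[A-Za-z0-9\-._~]/) ? c : format('%%%02X', b)
    end.join
  end

  # Decode %XX sequences exactly once; '+' is left alone on purpose.
  def self.decode(str)
    str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
  end

  # Split a query string into [name, value] pairs. decoded: true decodes each
  # component once, as the spec requires; decoded: false keeps the escaped
  # wire form, which is what the post observes the gem's request proxy doing.
  def self.parse_query(query, decoded: true)
    query.to_s.split('&').map do |pair|
      name, value = pair.split('=', 2)
      decoded ? [decode(name), decode(value.to_s)] : [name, value.to_s]
    end
  end

  # Drop oauth_signature, encode names and values, sort by name then value,
  # and join as name=value pairs with '&'.
  def self.normalize(pairs)
    pairs.reject { |name, _| name == 'oauth_signature' }
         .map { |name, value| [encode(name), encode(value)] }
         .sort
         .map { |name, value| "#{name}=#{value}" }
         .join('&')
  end

  # Base string URI: scheme, host, non-default port and path, no query.
  def self.base_url(url)
    uri = URI.parse(url)
    port = uri.port == uri.default_port ? '' : ":#{uri.port}"
    "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{uri.path}"
  end

  def self.base_string(http_method, url, pairs)
    [http_method.upcase, encode(base_url(url)), encode(normalize(pairs))].join('&')
  end

  # HMAC-SHA1 over the base string; the key is encode(consumer_secret) '&'
  # encode(token_secret), the token secret being empty for two-legged OAuth.
  def self.sign(base, consumer_secret, token_secret = nil)
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    [OpenSSL::HMAC.digest('sha1', key, base)].pack('m0')
  end

  # Sign an unsigned GET URL (two-legged, no token).
  def self.signed_url(http_method, url, consumer_secret)
    pairs = parse_query(URI.parse(url).query)
    sig = sign(base_string(http_method, url, pairs), consumer_secret)
    "#{url}&oauth_signature=#{encode(sig)}"
  end

  # Verify a signed GET URL: decode the parameters once, rebuild the base
  # string, and compare the presented signature without early exit.
  def self.verify(http_method, url, consumer_secret, token_secret = nil)
    pairs = parse_query(URI.parse(url).query)
    presented = pairs.assoc('oauth_signature')&.last
    return false if presented.nil?
    expected = sign(base_string(http_method, url, pairs), consumer_secret, token_secret)
    presented.bytesize == expected.bytesize &&
      presented.bytes.zip(expected.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The makeRequest URL quoted in the post (signed with a consumer secret the
# post does not give, so only the base strings are reproduced here).
SIGNED_URL = 'http://my.server.com/os/sweepstakes/2?oauth_consumer_key=http%3A%2F%2Fmy.server.com%2Fos%2Fsweepstakes%2F1%2Fcontests.xml&oauth_nonce=633567376700704722&oauth_signature=F2KsCyOvJOmd3WsajxuoUVlnha4%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1221140870&oauth_version=1.0&opensocial_owner_id=xxxx&opensocial_viewer_id=xxxx'

# What MySpace signed: parameters decoded once before normalization.
def spec_base_string
  OAuthBase.base_string('GET', SIGNED_URL, OAuthBase.parse_query(URI.parse(SIGNED_URL).query))
end

# What the post reports oauth 0.2.7 producing: the escaped wire form re-encoded.
def double_escaped_base_string
  raw = OAuthBase.parse_query(URI.parse(SIGNED_URL).query, decoded: false)
  OAuthBase.base_string('GET', SIGNED_URL, raw)
end

if __FILE__ == $PROGRAM_NAME
  puts spec_base_string
  puts double_escaped_base_string
  puts "identical? #{spec_base_string == double_escaped_base_string}"
end
```

Running the script prints the two base strings from the post and `identical? false`; the only difference is the `%253A` versus `%25253A` run inside the consumer key. The server-side fix this illustrates is to decode every incoming parameter exactly once before normalizing, rather than special-casing the consumer key, since any parameter value containing reserved characters would otherwise be double-escaped in the same way.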