MySpace OpenSocial requests fail with the oauth gem


Jarkko Laine

Sep 11, 2008, 10:27:41 AM
to oauth-ruby
Hi there,

It seems that there is a mismatch between how the gadgets.io.makeRequest
OpenSocial method (at least as implemented by MySpace) builds the OAuth
signature and how the oauth gem (0.2.7) does it.

I spent a good time trying to debug where things go differently and it
turns out MySpace only escapes the OAuth consumer key once while the
gem does it twice. Here are the two base strings:

MySpace (reverse-engineered from the oauth_signature):
GET&http%3A%2F%2Fmy.server.com%2Fos%2Fsweepstakes%2F2&oauth_consumer_key%3Dhttp%253A%252F%252Fmy.server.com%252Fos%252Fsweepstakes%252F1%252Fcontests.xml%26oauth_nonce%3D633567376700704722%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1221140870%26oauth_version%3D1.0%26opensocial_owner_id%3Dxxxx%26opensocial_viewer_id%3Dxxxx

OAuth Gem (what signature.signature_base_string returns):
GET&http%3A%2F%2Fmy.server.com%2Fos%2Fsweepstakes%2F2&oauth_consumer_key%3Dhttp%25253A%25252F%25252Fmy.server.com%25252Fos%25252Fsweepstakes%25252F1%25252Fcontests.xml%26oauth_nonce%3D633567376700704722%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1221140870%26oauth_version%3D1.0%26opensocial_owner_id%3Dxxxx%26opensocial_viewer_id%3Dxxxx

Note how the only thing that differs is the consumer key:
http%253A%252F%252Fmy.server.com%252Fos%252Fsweepstakes%252F1%252Fcontests.xml
vs
http%25253A%25252F%25252Fmy.server.com%25252Fos%25252Fsweepstakes%25252F1%25252Fcontests.xml

The url requested by gadgets.io.makeRequest is:
http://my.server.com/os/sweepstakes/2?oauth_consumer_key=http%3A%2F%2Fmy.server.com%2Fos%2Fsweepstakes%2F1%2Fcontests.xml&oauth_nonce=633567376700704722&oauth_signature=F2KsCyOvJOmd3WsajxuoUVlnha4%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1221140870&oauth_version=1.0&opensocial_owner_id=xxxx&opensocial_viewer_id=xxxx

and the resulting params hash:
Parameters: {"opensocial_viewer_id"=>"xxxx", "oauth_nonce"=>"633567376700704722", "opensocial_owner_id"=>"xxxx", "action"=>"index", "oauth_signature_method"=>"HMAC-SHA1", "controller"=>"os/contests", "oauth_timestamp"=>"1221140870", "company_id"=>"2", "oauth_consumer_key"=>"http://my.server.com/os/sweepstakes/1/contests.xml", "oauth_version"=>"1.0", "oauth_signature"=>"F2KsCyOvJOmd3WsajxuoUVlnha4="}

So MySpace is (quite correctly afaik) sending the key escaped, but
the gem then goes and re-escapes it. So my question is: is this a bug,
or is MySpace/me doing something wrong there? And since I can't change
how MySpace behaves, is there any other way for me to fix this than to
monkey-patch the signature_base_string method to unescape the consumer
key before building the base string?

Come to think of it, the oauth_consumer_key parameter seen by Rails
seems to be unescaped ("http://my.server.com/os/sweepstakes/1/contests.xml"),
but it seems that the Request proxy is not using that but the raw,
still-escaped form.

The relevant part of the controller (copied from here:
http://developer.myspace.com/Community/forums/p/804/10068.aspx#10068)
below:

CONSUMER_KEY = "http://my.server.com/os/sweepstakes/1/contests.xml"
CONSUMER_SECRET = "xxxx"

class Os::ContestsController < Os::OpenSocialController
  before_filter :oauth_required

  private

  def oauth_required
    consumer = OAuth::Consumer.new(CONSUMER_KEY, CONSUMER_SECRET)

    begin
      signature = OAuth::Signature.build(request) do
        # return the token secret and the consumer secret
        [nil, consumer.secret]
      end
      pass = signature.verify
      logger.debug "*** Signature verification returned: #{pass}"
    rescue OAuth::Signature::UnknownSignatureMethod => e
      logger.error "ERROR " + e.to_s
    end

    # pass stays nil when verification raised, so the request is rejected
    render :text => "OAuth access denied", :status => :unauthorized unless pass
  end
end

//jarkko
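The mismatch described above, as an added Ruby example (not code from the oauth gem or from the original post): it builds the OAuth 1.0 signature base string for the quoted makeRequest URL once from the decoded query parameters, as MySpace signed it, and once from the raw, still-escaped values, which reproduces the double-escaped consumer key the gem produced. The URL is copied from the post and the secret 'xxxx' is a placeholder, so the signatures shown are not the real ones, but the two base strings differ exactly as in the post.

```ruby
require 'cgi'
require 'openssl'
# Copy of the makeRequest URL quoted in the post (the oauth_signature parameter
# is carried along but dropped from the base string when signing).
REQUEST_URL = 'http://my.server.com/os/sweepstakes/2?oauth_consumer_key=' \
  'http%3A%2F%2Fmy.server.com%2Fos%2Fsweepstakes%2F1%2Fcontests.xml' \
  '&oauth_nonce=633567376700704722&oauth_signature=F2KsCyOvJOmd3WsajxuoUVlnha4%3D' \
  '&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1221140870&oauth_version=1.0' \
  '&opensocial_owner_id=xxxx&opensocial_viewer_id=xxxx'

# OAuth 1.0 percent-encoding: everything except RFC 3986 unreserved characters.
def oauth_escape(value)
  value.to_s.gsub(/[^a-zA-Z0-9\-._~]/) { |c| c.unpack('C*').map { |b| '%%%02X' % b }.join }
end

# decode: true gives the decoded values Rails shows in its params hash;
# decode: false keeps the raw, still-escaped form the gem's request proxy used.
def query_pairs(query, decode: true)
  query.split('&').map do |kv|
    k, v = kv.split('=', 2)
    decode ? [CGI.unescape(k), CGI.unescape(v.to_s)] : [k, v.to_s]
  end
end

# OAuth Core 1.0 base string: METHOD & escape(url) & escape(normalized params),
# where every name and value is escaped exactly once, sorted, then '&'-joined.
def signature_base_string(http_method, base_url, pairs)
  normalized = pairs.reject { |k, _| k == 'oauth_signature' }
                    .map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                    .sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [http_method.upcase, oauth_escape(base_url), oauth_escape(normalized)].join('&')
end

def base_string_for(url, decode:)
  base_url, query = url.split('?', 2)
  signature_base_string('GET', base_url, query_pairs(query, decode: decode))
end

# HMAC-SHA1 over the base string, keyed with escape(consumer_secret)&escape(token_secret).
def hmac_sha1_signature(base_string, consumer_secret, token_secret = nil)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest('sha1', key, base_string)].pack('m0')
end

once  = base_string_for(REQUEST_URL, decode: true)   # what MySpace signed
twice = base_string_for(REQUEST_URL, decode: false)  # what oauth 0.2.7 verified
puts "signed:   #{once[/oauth_consumer_key%3D(.*?)%26/, 1]}"
puts "verified: #{twice[/oauth_consumer_key%3D(.*?)%26/, 1]}"
puts hmac_sha1_signature(once, 'xxxx') == hmac_sha1_signature(twice, 'xxxx')  # false
```

A verifier has to compute the base string from the decoded parameters (or escape the raw query value only once); otherwise every consumer key containing reserved characters fails verification even though the signer was correct.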

philip

Sep 11, 2008, 1:58:23 PM
to oauth-ruby
Take a look at http://github.com/robinluckey/oauth/commit/abde6f3fab1b2b472deede789321e4f3f96401c6
Maybe that fix by Robin Luckey works here? I don't use it, but just
to see whether it helps at all: based on your and his descriptions
there, maybe there is a match. And if this use case validates that
fix, it would help Pelle in merging that next time around.
> The url requested by gadgets.io.makeRequest is:http://my.server.com/os/sweepstakes/2?oauth_consumer_key=http%3A%2F%2...

Jarkko Laine

Sep 16, 2008, 9:07:27 AM
to oauth...@googlegroups.com

On 11.9.2008, at 20.58, philip wrote:

>
> Take a look at http://github.com/robinluckey/oauth/commit/abde6f3fab1b2b472deede789321e4f3f96401c6
> Maybe that fix by Robin Luckey works here? I don't use it, but just
> to see whether it helps at all: based on your and his descriptions
> there, maybe there is a match. And if this use case validates that
> fix, it would help Pelle in merging that next time around.

Yep, it definitely solved my problem.

Cheers,
//jarkko

--
Jarkko Laine
http://jlaine.net
http://dotherightthing.com
http://www.railsecommerce.com
http://odesign.fi


Michael Christoff

Oct 31, 2008, 7:16:18 AM
to oauth-ruby
I just monkey patched the same issue. Is there any reason not to merge
this into the master?

On Sep 16, 6:07 am, Jarkko Laine <jar...@jlaine.net> wrote:
> On 11.9.2008, at 20.58, philip wrote:
>
> > Take a look at http://github.com/robinluckey/oauth/commit/abde6f3fab1b2b472deede7893...