oauth flow ignoring oauth_callback?


Travis Vachon

Jul 21, 2011, 9:20:51 PM
to Tumblr API Discussion
Hi there

I'm using omniauth to connect to tumblr in my app, and can't seem to
get tumblr to respect the value of oauth_callback I'm passing when I
get a request token. The request token request/response looks like:

<- "POST /oauth/request_token HTTP/1.1\r\nAccept: */*\r\nUser-Agent:
OAuth gem v0.4.5\r\nContent-Length: 0\r\nAuthorization: OAuth
oauth_body_hash=\"2jmj7l5rSw0yVb%2FvlWAYkK%2FYBwk%3D\", oauth_callback=
\"http%3A%2F%2Flocal.copious.com%3A3000%2Fauth%2Ftumblr%2Fcallback\",
oauth_consumer_key=\"key\", oauth_nonce=\"nonce\", oauth_signature=
\"sig\", oauth_signature_method=\"HMAC-SHA1\", oauth_timestamp=
\"1311296463\", oauth_version=\"1.0\"\r\nConnection: close\r\nHost:
www.tumblr.com\r\n\r\n"
-> "HTTP/1.1 200 OK\r\n"
-> "Date: Fri, 22 Jul 2011 01:01:03 GMT\r\n"
-> "Server: Apache\r\n"
-> "P3P: CP=\"ALL ADM DEV PSAi COM OUR OTRo STP IND ONL\"\r\n"
-> "Vary: Accept-Encoding\r\n"
-> "X-Tumblr-Usec: D=31950\r\n"
-> "Content-Length: 162\r\n"
-> "Connection: close\r\n"
-> "Content-Type: application/x-www-form-urlencoded\r\n"
-> "\r\n"
reading 162 bytes...
->
"oauth_token=thetokenIgetback&oauth_token_secret=thesecretIgetback&oauth_callback_confirmed=true"


The key bits are the oauth callback:

oauth_callback=\"http%3A%2F%2Flocal.copious.com%3A3000%2Fauth%2Ftumblr%2Fcallback\"

and the confirmation:

oauth_callback_confirmed=true

Despite this, however, the response to the authorize call is always a
redirect to the default callback url I've configured in my tumblr
application:

http://www.tumblr.com/oauth/authorize?oauth_token=thetokenIgetback

302 blah blah
Location http://copious.com/auth/tumblr/callback?oauth_token=thetokenIgetback&oauth_verifier=averifier


Is this a known issue? FWIW, the twitter oauth api seems to do the right
thing, and the request/response chain seems to be about the same
otherwise.

Thanks! Let me know if I can provide any more information.

Travis

Dennis Rybalchenko

Jul 24, 2011, 2:50:19 PM
to Tumblr API Discussion
Hello.

It seems that it is a common issue for now. I also cannot get a redirect
to where I need; it only redirects to the default URL, though I always
get oauth_callback_confirmed=true.
It needs some clarification from the Tumblr guys.
> Location        http://copious.com/auth/tumblr/callback?oauth_token=thetokenIgetback&...

jesse

Jul 26, 2011, 12:25:16 PM
to Tumblr API Discussion
For what it's worth, I've run into this with other APIs (FB springs to
mind, although it may be fixed now).

What I generally do is throw the user's current page on my site into a
cookie and then have my bounceback page read the cookie and send the
user back to where they were. Sometimes it doesn't make sense to do it
(like they came from a page that doesn't make any sense once the user
is "connected"), so your particular logic might be more complex, but
it works. It also keeps it in your control rather than dealing with
the external dependency at all.
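
Added example (not part of the original posts): the cookie bounce-back described above, sketched in Ruby. The cookie is client-controlled, so the callback page only honours same-site relative paths; the helper names, the Hash standing in for the cookie jar and the skip list are assumptions.

```ruby
require "uri"

DEFAULT_LANDING = "/"
# Pages that make no sense once the user is connected (assumed list).
SKIP_AFTER_CONNECT = ["/login", "/signup"].freeze

# Accept only a same-site relative path, never an absolute or
# scheme-relative URL, so a tampered cookie cannot cause an open redirect.
def safe_return_path(candidate)
  return DEFAULT_LANDING unless candidate.is_a?(String)
  return DEFAULT_LANDING unless candidate.start_with?("/")
  return DEFAULT_LANDING if candidate.start_with?("//") || candidate.include?("\\")
  return DEFAULT_LANDING if candidate =~ /[\r\n\x00]/
  uri = URI.parse(candidate)
  return DEFAULT_LANDING if uri.scheme || uri.host
  return DEFAULT_LANDING if SKIP_AFTER_CONNECT.include?(uri.path)
  candidate
rescue URI::InvalidURIError
  DEFAULT_LANDING
end

# Before sending the user to the provider: remember where they were.
def remember_location(cookies, current_path)
  cookies["return_to"] = current_path
end

# On the single registered callback page: read once, delete, validate.
def bounce_back(cookies)
  safe_return_path(cookies.delete("return_to"))
end

if __FILE__ == $PROGRAM_NAME
  jar = {} # constructed stand-in for the browser cookie jar
  remember_location(jar, "/posts/42?tab=likes")
  puts bounce_back(jar)
  puts safe_return_path("//evil.example/x")
end
```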


Travis Vachon

Jul 26, 2011, 2:21:08 PM
to tumbl...@googlegroups.com
Yeah, we're doing this too - the issue I'm having is that tumblr's
oauth implementation doesn't seem to be respecting the callback URL
Omniauth is passing, and instead always using the default callback I
specified when I set up the application. This means that connecting to
tumblr in my development application results in a call to my
production app. I'm working around this for now by setting up
per-environment applications with different default callbacks.

t


jesse

Jul 26, 2011, 2:26:57 PM
to Tumblr API Discussion
Oh. That's entirely different. In that scenario it sounds like Tumblr
is doing The Right Thing. An OAuth server should never allow a
callback to a different domain for the supplied keys.


Travis Vachon

Jul 26, 2011, 2:42:35 PM
to tumbl...@googlegroups.com
Huh. This does seem to work with twitter's oauth implementation - we
have one application set up, and twitter calls back to the correct
per-environment domain. We've set up our development and staging
environments as subdomains of our main domain (eg, local.copious.com),
which perhaps explains why it works there.

jesse

Jul 26, 2011, 2:55:28 PM
to Tumblr API Discussion
That's interesting about Twitter. I don't recall that working in the
past, but I may have just never tried it.

Subdomains working... I have mixed feelings, I guess it makes sense.
Great for devs, for sure.
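
Added example (not from the thread, and not Tumblr's or Twitter's actual code): a provider-side callback check in Ruby that compares the requested oauth_callback against the registered one under three policies, using the two URLs quoted in this thread. The policy names and function names are hypothetical.

```ruby
require "uri"

# Registered and requested callbacks as quoted in the thread.
REGISTERED = "http://copious.com/auth/tumblr/callback"
DEV_CALLBACK = "http://local.copious.com:3000/auth/tumblr/callback"

# Parse an http(s) URL; anything else is treated as invalid.
def parts(url)
  u = URI.parse(url)
  return nil unless %w[http https].include?(u.scheme) && u.host
  u
rescue URI::InvalidURIError
  nil
end

# :exact     - requested URL must equal the registered one
# :same_host - scheme, host and port must match; path may differ
# :subdomain - host is the registered host or a subdomain of it
#              (scheme and port are not compared; every subdomain is trusted)
def callback_allowed?(registered, requested, policy)
  reg = parts(registered)
  req = parts(requested)
  return false unless reg && req
  return false if req.userinfo # reject http://copious.com@other.host/ forms
  rh = reg.host.downcase
  qh = req.host.downcase
  case policy
  when :exact     then requested == registered
  when :same_host then req.scheme == reg.scheme && qh == rh && req.port == reg.port
  when :subdomain then qh == rh || qh.end_with?("." + rh)
  else false
  end
end

# Use the requested callback when the policy allows it, otherwise fall
# back to the registered default.
def effective_callback(registered, requested, policy)
  callback_allowed?(registered, requested, policy) ? requested : registered
end

if __FILE__ == $PROGRAM_NAME
  %i[exact same_host subdomain].each do |policy|
    puts "#{policy}: #{effective_callback(REGISTERED, DEV_CALLBACK, policy)}"
  end
end
```

Under :exact and :same_host the development callback falls back to the registered URL; only :subdomain lets it through, and a look-alike host such as copious.com.evil.example is still rejected.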

Jamie Wilkinson

Aug 4, 2012, 1:45:18 PM
to tumbl...@googlegroups.com
Is this still the expected behavior, that the Tumblr API completely ignores the passed callback URL in favor of the application's registered callback_url? 

We've been forced to register redundant applications so different hostnames can work: development, staging, production, so on and so forth.

This has been repeatedly filed as a bug against my omniauth-tumblr library (an authentication library for Ruby and Rails applications) since almost every other API respects this parameter:


Thanks,
-jamie

Alex

Oct 24, 2012, 5:26:51 AM
to tumbl...@googlegroups.com
Bump to this - I am using the callback to perform app switching on iOS, but the URL will need to be different if I use Android or another platform. The API seems to ignore oauth_callback and revert to the default callback as reported by Jamie.

John Bunting

Oct 24, 2012, 9:32:04 AM
to tumbl...@googlegroups.com
Most certainly should not be ignoring the callback.


Can you drop some examples of urls that you are sending?
--
John Bunting

Simplicity is prerequisite for reliability
    --Edsger W. Dijkstra


Paul

Jan 22, 2013, 10:18:11 PM
to tumbl...@googlegroups.com
I found this on Ruby, but perhaps it will help you with iOS -- the oauth_callback is not specified in the get_request_token call as it is with Twitter, it is instead added to the end of the authorize_url.  I put it all here: http://stackoverflow.com/questions/7786644/tumblr-oauth-callback-url/14471569#14471569

Hope it helps!

--Paul

Stephen Collins

Nov 20, 2013, 11:59:13 AM
to tumbl...@googlegroups.com
So I've been having this problem as well, but with a slight twist:

When you click "Deny" on the "Allow this app to use your account" page, it honors the "oauth_callback" URL, but when I click allow it does not.

John Bunting

Nov 20, 2013, 12:11:39 PM
to tumbl...@googlegroups.com
That's really really weird. What is your callback url?



Stephen Collins

Nov 20, 2013, 12:24:54 PM
to tumbl...@googlegroups.com
It doesn't matter what I set it to.  At the moment it's set to just "tumblr.com," but I've tried various others, even "google.com," which all work fine when I click "Deny," but not when I click "Allow."

John Bunting

Nov 20, 2013, 12:29:37 PM
to tumbl...@googlegroups.com
Weird. I just registered a new application with a callback of my choosing, used a script to test the three legged oauth (which is written in python) and was redirected just fine after I clicked approve.

Email me off list the name of your application or consumer key and I'll check out what is going on with your app. johnb @ tumblr.com