Bug with blank oauth_token


Freddy Carl

Jan 29, 2009, 6:22:23 PM
to oauth...@googlegroups.com, mil...@strands.com
Hi everyone,

Today, we tried to update the oauth ruby gem from 0.2.7 to 0.3.1 and
we ran into a bit of a bug. We noticed that if you try to do a
consumer request with a blank token, the token parameter gets
dropped out of the request. According to section 7 of the OAuth spec
(http://oauth.net/core/1.0/#anchor13), requests to protected resources
always have to contain certain parameters (even if they're blank).

We think we traced where the oauth_param is being dropped out. It
appears to be the oauth_parameters method in helper.rb
(http://github.com/pelle/oauth/blob/ce9caa2a7ffd03a35023b0dc5bf0b1777fa4ac62/lib/oauth/client/helper.rb
lines 33-42). If a value is blank in here, it's rejected.

Of course, we're not that familiar with the code so it could be
happening somewhere else, but hopefully this gives you guys a heads up.

Thanks, and keep up the good work!
Fredric Carl

Seth Fitzsimmons

Jan 30, 2009, 5:30:47 PM
to oauth-ruby, miller
Hi Fredric.

This was intentional (and I'll take responsibility) and was changed
after a fair amount of discussion and pondering. I'll attempt to
summarize the reasons:

Yahoo! and Netflix use 2-legged OAuth (which results in an empty
'oauth_token' parameter). In their current impl (I believe this is
changing), they treat empty parameters as non-existent (this is the
part that violates the spec; empty parameters must be included when
normalizing parameters).

Providers must treat empty parameters correctly (as present, but
blank), but Consumers can make things simpler by making requests
with querystrings that are more straightforward to normalize. I
realize that this results in "required" parameters being missing (as
opposed to being blank), but the consensus is that 2-legged OAuth is
not sufficiently specified and that libraries should strive for
compatibility with existing implementations over strict compliance.

My guess is that 2-legged OAuth is going to be better specified now
that OAuth is going to the IETF, which should resolve the ambiguities
about required parameters.

What sort of problems is this change causing for you?

seth

2009/1/29 Freddy Carl <carl...@gmail.com>:
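To make the interoperability point in Seth's reply concrete, here is an added example (not code from the oauth gem or from anyone in this thread) that normalizes OAuth 1.0 parameters both ways and shows why a consumer that drops a blank oauth_token and a provider that keeps it compute different HMAC-SHA1 signatures for the same request. The consumer key, secret, nonce and URL are constructed sample values.

```ruby
require 'openssl'

# Percent-encode per OAuth 1.0 section 5.1: only RFC 3986 unreserved characters pass through.
def oauth_escape(value)
  value.to_s.b.gsub(/[^a-zA-Z0-9\-._~]/) { |c| '%%%02X' % c.ord }
end

# Normalize request parameters per OAuth 1.0 section 9.1.1: encode, sort by name then value,
# join as name=value with '&'. keep_blank: true is what the spec requires; keep_blank: false
# reproduces a consumer that silently drops empty parameters before signing.
def normalize_params(params, keep_blank: true)
  pairs = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
  pairs = pairs.reject { |_, v| v.empty? } unless keep_blank
  pairs.sort.map { |k, v| "#{k}=#{v}" }.join('&')
end

# Signature base string per section 9.1.3: METHOD & encoded URL & encoded normalized params.
def signature_base_string(method, url, params, keep_blank: true)
  [method.upcase, oauth_escape(url),
   oauth_escape(normalize_params(params, keep_blank: keep_blank))].join('&')
end

# HMAC-SHA1 signature per section 9.2; the token secret is empty for a 2-legged request.
def hmac_sha1_signature(base_string, consumer_secret, token_secret = '')
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest('sha1', key, base_string)].pack('m0')
end

# Constructed sample 2-legged request: oauth_token is present but blank.
CONSUMER_SECRET = 'consumer-secret-456' # constructed
REQUEST_PARAMS = {
  'oauth_consumer_key' => 'consumer-key-123', # constructed
  'oauth_token' => '',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp' => '1233253343',
  'oauth_nonce' => 'kllo9940pd9333jh', # constructed
  'oauth_version' => '1.0',
  'size' => 'original'
}.freeze

# Does a provider that normalizes one way accept the signature of a consumer that normalizes
# the other way? Both sides sign the identical request; only blank-parameter handling differs.
def provider_accepts?(consumer_keeps_blank:, provider_keeps_blank:)
  url = 'https://api.example.com/photos' # constructed
  sign = lambda do |keep|
    base = signature_base_string('GET', url, REQUEST_PARAMS, keep_blank: keep)
    hmac_sha1_signature(base, CONSUMER_SECRET)
  end
  sign.call(consumer_keeps_blank) == sign.call(provider_keeps_blank)
end
```

Calling `provider_accepts?(consumer_keeps_blank: false, provider_keeps_blank: true)` returns false, which is the signature-verification failure a spec-compliant provider produces when the consumer omits the blank token; with both sides dropping blanks (the Yahoo!/Netflix behaviour Seth describes) it returns true.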

Yossie Silverman

Aug 25, 2013, 5:25:21 PM
to oauth...@googlegroups.com, miller
I am trying to write a utility to allow DevOps to control a rest_api+oauth instrumented environment. Initially I wrote an entire oauth (2-legged only) implementation in bash - it works fine, but I want something that works on Windows too. So I looked to ruby. The oauth gem is nice, simple, and can't seem to handle a blank oauth_token - it simply doesn't include it in the Authorization header, which reliably returns 400 (unauthorized) from the service in question. It is possible the service is incorrectly handling oauth - but I can't control it.

So, the question is, how do I talk the oauth gem into including a blank oauth_token (and oauth_token_secret) into the header?

Thanks - Yossie