correct oauth_signature encoding behavior

Adam Greene

Feb 25, 2009, 3:18:41 AM
to OAuth Ruby
hey folks,

I'm using oauth, in this case, in a 2-legged scenario. Part of my app
calls the rails controller, and the url looks something like this:

http://api.localhost.com/team/mike/data?page=2&oauth_nonce=L7IJqrJ5TEhUOsZK6WR2aes1BnXOYp6EygEmXXBJ3c&oauth_signature_method=HMAC-SHA1&oauth_token=rrPOjFwbqEd49J3LLQ0CPQ&oauth_timestamp=1235548972&oauth_consumer_key=vANHUaS01QLgBkbFZYllw&oauth_version=1.0&oauth_signature=wKdmijzyTL%252BQsVUnxfBh%252BsmLmKA%253D

notice the oauth_signature is wKdmijzyTL%252BQsVUnxfBh%252BsmLmKA%253D

when it comes into rails, the log shows
wKdmijzyTL%252BQsVUnxfBh%252BsmLmKA%253D as the signature... this leads
to a mismatch when it gets to OAuth::Signature::Base#verify because
internally it is unescaped but it is comparing it against the escaped
version.
wKdmijzyTL+QsVUnxfBh+smLmKA= == wKdmijzyTL%252BQsVUnxfBh%252BsmLmKA%253D fails


I monkey patched this at OAuth::RequestProxy::Base#signature to wrap a
CGI.unescape... but this seems wrong to me! isn't rails supposed to
unescape the parameter hash? And if not, how come others haven't run
into this before?

I'm using the Oauth 0.3.1 library against rails 2.1.2

thanks in adv.
Adam

Adam Greene

Feb 25, 2009, 4:10:31 PM
to OAuth Ruby
I guess I should add that I'm using the same library to create the
signed url and that the same error occurs whether it is coming in via
the header or as a query string.

thanks,
Adam

On Feb 25, 12:18 am, Adam Greene <adam.gre...@gmail.com> wrote:
> hey folks,
>
> I'm using oauth, in this case, in a 2-legged scenario. Part of my app
> calls the rails controller, and the url looks something like this:
>
> http://api.localhost.com/team/mike/data?page=2&oauth_nonce=L7IJqrJ5TE...

Seth Fitzsimmons

Feb 25, 2009, 4:24:03 PM
to oauth...@googlegroups.com
I think I bumped into this problem (in the Net::HttpClient) a couple
weeks ago and fixed it in 0.3.1.x. Can you try installing
mojodna-oauth and see if it solves the problem?

thanks.
seth

n.matake

Feb 25, 2009, 8:01:07 PM
to oauth...@googlegroups.com
OAuth::RequestProxy::ActionControllerRequest#parameters_for_signature has an encoding bug.
Service Providers using ruby-oauth cannot support "=" and "&" in consumers' parameters in POST requests.

I got a bug report about it from our developer community, and I did the same thing with Seth in our API.

Signature encoding on the consumer side is OK.
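
The mismatch discussed in this thread, as an added Ruby example that is not part of the original posts and is not the oauth gem's code: a signature percent-encoded once survives a single decode on the receiving side, while one encoded twice (as in the URL in the first post) does not. The helper names, secrets and base string are hypothetical, and the receiver is assumed to decode each query value exactly once.

```ruby
require "openssl"
require "uri"

# OAuth 1.0 percent-encoding: escape everything except RFC 3986 unreserved characters.
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# HMAC-SHA1 signature as base64 text, before any URL escaping.
def sign(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA1"), key, base_string)].pack("m0")
end

# Assumption: the receiving side decodes each query value exactly once.
def server_params(query)
  URI.decode_www_form(query).to_h
end

# Comparison that does not stop at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed sample inputs (hypothetical, not taken from the thread).
BASE_STRING = "GET&http%3A%2F%2Fapi.example.test%2Fdata&page%3D2"
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"

# Escape the signature `passes` times on the client, decode once on the server, verify.
def verifies_after?(passes)
  expected = sign(BASE_STRING, CONSUMER_SECRET, TOKEN_SECRET)
  wire = expected
  passes.times { wire = oauth_escape(wire) }
  received = server_params("page=2&oauth_signature=#{wire}")["oauth_signature"]
  secure_equal?(expected, received)
end

if __FILE__ == $PROGRAM_NAME
  puts "escaped once:  #{verifies_after?(1)}"
  puts "escaped twice: #{verifies_after?(2)}"
end
```

Because a base64-encoded HMAC-SHA1 value always ends in `=`, a doubly escaped signature always differs from the expected one after a single decode.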