Authentication Web Service .NET framework 3.5


Akash

Sep 13, 2008, 2:38:40 PM
to Orkut Developer Forum
Hi,
I have written an orkut application that is making a web service
call. The web service is using ASP.NET 3.5. The application was
working fine without any issue; however, when I added the following to my
web service call

params[gadgets.io.RequestParameters.AUTHORIZATION] =
gadgets.io.AuthorizationType.SIGNED;

I started getting the following response.

<HTML>
<HEAD>
<TITLE>invalid parameter name &lt;?xml version</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>invalid parameter name &lt;?xml version</H1>
<H2>Error 400</H2>
</BODY>
</HTML>

Any clue why I am facing this problem?

BTW, I am also looking for some sample code where an authenticated web
service call is made to a web service running on .NET framework 3.5.

Thanks,
-Akash

Following is detailed code.

// Gadget side: build the SOAP 1.2 envelope and send it through the
// container proxy as a signed POST.
var map = { "Content-Type" : "application/soap+xml; charset=utf-8" };
var params = {};
soapRequest =
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
    "<soap12:Envelope " +
    "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" " +
    "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" " +
    "xmlns:soap12=\"http://www.w3.org/2003/05/soap-envelope\">" +
    "<soap12:Body>" +
    "<" + method + " xmlns=\"" + ns + "\">" +
    parameters.toXml() +
    "</" + method + "></soap12:Body></soap12:Envelope>";
params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
params[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.DOM;
params[gadgets.io.RequestParameters.HEADERS] = map;
params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;
params[gadgets.io.RequestParameters.POST_DATA] = soapRequest;

gadgets.io.makeRequest(url, function(req) {
    SOAPClient._onSendSoapRequest(method, async, callback, context, wsdl, req);
}, params);


[WebMethod]
public bool isAppInstalledByUser(string id, string siteTye)
{
    return false;
}

Jason

Sep 15, 2008, 6:06:07 PM
to Orkut Developer Forum
Thanks for sharing your code snippet. :) Most of the time, I see
requests for assistance without any code, which obviously makes it
much harder to determine the problem.

As far as your issue, try using gadgets.io.encodeValues(soapRequest)
instead of passing soapRequest directly. See POST Requests in this
wiki article, which uses this convenience function to encode POST
data:

http://code.google.com/p/opensocial-resources/wiki/GadgetsMakeRequest

Unfortunately, I don't have any ASP signature validation code handy,
but hopefully another member of the community has a snippet to share.
If you find one, we'll be more than happy to make it available on the
opensocial-resources wiki.

Cheers!
- Jason

Akash

Sep 20, 2008, 11:55:50 PM
to Orkut Developer Forum
Hi Jason,
Thanks for the response. I don't think not encoding the post data
is the issue, because things were working when I was not signing the
request :-( I tried your suggestion anyway. I am still getting the same
response.

<HTML>
<HEAD>
<TITLE>invalid parameter name &lt;?xml version</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>invalid parameter name &lt;?xml version</H1>
<H2>Error 400</H2>
</BODY>
</HTML>

Jason,
I am still not able to appreciate the authorization model of orkut.
My current understanding is that when I make a web service call from
an orkut application the web service call first goes to a proxy on the
orkut server. The proxy in turn makes a call to the application server on
the internet on behalf of the application. Later the response traverses in
the reverse direction.
Now how do things change with
signing (params[gadgets.io.RequestParameters.AUTHORIZATION] =
gadgets.io.AuthorizationType.SIGNED;) coming into the picture? The
questions I am looking to get answered are the following:


1. Is the web service request encrypted from the browser to the proxy
server on orkut?
2. Is the request from the orkut server to the application server
encrypted?
3. In the security world, what exactly is the communication between the orkut
proxy server and the application server called?
4. What requirements should the web server that is running the application
fulfill? For e.g. I am using IIS7 and .NET framework 3.5
provided by www.discountasp.net. My question is what should be my
requirements for them?

Another related question:
On the application server side, how do I ensure that the request I am
getting is from an application and user X?

I would love to help the community once I understand the
authentication model.

Thanks,
-Akash

Raman

Sep 22, 2008, 1:34:43 AM
to opensoci...@googlegroups.com
Hi Akash

Things work as per the usual public key - private key model.
When you call some web service using makeRequest, the request first goes to the orkut server. The orkut server signs the request using its private key. At your end, you can ensure the request is from orkut by decrypting the received request with its public key (which is publicly available). So, if you are able to decrypt it, that means orkut has sent the request; otherwise, it's an invalid request.


Plus, when you send a signed request from your opensocial app, orkut attaches an 'opensocial_owner_id' and an 'opensocial_viewer_id' (only if the viewer has added the app) as GET parameters, through which you can confirm who actually is the current viewer and the owner of the application.

Raman

Akash

Sep 23, 2008, 9:21:48 AM
to Orkut Developer Forum
Thanks a lot Raman.

One more clarification: I believe the transaction between the orkut server
and my application server is not over SSL.

Thanks,
-Akash


Akash

Sep 23, 2008, 3:02:50 PM
to Orkut Developer Forum
Since I don't have debugging capabilities on the hosting site on which
I am planning to host my application, I wrote one simple ASP.NET page that
just reflects the POST request that it receives.

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Echo the POST body back unchanged so the proxy's request can be inspected.
        XmlDocument doc = new XmlDocument();
        doc.Load(Request.InputStream);
        Response.Write(doc.InnerXml);
    }
}

I wanted to compare the difference between signed and unsigned POST
requests received on the server. My assumption is that the signed request
is an encrypted form of the unsigned request, hence for an unsigned request my
response should be the same as the request; however for a signed request my
response should be an encrypted form of the request. Please confirm whether
my assumption is correct.

Unfortunately I don't see any difference between request and response.
Though when I sniffed the POST request, the signed request has the following
extra parameter.
***
authz=signed&st=AFinprRrOo9jbTnGz6GfSLTAFaD31b-
BdtDUoRKmB6fAmal76q1ay6NmliAxmxqei_HU7alG69OMw2caaKLYGuJsXp2CQX9oBA7fQj5dfZQO7iKjBJ6b0I
***

I will appreciate any help in this regard.

Thanks,
-Akash

Akash

Sep 24, 2008, 2:51:39 AM
to Orkut Developer Forum
Please help.




Raman

Sep 24, 2008, 6:10:27 AM
to opensoci...@googlegroups.com
Hi Akash

No, the communication is not over SSL (as far as I know).
Plus, orkut adds a lot of GET parameters such as opensocial_owner_id, oauth_nonce, etc.

Just to make sure you aren't doing anything wrong...

Use this code on client

/**
 * Perform remote server requests. The request is signed by the container.
 * @function
 * @param {String} url
 * URL containing the GET and POST parameters to which the request is to be made.
 * @param {Function} [callback]
 * Function to call back when a response is received from the server.
 * @example
 * call("http://www.sampleserver.sample?key1=value1&key2=value2"); // key1 and key2 are passed as GET parameters.
 * call("http://www.sampleserver.sample|key1=value1&key2=value2"); // key1 and key2 are passed as POST parameters.
 * call("http://www.sampleserver.sample?key1=value1|key2=value2"); // key1 is passed as a GET parameter and key2 is passed as a POST parameter.
 */
function call (url, callback)
{
    var params = {};
    // Request should be signed by the container.
    params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;

    // URL contains POST parameters; POST parameters are separated by a '|' (without quotes) from the main URL.
    if (url.indexOf("|") != -1)
    {
        // tell the container it's a POST request.
        params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
        var urls = url.split("|");
        url = urls[0];
        params[gadgets.io.RequestParameters.POST_DATA] = urls[1]; // POST data
    }
    gadgets.io.makeRequest(url, callback, params);
}

This is a modified version of the function that I have been using in production, stripped of all the user-built libraries that I have been using. If there's an error with this thing, let me know, I will resolve it.

And use the following code on the server to get all the GET and POST parameters..

using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Collections.Specialized;

public partial class Sample : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Dump every query-string (GET) parameter the container attached.
        NameValueCollection gets = Request.QueryString;
        for (int i = 0; i < gets.Count; i++)
        {
            Response.Write(gets.GetKey(i) + ": " + gets.GetValues(i)[0] + "<br />");
        }
        Response.Write("<br />");
        // Then every form (POST) parameter.
        NameValueCollection posts = Request.Form;
        for (int i = 0; i < posts.Count; i++)
        {
            Response.Write(posts.GetKey(i) + ": " + Uri.EscapeUriString(posts.GetValues(i)[0]) + "<br />");
        }
        Response.End();
    }
}

All the best.

Raman

Jason

Sep 25, 2008, 5:11:01 PM
to Orkut Developer Forum
Yes, Raman's right again. Requests are not encrypted; the only
difference between unsigned and signed requests is the extra
parameters that are passed -- signed requests have a signature
attached as well as extra arguments identifying the container and
owner ID plus a few others.

- Jason

Akash

Sep 26, 2008, 2:05:29 PM
to Orkut Developer Forum
Thanks Raman & Jason. Now I have much better clarity on how things
work.

I tried the options you suggested and was able to make a lot of progress.
Since I am making a web service call, I am wondering how to generate the
signature base. Following is the JS code I am using to make the web
service call.


var map = { "Content-Type" : "application/soap+xml; charset=utf-8" };

var params = {};
soapRequest =
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
    "<soap12:Envelope " +
    "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" " +
    "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" " +
    "xmlns:soap12=\"http://www.w3.org/2003/05/soap-envelope\">" +
    "<soap12:Body>" +
    "<" + method + " xmlns=\"" + ns + "\">" +
    parameters.toXml() +
    "</" + method + "></soap12:Body></soap12:Envelope>";
params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
params[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.DOM;
params[gadgets.io.RequestParameters.HEADERS] = map;
params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;
params[gadgets.io.RequestParameters.POST_DATA] = soapRequest;

gadgets.io.makeRequest("http://www.MyApplicationServer.com/iApp/Service.asmx", function(req) {
    SOAPClient._onSendSoapRequest(method, async, callback, context, wsdl, req);
}, params);



Now coming to the application server side. For validation I have to
generate the signature base:

1. The HTTP request method used to send the request. Value MUST be
uppercase, for example: HEAD, GET , POST, etc.
2. The request URL from Section 9.1.2 (Construct Request URL).
3. The normalized request parameters string from Section 9.1.1
(Normalize Request Parameters).

#1 is POST
#2 I think the request URL should be
"http://www.MyApplicationServer.com/iApp/Service.asmx". However the request
is coming from orkut, hence I am not sure. Please confirm.
#3 According to the OAuth Spec
#3 According to the OAuth Spec

****
The request parameters are collected, sorted and concatenated into a
normalized string:

1. Parameters in the OAuth HTTP Authorization header (Authorization
Header) excluding the realm parameter.
2. Parameters in the HTTP POST request body (with a content-type of
application/x-www-form-urlencoded).
3. HTTP GET parameters added to the URLs in the query part (as defined
by [RFC3986] (Berners-Lee, T., “Uniform Resource Identifiers (URI):
Generic Syntax,” .) section 3).

The oauth_signature parameter MUST be excluded.
****
#1 Parameters in the OAuth HTTP Authorization header (Authorization
Header) excluding the realm parameter.


Within my web service the OAuth HTTP Authorization header parameters are
populated in the this.Context.Request.Params data structure:

oauth_consumer_key       orkut.com
oauth_signature_method   RSA-SHA1
oauth_timestamp          1222270545
oauth_nonce              1222270545579299000
oauth_signature          KJy1Dz+tMNDhQjS0mtc2SrmG7X51evlmJiFtT1ztpX0pBVpT6i27Hr6MMf1svHqjLFjtxNFg+P2t/Mjm+bXS2AUdfsKlelTfTlQEEzyX973Kdk74/5UXoZZmItzYfCmKQuQRl3fWYch0226eujYGrh3lu471e4rDury8gIll5v8=


The this.Context.Request.Params data structure has the following parameters
pertaining to opensocial:

opensocial_owner_id          04260157720044639260
opensocial_viewer_id         04260157720044639260
opensocial_app_id            12536334869062616675
opensocial_app_url           http://www.MyApplicationServer.com/iApp/KM.xml
xoauth_signature_publickey   pub.1199819524.-1556113204990931254.cer

I am wondering whether these parameters are also required for
generating the signature base? this.Context.Request.Params also contains
many other parameters (listed at the end of this email) but I think
they should not be used for generating the signature base. Please correct
me if I am wrong.

#2. Parameters in the HTTP POST request body (with a content-type of
application/x-www-form-urlencoded).

Though the HTTP method used for the request is POST, the content type I am
using is "application/soap+xml;". Therefore the SOAP request that is
part of the POST request should not be used for generating the base. Please
correct me if I am wrong.

3. HTTP GET parameters added to the URLs in the query part (as defined
by [RFC3986] (Berners-Lee, T., "Uniform Resource Identifiers (URI):
Generic Syntax," .) section 3).

Since this is a POST request, I should not bother about it?

Since I am very close to solution I will highly appreciate any help in
this regard.

Thanks,
-Akash









*****
opensocial_owner_id 04260157720044639260
opensocial_viewer_id 04260157720044639260
opensocial_app_id 12536334869062616675
opensocial_app_url http://www.MyApplicationServer.com/iApp/KM.xml
xoauth_signature_publickey pub.1199819524.-1556113204990931254.cer
oauth_consumer_key orkut.com
oauth_signature_method RSA-SHA1
oauth_timestamp 1222270545
oauth_nonce 1222270545579299000
oauth_signature KJy1Dz+tMNDhQjS0mtc2SrmG7X51evlmJiFtT1ztpX0pBVpT6i27Hr6MMf1svHqjLFjtxNFg+P2t/Mjm+bXS2AUdfsKlelTfTlQEEzyX973Kdk74/5UXoZZmItzYfCmKQuQRl3fWYch0226eujYGrh3lu471e4rDury8gIll5v8=
ALL_HTTP HTTP_CACHE_CONTROL:private
HTTP_CONTENT_LENGTH:367
HTTP_CONTENT_TYPE:application/soap+xml; charset=utf-8
HTTP_ACCEPT_ENCODING:gzip
HTTP_HOST:www.MyApplicationServer.com
HTTP_USER_AGENT:Google OpenSocial agent (http://www.google.com/feedfetcher.html)

ALL_RAW Cache-Control: private
Content-Length: 367
Content-Type: application/soap+xml; charset=utf-8
Accept-Encoding: gzip
Host: www.MyApplicationServer.com
User-Agent: Google OpenSocial agent (http://www.google.com/feedfetcher.html)

APPL_MD_PATH /LM/W3SVC/491520/ROOT/iApp
APPL_PHYSICAL_PATH E:\web\MyApplicationServer\htdocs\iApp\
AUTH_TYPE
AUTH_USER
AUTH_PASSWORD
LOGON_USER
REMOTE_USER
CERT_COOKIE
CERT_FLAGS
CERT_ISSUER
CERT_KEYSIZE
CERT_SECRETKEYSIZE
CERT_SERIALNUMBER
CERT_SERVER_ISSUER
CERT_SERVER_SUBJECT
CERT_SUBJECT
CONTENT_LENGTH 367
CONTENT_TYPE application/soap+xml; charset=utf-8
GATEWAY_INTERFACE CGI/1.1
HTTPS off
HTTPS_KEYSIZE
HTTPS_SECRETKEYSIZE
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
INSTANCE_ID 491520
INSTANCE_META_PATH /LM/W3SVC/491520
LOCAL_ADDR 64.22.138.6
PATH_INFO /iApp/Service.asmx
PATH_TRANSLATED E:\web\MyApplicationServer\htdocs\iApp\Service.asmx
QUERY_STRING opensocial_owner_id=04260157720044639260&opensocial_viewer_id=04260157720044639260&opensocial_app_id=12536334869062616675&opensocial_app_url=http%3A%2F%2Fwww.MyApplicationServer.com%2FiApp%2FMyApplicationServer.xml&xoauth_signature_publickey=pub.1199819524.-1556113204990931254.cer&oauth_consumer_key=orkut.com&oauth_signature_method=RSA-SHA1&oauth_timestamp=1222446709&oauth_nonce=1222446709021876000&oauth_signature=LTpKRq12Oai5r%2Fa4jlXDcjS%2Ff6rI1LdGfFHgmIHZ%2B8MjKdBWcOBZkCIv0IT8TArLj3AefWGWIRJfQobfdLpXZUQXbdDOJI5%2BrjXd2jPLJPKZ5gkdzpwdC7O38GJymgbWe8k1g9l98SE08do37bwIjNYu%2BS9n%2BtmtmHSfCC3L80g%3D
REMOTE_ADDR 66.249.85.131
REMOTE_HOST 66.249.85.131
REMOTE_PORT 58435
REQUEST_METHOD POST
SCRIPT_NAME /iApp/Service.asmx
SERVER_NAME www.MyApplicationServer.com
SERVER_PORT 80
SERVER_PORT_SECURE 0
SERVER_PROTOCOL HTTP/1.1
SERVER_SOFTWARE Microsoft-IIS/7.0
URL /iApp/Service.asmx
HTTP_CACHE_CONTROL private
HTTP_CONTENT_LENGTH 367
HTTP_CONTENT_TYPE application/soap+xml; charset=utf-8
HTTP_ACCEPT_ENCODING gzip
HTTP_HOST www.MyApplicationServer.com
HTTP_USER_AGENT Google OpenSocial agent (http://www.google.com/feedfetcher.html)

*****

Akash

Sep 27, 2008, 4:43:27 AM
to Orkut Developer Forum


I think I cracked the holy grail (At least for me:-)).

Client Side:-
I am using following javascript code to make a web service call.

var map = { "Content-Type" : "application/soap+xml; charset=utf-8" };

var params = {};
soapRequest =
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
    "<soap12:Envelope " +
    "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" " +
    "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" " +
    "xmlns:soap12=\"http://www.w3.org/2003/05/soap-envelope\">" +
    "<soap12:Body>" +
    "<" + method + " xmlns=\"" + ns + "\">" +
    parameters.toXml() +
    "</" + method + "></soap12:Body></soap12:Envelope>";
params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
params[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.DOM;
params[gadgets.io.RequestParameters.HEADERS] = map;
params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;
params[gadgets.io.RequestParameters.POST_DATA] = soapRequest;

gadgets.io.makeRequest(url, function(req) {
    SOAPClient._onSendSoapRequest(method, async, callback, context, wsdl, req);
}, params);


When the POST request reaches the Orkut proxy container, it generates a
signature base string (http://oauth.net/core/1.0/#anchor14) by concatenating
the request elements.
The following items MUST be concatenated in order into a single
string. Each item is encoded (Parameter Encoding) and separated by an
'&' character (ASCII code 38), even if empty.
1. The HTTP request method used to send the request. Value MUST be
uppercase, for example: HEAD, GET , POST, etc.
In our case it is "POST"

2. The request URL from Section 9.1.2 (Construct Request URL).
In our case it is http://www.ApplicationServer.com/iApp/Service.asmx

3. The normalized request parameters string from Section 9.1.1
(Normalize Request Parameters).
The request parameters added are the following:

opensocial_owner_id          04260157720044639260
opensocial_viewer_id         04260157720044639260
opensocial_app_id            12536334869062616675
opensocial_app_url           http://www.ApplicationServer.com/iApp/KM.xml
xoauth_signature_publickey   pub.1199819524.-1556113204990931254.cer
oauth_consumer_key           orkut.com
oauth_timestamp              1222452522
oauth_nonce                  1222452522836105000

The signature base string is signed (hashed), with the private key as input to
the RSA-SHA1 algorithm, and that generates the signature.

Finally orkut container makes a web service call to the application
server on behalf of orkut application.

IMPORTANT: Inside the web method all parameters added by the orkut
container are available inside this.Context.Request.Params. These
parameters are

opensocial_owner_id          04260157720043639260
opensocial_viewer_id         04260157720043639260
opensocial_app_id            12536334849062616675
opensocial_app_url           http://www.ApplicationServer.com/iApp/KM.xml
xoauth_signature_publickey   pub.1199819524.-1556113204990931254.cer
oauth_consumer_key           orkut.com
oauth_timestamp              1222452522
oauth_nonce                  1222452522836105000

oauth_signature_method       RSA-SHA1
oauth_signature              Q1xim4r9e+3LOpObb6GWhGkw41a8MTc9a+bNuleE8jwRyymXbdZNJBIq3N2RoC9Ojri2ha1V43Mj0JfovNDpYKoPnAUlwsUGzAp7KzpXcdAeyUw6txeCtkVSdsiWw7NhX/btdJs2dQzbMKBptGAfLdwjCYThmqLqwDicHU1Dr34=

Verification:-

I am using the code http://code.google.com/p/devdefined-tools/wiki/OAuth
by http://code.google.com/u/bittercoder/ (Thank you for help and great
work)

I created OpenSocialCertificates.cs that has the content of the certificate
pub.1199819524.-1556113204990931254.cer


*****OpenSocialCertificates.cs *****
using System.Security.Cryptography.X509Certificates;
using System.Text;

namespace DevDefined.OAuth
{
    public class OpenSocialCertificates
    {
        private const string _orkutCertificate =
@"-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----";

        public static X509Certificate2 OrkutCertificate
        {
            get { return new X509Certificate2(Encoding.ASCII.GetBytes(_orkutCertificate)); }
        }
    }
}


I added another method inside OAuthContextBuilder.cs because the
parameters used for validation are inside the request.Params data
structure


public OAuthContext FromHttpParams(HttpRequest request)
{
    var context = new OAuthContext();

    // Required to create the signature base string
    // HTTP method
    context.RequestMethod = request.HttpMethod;
    // Request URL (scheme + host + path, without the query string)
    context.RawUri = new Uri("http://" + request.Params["SERVER_NAME"] + request.Params["SCRIPT_NAME"]);

    // Request parameters
    context.authParams.Add("opensocial_owner_id", request.Params["opensocial_owner_id"]);
    context.authParams.Add("opensocial_viewer_id", request.Params["opensocial_viewer_id"]);
    context.authParams.Add("opensocial_app_id", request.Params["opensocial_app_id"]);
    context.authParams.Add("opensocial_app_url", request.Params["opensocial_app_url"]);
    context.authParams.Add("xoauth_signature_publickey", request.Params["xoauth_signature_publickey"]);
    context.authParams.Add(Parameters.OAuth_Consumer_Key, request.Params[Parameters.OAuth_Consumer_Key]);
    context.authParams.Add(Parameters.OAuth_Signature_Method, request.Params[Parameters.OAuth_Signature_Method]);
    context.authParams.Add(Parameters.OAuth_Timestamp, request.Params[Parameters.OAuth_Timestamp]);
    context.authParams.Add(Parameters.OAuth_Nonce, request.Params[Parameters.OAuth_Nonce]);

    // Algorithm used for signing
    context.SignatureMethod = request.Params[Parameters.OAuth_Signature_Method];

    // Signature
    context.Signature = request.Params[Parameters.OAuth_Signature];

    return context;
}


Inside OAuthContext.cs I added a name value collection named
authParams

public OAuthContext()
{
...
...
...
...
...
//Akash
authParams = new NameValueCollection();
}

...
...
...
...
...

public NameValueCollection authParams
{
get
{
if (_authParams == null) _authParams = new
NameValueCollection();
return _authParams;
}
set { _authParams = value; }
}

...
...
...
...
...

Following is the code for generating the signature base

public string GenerateSignatureBaseAuthParams()
{
    var allParameters = new List<QueryParameter>();
    allParameters.AddRange(authParams.ToQueryParameters());

    // Returns the signature base string
    return UriUtility.FormatParameters(RequestMethod, new Uri(NormalizedRequestUrl), allParameters);
}


Here is the code for validation

private static string ValidateWithDevDefinedOAuth(HttpRequest req)
{
    string str = "Validated";
    try
    {
        OAuthContext context = new OAuthContextBuilder().FromHttpParams(req);
        var signer = new OAuthContextSigner();
        var signingContext = new SigningContext { Algorithm = DevDefined.OAuth.OpenSocialCertificates.OrkutCertificate.PublicKey.Key };

        if (!signer.ValidateSignatureAuthParams(context, signingContext))
        {
            str += "Validation Failed\n";
            throw new OAuthException(context, OAuthProblems.SignatureInvalid, "check certificate is still valid");
        }
    }
    catch (OAuthException authEx)
    {
        str = authEx.Report.ToString();
    }
    return str;
}

The code I have added is not production-quality code (quite obviously).

Thanks,
-Akash

Jason

Sep 30, 2008, 1:22:41 PM
to Orkut Developer Forum
Are you able to successfully validate requests using this C# routine?
If so, very good work! :) You mention that your code isn't production-
quality, but if you wanted to polish it a bit, we would love to host
it on the opensocial-resources wiki with the PHP and Java
implementations.

- Jason

Akash

Oct 2, 2008, 4:23:44 AM
to Orkut Developer Forum
Hi Jason,
I have successfully validated the requests using this C# routine. I
did some negative testing as well and it is working great. Please go
ahead and post the code.

Thanks,
-Akash