SpringPad Authorization and Callback issue...

TP

Dec 13, 2011, 11:55:39 PM
to Springpad Developers
I'm working on a C# mobile (Silverlight) app and facing an issue with
the Authorization process. It takes me to the mobile sign-in page –
but displays a blank page once signed in. Maybe that's not the OAuth
authorization page at all? It does not redirect me to the Authorize
page ("Grant-Access") or Callback Url - as stated below (per the
docs)...

I did send an HTTP GET request to http://springpadit.com/developers/oauth/register-app
- signed with my consumer key and consumer secret - to register my app
(per docs again).
And my Callback Url is also valid...

Any inputs/leads are appreciated.


From the Docs:
-------------
Step 2: Redirect the user to Springpad's access page
With the request token, now redirect the user to Springpad where they
will be asked to grant your application access. In the following code
sample, we create the URL to direct the user to.

url = "http://springpadit.com/api/oauth-authorize?%s" % request_token
# produces:
http://springpadit.com/api/oauth-authorize?oauth_token_secret=0e71505050ab9c685b7b85aa37cb95cd&oauth_token=d51e15710bfee0a680cf06325b8fcb27

Pete Aykroyd

Dec 14, 2011, 9:49:30 AM
to spring...@googlegroups.com
There is an issue with the redirect to the mobile sign-in page. Because of that and some other hassles that people are having with using OAuth, we are saying that it's OK to use the header username/password auth via HTTPS. An example request would be like:

 curl -XGET \
      -H "X-Spring-Username: username" \
      -H "X-Spring-Password: password" \
      -H "X-Spring-Api-Token: yourConsumerToken" \
      -H "X-Spring-Client-Version: 1.0.0" \
      -H "X-Spring-Client: yourAppName" \
      -H "Content-Type: application/json; charset=UTF-8" \
      -H "Referer: http://your.app.com" \
      https://springpadit.com/api/users/me/blocks

Let me know if you have any questions.

Cheers,

Pete

TP

Dec 14, 2011, 11:41:46 AM
to Springpad Developers
You mean it's OK to use basic-authentication in a production-ready app?

Pete Aykroyd

Dec 14, 2011, 12:24:58 PM
to spring...@googlegroups.com
Right. The major reasons for using OAuth1 were to

1. encrypt the packet so that service couldn't be compromised (and protect against replay attacks, etc)
2. prevent a third-party app (in this case you) from seeing the user's password

By using HTTPS we cover the first requirement. As to the second, the process of going out to a browser from inside an application for the user to authenticate is pretty wonky, even user hostile. There are many services that do not require this and are therefore easily integrated with (e.g., instapaper, gowalla). OAuth 2 is potentially the answer to this and we may go that way in the future.

In the meantime, we do still support OAuth 1. I can let you know when we've had a chance to check on the bug that you're reporting with the redirect.

Pete

Joshua

Apr 17, 2012, 4:28:19 PM
to spring...@googlegroups.com
Has the OAuth authorization process changed recently? I'm testing some code and my request to http://springpadit.com/api/oauth-authorize with a request token is returning a 302 and I eventually end up getting sent to http://springpad.com/.

Thanks,
Josh

Pete Aykroyd

Apr 17, 2012, 4:51:07 PM
to spring...@googlegroups.com
Hey Josh,

We switched our URL to springpad.com finally and OAuth doesn't handle the 302. The easiest thing to do is to change your URLs to all be springpad.com instead of springpadit.com. That will fix the problem. If you can't do that, let me know.

Pete
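
Added example, not part of the original thread and not Springpad's code: a minimal OAuth 1.0 HMAC-SHA1 signer (RFC 5849) showing why a signature computed for springpadit.com stops verifying once a 302 delivers the request to springpad.com. The keys, token, nonce and the path on the new host are constructed sample values, and the server-side check is an assumption about how a conforming provider verifies.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlsplit

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay literal
    return quote(s, safe="-._~")

def base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & base-string-URI & normalized parameters.
    # Any query parameters must be passed in params (sample URLs have none).
    u = urlsplit(url)
    host = u.hostname.lower()
    if u.port and u.port != {"http": 80, "https": 443}[u.scheme]:
        host += ":%d" % u.port
    base_uri = "%s://%s%s" % (u.scheme, host, u.path or "/")
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret=""):
    # Server side: recompute from the URL the request actually arrived on
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values, not real credentials
PARAMS = {
    "oauth_consumer_key": "example-consumer-key", "oauth_token": "example-token",
    "oauth_nonce": "n-0001", "oauth_timestamp": "1334694499",
    "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
}
OLD = "https://springpadit.com/api/users/me/blocks"
NEW = "https://springpad.com/api/users/me/blocks"  # assumed path on the new host
SECRET, TOKEN_SECRET = "example-consumer-secret", "example-token-secret"

def demo():
    sig = sign("GET", OLD, PARAMS, SECRET, TOKEN_SECRET)
    resigned = sign("GET", NEW, PARAMS, SECRET, TOKEN_SECRET)
    return {
        "same_host": verify("GET", OLD, PARAMS, sig, SECRET, TOKEN_SECRET),
        "after_302": verify("GET", NEW, PARAMS, sig, SECRET, TOKEN_SECRET),
        "re_signed": verify("GET", NEW, PARAMS, resigned, SECRET, TOKEN_SECRET),
    }

if __name__ == "__main__":
    print(demo())
```

Because the host is part of the signed base string, following the redirect with the old signature fails, while signing against the new host from the start verifies.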

Joshua Spaulding

Apr 17, 2012, 5:55:17 PM
to spring...@googlegroups.com
Thanks Pete. That worked.

LinasJ

Sep 14, 2013, 12:37:44 AM
to spring...@googlegroups.com
The documentation that's published here still references springpadit.com in the URL for oauth-authorize:
https://springpad.com/developers/docs/api

The documentation should be updated.