Posted to users@cxf.apache.org by Sergey Beryozkin <sb...@gmail.com> on 2014/02/03 14:32:26 UTC

Re: OAuth 1.0 And Signature With Query Params

Hi

I'm just looking at the code and I'm wondering if the client you are 
referring to in the original email calculates the signature correctly or 
not. Is it RESTConsole?

Basically, the signature string should have the parameters (including 
the URI query parameters) separated from the base URI.

This page shows it quite well:

https://dev.twitter.com/docs/auth/creating-signature

I'm coming to the conclusion the problem is with the 3rd party client code.

Thanks, Sergey


On 31/01/14 18:50, icoleman wrote:
> Hi Sergey,
>
> Thanks for taking the time to respond.
>
> I was able to capture the raw headers as they passed through Fiddler (a
> debugging proxy) and the successful authorization request looks like:
>
>
>
> While the unsuccessful one generated by REST Console:
>
>
>
> I did try to update the content type and accept headers for the failed
> request to read...
>
>
>
> ...but that didn't seem to make any difference either.
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/OAuth-1-0-And-Signature-With-Query-Params-tp5739357p5739361.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: OAuth 1.0 And Signature With Query Params

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Ian
On 03/02/14 14:34, icoleman wrote:
> Hi Sergey,
>
> Interesting... In that case, perhaps the issue is
> OAuthClientUtils.createAuthorizationHeader(consumer, token, httpMethod,
> uri)... That method generates the signature based on a URI which includes
> the query parameters... As an initial workaround I was stripping the query
> params from the URI for the purpose of signature generation. I did this via
> a PhaseInterceptor as follows:
>
> public class OAuthHeaderInterceptor extends AbstractPhaseInterceptor<Message>
> {
>      private KioskOAuthCredentials credentials;
>      public OAuthHeaderInterceptor(final KioskOAuthCredentials credentials)
>      {
>          super(Phase.POST_LOGICAL);
>          this.credentials = credentials;
>      }
>
>      @Override
>      public void handleMessage(Message message) throws Fault
>      {
>          String uri = (String) message.get(Message.ENDPOINT_ADDRESS);
>          // Strip any query params for authentication purposes--otherwise
>          // remote auth fails...
>          if (uri.contains("?"))
>              uri = uri.substring(0, uri.indexOf("?"));
>
>          String httpMethod = (String) message.get(Message.HTTP_REQUEST_METHOD);
>          OAuthClientUtils.Consumer consumer = new OAuthClientUtils.Consumer(
>              credentials.getConsumerKey(), credentials.getConsumerSecret());
>          OAuthClientUtils.Token token = new OAuthClientUtils.Token(
>              credentials.getTokenKey(), credentials.getTokenSecret());
>          String authHeader = OAuthClientUtils.createAuthorizationHeader(
>              consumer, token, httpMethod, uri);
>          Map<String, List<String>> headerMap =
>              (Map<String, List<String>>) message.get(Message.PROTOCOL_HEADERS);
>          headerMap.put("Authorization", Arrays.asList(authHeader));
>      }
> }
>
> That seemed to work as well, but I was worried about non-standard behavior.
> Either way it seems like OAuthClientUtils.createAuthorizationHeader may
> need tweaking since the current behavior is to include the query param
> substring.
>
Why do you think it does? I can see it delegates to the OAuth 1.0 core library, 
which actually strips a query component, if any, from the base URL and 
adds that query as parameters.

Cheers, Sergey

> Best,
>
> Ian
>
>
> On Mon, Feb 3, 2014 at 8:33 AM, Sergey Beryozkin [via CXF] <
> ml-node+s547215n5739390h67@n5.nabble.com> wrote:
>
>> Hi
>>
>> I'm just looking at the code and I'm wondering if the client you are
>> referring to in the original email calculates the signature correctly or
>> not. Is it RESTConsole?
>>
>> Basically, the signature string should have the parameters (including
>> the URI query parameters) separated from the base URI.
>>
>> This page shows it quite well:
>>
>> https://dev.twitter.com/docs/auth/creating-signature
>>
>> I'm coming to the conclusion the problem is with the 3rd party client code.
>>
>> Thanks, Sergey
>>
>>
>> On 31/01/14 18:50, icoleman wrote:
>>
>>> Hi Sergey,
>>>
>>> Thanks for taking the time to respond.
>>>
>>> I was able to capture the raw headers as they passed through Fiddler (a
>>> debugging proxy) and the successful authorization request looks like:
>>>
>>>
>>>
>>> While the unsuccessful one generated by REST Console:
>>>
>>>
>>>
>>> I did try to update the content type and accept headers for the failed
>>> request to read...
>>>
>>>
>>>
>>> ...but that didn't seem to make any difference either.
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Sergey Beryozkin
>>
>> Talend Community Coders
>> http://coders.talend.com/
>>
>> Blog: http://sberyozkin.blogspot.com
>>
>>
>>
>
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/OAuth-1-0-And-Signature-With-Query-Params-tp5739357p5739396.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: OAuth 1.0 And Signature With Query Params

Posted by icoleman <ib...@gmail.com>.
Hi Sergey,

Interesting... In that case, perhaps the issue is
OAuthClientUtils.createAuthorizationHeader(consumer, token, httpMethod,
uri)... That method generates the signature based on a URI which includes
the query parameters... As an initial workaround I was stripping the query
params from the URI for the purpose of signature generation. I did this via
a PhaseInterceptor as follows:

import java.util.Arrays;
import java.util.List;
import java.util.Map;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.rs.security.oauth.client.OAuthClientUtils;

public class OAuthHeaderInterceptor extends AbstractPhaseInterceptor<Message>
{
    private final KioskOAuthCredentials credentials;

    public OAuthHeaderInterceptor(final KioskOAuthCredentials credentials)
    {
        // Runs after the logical phase, once the endpoint address and HTTP method are set
        super(Phase.POST_LOGICAL);
        this.credentials = credentials;
    }

    @Override
    public void handleMessage(Message message) throws Fault
    {
        String uri = (String) message.get(Message.ENDPOINT_ADDRESS);
        // Strip any query params for authentication purposes--otherwise
        // remote auth fails...
        if (uri.contains("?"))
            uri = uri.substring(0, uri.indexOf("?"));

        String httpMethod = (String) message.get(Message.HTTP_REQUEST_METHOD);
        OAuthClientUtils.Consumer consumer = new OAuthClientUtils.Consumer(
            credentials.getConsumerKey(), credentials.getConsumerSecret());
        OAuthClientUtils.Token token = new OAuthClientUtils.Token(
            credentials.getTokenKey(), credentials.getTokenSecret());
        // Signature is computed over the (query-less) URI and the OAuth parameters
        String authHeader = OAuthClientUtils.createAuthorizationHeader(
            consumer, token, httpMethod, uri);
        @SuppressWarnings("unchecked")
        Map<String, List<String>> headerMap =
            (Map<String, List<String>>) message.get(Message.PROTOCOL_HEADERS);
        headerMap.put("Authorization", Arrays.asList(authHeader));
    }
}

That seemed to work as well, but I was worried about non-standard behavior.
Either way it seems like OAuthClientUtils.createAuthorizationHeader may
need tweaking since the current behavior is to include the query param
substring.

Best,

Ian


On Mon, Feb 3, 2014 at 8:33 AM, Sergey Beryozkin [via CXF] <
ml-node+s547215n5739390h67@n5.nabble.com> wrote:

> Hi
>
> I'm just looking at the code and I'm wondering if the client you are
> referring to in the original email calculates the signature correctly or
> not. Is it RESTConsole?
>
> Basically, the signature string should have the parameters (including
> the URI query parameters) separated from the base URI.
>
> This page shows it quite well:
>
> https://dev.twitter.com/docs/auth/creating-signature
>
> I'm coming to the conclusion the problem is with the 3rd party client code.
>
> Thanks, Sergey
>
>
> On 31/01/14 18:50, icoleman wrote:
>
> > Hi Sergey,
> >
> > Thanks for taking the time to respond.
> >
> > I was able to capture the raw headers as they passed through Fiddler (a
> > debugging proxy) and the successful authorization request looks like:
> >
> >
> >
> > While the unsuccessful one generated by REST Console:
> >
> >
> >
> > I did try to update the content type and accept headers for the failed
> > request to read...
> >
> >
> >
> > ...but that didn't seem to make any difference either.
> >
> >
> >
> >
>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
>
>
>




--
View this message in context: http://cxf.547215.n5.nabble.com/OAuth-1-0-And-Signature-With-Query-Params-tp5739357p5739396.html
Sent from the cxf-user mailing list archive at Nabble.com.