Posted to dev@shindig.apache.org by Gonzalo Aune <go...@gmail.com> on 2008/07/08 18:00:43 UTC
Re: oauth + partuza
In the example, it mentions to use:
params[gadgets.io.RequestParameters.AUTHORIZATION] =
gadgets.io.AuthorizationType.SIGNED;
but this was changed to
params[gadgets.io.RequestParameters.AUTHORIZATION] =
gadgets.io.AuthorizationType.OAUTH;
Change it and tell me if it works. I'll be testing it in my environment
too, but please let me know if changing that works.
G.-
On Tue, Jul 8, 2008 at 7:57 AM, Bartolome serapio <ba...@gmail.com> wrote:
> Hi.
> I'm using the following example from orkut.
> http://code.google.com/p/opensocial-resources/wiki/OrkutValidatingSig...
>
> //My php code that processes the request is:
>
> require_once("classes/CertFileAccessor.php");
> $payload = array();
> $auth_ok = false; // stays false when no certificate is found
> $cert_accessor = new CertFileAccessor('/var/www/certs', '');
> // Look up the certificate named by the request in the local certificate directory
> $cert = $cert_accessor->getPublicKey($_REQUEST['xoauth_signature_publickey']);
>
> if ($cert != null) {
>     // $url is not defined anywhere in the posted snippet
>     $req = new OAuthRequest($_SERVER["REQUEST_METHOD"], $url,
>         array_merge($_GET, $_POST));
>     // Signature base string: method & URL & parameters, each percent-encoded
>     $sig = array(
>         OAuthUtil::urlencodeRFC3986($req->get_normalized_http_method()),
>         OAuthUtil::urlencodeRFC3986($req->get_normalized_http_url()),
>         OAuthUtil::urlencodeRFC3986($req->get_signable_parameters()),
>     );
>     $raw = implode("&", $sig);
>     $signature = base64_decode($_GET["oauth_signature"]);
>     $publickeyid = openssl_get_publickey($cert);
>     // openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error)
>     $auth_ok = (openssl_verify($raw, $signature, $publickeyid) === 1);
>     openssl_free_key($publickeyid);
> } else {
>     $payload['cert'] = 'missing';
> }
>
> if ($auth_ok == true) {
>     $payload["validated"] = "Success! The data was validated";
> } else {
>     $payload["validated"] = "This request was spoofed";
> }
>
> $payload["query"] = array_merge($_GET, $_POST);
> $payload["rawpost"] = file_get_contents("php://input");
>
> //Return the response as JSON
> print(json_encode($payload));
>
> http://blog.springenwerk.com/2008/04/poor-man-php-key-cache-for-orkut...
> ( Class CertFileAccessor.php)
> This is the application response (in a beauty mode :) )
> oauth_consumer_key: default
> oauth_nonce: 8b7398e76ed1f712a42e00663831d451
> oauth_signature: e/dXiMeDw9eaSWbPAQlKpxk3xkHH9VPEbYObFgyCI4KK7jTkNKS0XNihrzkanKZtNylK6ma+7A5seIbLKkocd3ci6+gKNnK6lXBSS2bWyTSedy5p7rSOUGXpVsSMM9pAvlty54HUxCjB63QPSWkLu1qV5ROxMgiq8kqUzBWAp2c=
> oauth_signature_method: RSA-SHA1
> oauth_timestamp: 1215172597
> oauth_token:
> opensocial_appid:
> opensocial_ownerid:
> xoauth_signature_publickey: http://shindig/public.crt
>
> throw 1; < don't be evil' >{"http:\/\/new2.ligamessenger.local\/profile.php":{"body":"\n{\"validated\":\"This request was spoofed\",\"query\":{\"oauth_nonce\":\"8b7398e76ed1f712a42e00663831d451\",\"oauth_timestamp\":\"1215172597\",\"oauth_consumer_key\":\"default\",\"synd\":\"partuza\",\"container\":\"partuza\",\"opensocial_owner_id\":\"4\",\"opensocial_viewer_id\":\"4\",\"opensocial_app_id\":\"22\",\"oauth_token\":\"\",\"xoauth_signature_publickey\":\"http:\\\/\\\/shindig\\\/public.crt\",\"oauth_signature_method\":\"RSA-SHA1\",\"oauth_signature\":\"e\\\/dXiMeDw9eaSWbPAQlKpxk3xkHH9VPEbYObFgyCI4KK7jTkNKS0XNihrzkanKZtNylK6ma+7A5seIbLKkocd3ci6+gKNnK6lXBSS2bWyTSedy5p7rSOUGXpVsSMM9pAvlty54HUxCjB63QPSWkLu1qV5ROxMgiq8kqUzBWAp2c=\"},\"rawpost\":\"\"}","rc":200}}
>
>
> Always obtain the same result
> Could you help me?
> svn version of Shindig : Updated to revision 674024.
> svn version of partuza: Updated to revision 82
>
>
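
A hardened form of the signature check in the quoted PHP, as an added example that is not part of the thread and not Shindig or Partuza code: it rebuilds the OAuth 1.0 signature base string, selects the public key only from a locally pinned map, and compares the openssl_verify() result strictly with 1. The function names, the pinned-key map, the clock-skew window and the demo key pair are assumptions; nonce replay tracking is left out.

```php
<?php
// Added example; the key pair and request values below are constructed.

// OAuth 1.0 signature base string: METHOD & URL & sorted, encoded parameters.
function base_string(string $method, string $url, array $params): string {
    unset($params['oauth_signature']);              // never part of the signed text
    $enc = [];
    foreach ($params as $k => $v) {
        $enc[rawurlencode((string)$k)] = rawurlencode((string)$v);
    }
    ksort($enc, SORT_STRING);                       // byte order on encoded names
    $pairs = [];
    foreach ($enc as $k => $v) { $pairs[] = "$k=$v"; }
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}

// $pinned maps a key name to a PEM public key stored on this server. The
// request only selects among pinned keys; it never supplies key material.
function verify_signed_request(string $method, string $url, array $params,
                               array $pinned, int $now, int $skew = 300): bool {
    $name = (string)($params['xoauth_signature_publickey'] ?? '');
    if (!isset($pinned[$name])) return false;
    if (($params['oauth_signature_method'] ?? '') !== 'RSA-SHA1') return false;
    if (abs($now - (int)($params['oauth_timestamp'] ?? 0)) > $skew) return false;
    $sig = base64_decode((string)($params['oauth_signature'] ?? ''), true);
    if ($sig === false || $sig === '') return false;
    // openssl_verify() yields 1 (valid), 0 (invalid) or -1/false (error).
    // A loose "== true" treats -1 as success, so compare strictly with 1.
    $rc = openssl_verify(base_string($method, $url, $params), $sig, $pinned[$name], OPENSSL_ALGO_SHA1);
    return $rc === 1;
}

// Demo: a throwaway key plays the container's signing key.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pinned = ['http://shindig/public.crt' => openssl_pkey_get_details($key)['key']];
$url = 'http://new2.ligamessenger.local/profile.php';
$params = [
    'oauth_consumer_key' => 'default',
    'oauth_nonce' => 'constructed-nonce',
    'oauth_signature_method' => 'RSA-SHA1',
    'oauth_timestamp' => (string)time(),
    'opensocial_owner_id' => '4',
    'xoauth_signature_publickey' => 'http://shindig/public.crt',
];
openssl_sign(base_string('GET', $url, $params), $raw, $key, OPENSSL_ALGO_SHA1);
$params['oauth_signature'] = base64_encode($raw);

$checks = [
    'genuine request'   => verify_signed_request('GET', $url, $params, $pinned, time()),
    'owner id altered'  => verify_signed_request('GET', $url, ['opensocial_owner_id' => '5'] + $params, $pinned, time()),
    'different URL'     => verify_signed_request('GET', $url . '/x', $params, $pinned, time()),
    'unpinned key name' => verify_signed_request('GET', $url, ['xoauth_signature_publickey' => 'http://other/key.crt'] + $params, $pinned, time()),
];
var_dump($checks);
```

Only the first entry verifies; the URL case shows that the verifier must rebuild the base string from exactly the URL the container signed.
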
Re: oauth + partuza
Posted by Gonzalo Aune <go...@gmail.com>.
I tested with the Java version and it seems that doesn't work either, so I guess
the example at some point is wrong. Has anyone tested it with success?
G.-
On Tue, Jul 8, 2008 at 2:37 PM, Gonzalo Aune <go...@gmail.com> wrote:
> My mistake, the type was fine, OAUTH replaces AUTHORIZATION, so it's fine
> with SIGNED, let me fully check the example and I'll let you know.
>
> G.-
Re: oauth + partuza
Posted by Gonzalo Aune <go...@gmail.com>.
My mistake, the type was fine, OAUTH replaces AUTHORIZATION, so it's fine
with SIGNED, let me fully check the example and I'll let you know.
G.-
On Tue, Jul 8, 2008 at 2:05 PM, Bartolome Serapio <ba...@gmail.com> wrote:
> Thanks for your answer Gonzalo. I made these tests with bad results
>
> a) Change SIGNED to OAUTH in the request
> b) add <Require feature="oauth"/>
> c) change <Require feature="opensocial-0.7"/> to <Require feature="opensocial-0.8"/>
>
> throw 1; < don't be evil' >{"http:\/\/new2.ligamessenger.local\/profile.php?nocache=1215536231101":{"oauthError":"BAD_OAUTH_CONFIGURATION","oauthErrorText":"gadget spec is missing \/ModulePrefs\/OAuth section\n\n"}}
>
> Well I tested on shindig directly change my local.php and from partuza
Re: oauth + partuza
Posted by Bartolome Serapio <ba...@gmail.com>.
Thanks for your answer Gonzalo. I made these tests with bad results
a) Change SIGNED to OAUTH in the request
b) add <Require feature="oauth"/>
c) change <Require feature="opensocial-0.7"/> to <Require feature="opensocial-0.8"/>
throw 1; < don't be evil' >{"http:\/\/new2.ligamessenger.local\/profile.php?nocache=1215536231101":{"oauthError":"BAD_OAUTH_CONFIGURATION","oauthErrorText":"gadget spec is missing \/ModulePrefs\/OAuth section\n\n"}}
Well I tested on shindig directly change my local.php and from partuza
On Tue, Jul 8, 2008 at 6:00 PM, Gonzalo Aune <go...@gmail.com> wrote:
> In the example, it mentions to use:
>
> params[gadgets.io.RequestParameters.AUTHORIZATION] =
> gadgets.io.AuthorizationType.SIGNED;
>
> but this was changed to
>
> params[gadgets.io.RequestParameters.AUTHORIZATION] =
> gadgets.io.AuthorizationType.OAUTH;
>
> Change it and tell me if it works. I'll be testing it in my environment
> too, but please let me know if changing that works.
>
> G.-