You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Jordi Torrente (JIRA)" <ji...@apache.org> on 2012/05/02 15:26:56 UTC

[jira] [Updated] (CXF-4283) OAuth 2-leg getAccessToken Error

     [ https://issues.apache.org/jira/browse/CXF-4283?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jordi Torrente updated CXF-4283:
--------------------------------

    Description: 
After the preauthorized request token has been obtained, if we request the access token using org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken() providing a null value for verifier, the following error occurs:

org.apache.cxf.rs.security.oauth.provider.OAuthServiceException: Status : 401
Headers : 
WWW-Authenticate : OAuth realm="null", oauth_problem="verifier_invalid"
Date : Wed, 02 May 2012 13:07:58 GMT
Content-Length : 16
Content-Type : application/x-www-form-urlencoded
Server : Apache-Coyote/1.1

	at org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getToken(OAuthClientUtils.java:191)
	at org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken(OAuthClientUtils.java:112)
	
 
As you can see, the request OAuth header sent includes an empty oauth_verifier parameter:

Authorization=[OAuth oauth_signature_method="HMAC-SHA1", oauth_consumer_key="9ab45d4a483b10719b72c73fff513342aa814a9", oauth_token="afb0c0d63d948872aa4cfa07b75f6788e4a2a98", oauth_verifier="", oauth_timestamp="1335964079", oauth_nonce="1335964079434845000", oauth_version="1.0", oauth_signature="4drUvMJ4pJm25QJkKIb6bSwKnio%3D"]

So, when processing the message at server side (inside AccessTokenHandler class) a non-null verifier parameter is obtained and its validation always fails:

String oauthVerifier = oAuthMessage.getParameter(OAuth.OAUTH_VERIFIER);
if (oauthVerifier == null) {
    if (requestToken.getSubject() != null && requestToken.isPreAuthorized()) {
        LOG.fine("Preauthorized request token");
    } else {
        throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
    }
} else if (!oauthVerifier.equals(requestToken.getVerifier())) {
    throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
}

I suppose changing org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken() from:

Map<String, String> parameters = new HashMap<String, String>();
parameters.put(OAuth.OAUTH_CONSUMER_KEY, consumer.getKey());
parameters.put(OAuth.OAUTH_TOKEN, requestToken.getToken());
parameters.put(OAuth.OAUTH_VERIFIER, verifier);
parameters.put(OAuth.OAUTH_SIGNATURE_METHOD, "HMAC-SHA1");

to

Map<String, String> parameters = new HashMap<String, String>();
parameters.put(OAuth.OAUTH_CONSUMER_KEY, consumer.getKey());
parameters.put(OAuth.OAUTH_TOKEN, requestToken.getToken());
if (null!=verifier) parameters.put(OAuth.OAUTH_VERIFIER, verifier);
parameters.put(OAuth.OAUTH_SIGNATURE_METHOD, "HMAC-SHA1");

would solve the problem because the oauth_verifier parameter wouldn't be sent

  was:
After the preauthorized request token has been obtained, if we request the access token using org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken() providing a null value for verifier, the following error occurs:

org.apache.cxf.rs.security.oauth.provider.OAuthServiceException: Status : 401
Headers : 
WWW-Authenticate : OAuth realm="null", oauth_problem="verifier_invalid"
Date : Wed, 02 May 2012 13:07:58 GMT
Content-Length : 16
Content-Type : application/x-www-form-urlencoded
Server : Apache-Coyote/1.1

	at org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getToken(OAuthClientUtils.java:191)
	at org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken(OAuthClientUtils.java:112)
	
 
As you can see, the request OAuth header sent includes an empty oauth_verifier parameter:
Authorization=[OAuth oauth_signature_method="HMAC-SHA1", oauth_consumer_key="9ab45d4a483b10719b72c73fff513342aa814a9", oauth_token="afb0c0d63d948872aa4cfa07b75f6788e4a2a98", oauth_verifier="", oauth_timestamp="1335964079", oauth_nonce="1335964079434845000", oauth_version="1.0", oauth_signature="4drUvMJ4pJm25QJkKIb6bSwKnio%3D"]

So, when processing the message at server side (inside AccessTokenHandler class) a non-null verifier parameter is obtained and its validation always fails:

String oauthVerifier = oAuthMessage.getParameter(OAuth.OAUTH_VERIFIER);
if (oauthVerifier == null) {
    if (requestToken.getSubject() != null && requestToken.isPreAuthorized()) {
        LOG.fine("Preauthorized request token");
    } else {
        throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
    }
} else if (!oauthVerifier.equals(requestToken.getVerifier())) {
    throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
}

I suppose changing org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken() from:

Map<String, String> parameters = new HashMap<String, String>();
parameters.put(OAuth.OAUTH_CONSUMER_KEY, consumer.getKey());
parameters.put(OAuth.OAUTH_TOKEN, requestToken.getToken());
parameters.put(OAuth.OAUTH_VERIFIER, verifier);
parameters.put(OAuth.OAUTH_SIGNATURE_METHOD, "HMAC-SHA1");

to

Map<String, String> parameters = new HashMap<String, String>();
parameters.put(OAuth.OAUTH_CONSUMER_KEY, consumer.getKey());
parameters.put(OAuth.OAUTH_TOKEN, requestToken.getToken());
if (null!=verifier) parameters.put(OAuth.OAUTH_VERIFIER, verifier);
parameters.put(OAuth.OAUTH_SIGNATURE_METHOD, "HMAC-SHA1");

would solve the problem because the oauth_verifier parameter wouldn't be sent

    
> OAuth 2-leg getAccessToken Error 
> ---------------------------------
>
>                 Key: CXF-4283
>                 URL: https://issues.apache.org/jira/browse/CXF-4283
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.6
>            Reporter: Jordi Torrente
>              Labels: oauth
>
> After the preauthorized request token has been obtained, if we request the access token using org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken() providing a null value for verifier, the following error occurs:
> org.apache.cxf.rs.security.oauth.provider.OAuthServiceException: Status : 401
> Headers : 
> WWW-Authenticate : OAuth realm="null", oauth_problem="verifier_invalid"
> Date : Wed, 02 May 2012 13:07:58 GMT
> Content-Length : 16
> Content-Type : application/x-www-form-urlencoded
> Server : Apache-Coyote/1.1
> 	at org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getToken(OAuthClientUtils.java:191)
> 	at org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken(OAuthClientUtils.java:112)
> 	
>  
> As you can see, the request OAuth header sent includes an empty oauth_verifier parameter:
> Authorization=[OAuth oauth_signature_method="HMAC-SHA1", oauth_consumer_key="9ab45d4a483b10719b72c73fff513342aa814a9", oauth_token="afb0c0d63d948872aa4cfa07b75f6788e4a2a98", oauth_verifier="", oauth_timestamp="1335964079", oauth_nonce="1335964079434845000", oauth_version="1.0", oauth_signature="4drUvMJ4pJm25QJkKIb6bSwKnio%3D"]
> So, when processing the message at server side (inside AccessTokenHandler class) a non-null verifier parameter is obtained and its validation always fails:
> String oauthVerifier = oAuthMessage.getParameter(OAuth.OAUTH_VERIFIER);
> if (oauthVerifier == null) {
>     if (requestToken.getSubject() != null && requestToken.isPreAuthorized()) {
>         LOG.fine("Preauthorized request token");
>     } else {
>         throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
>     }
> } else if (!oauthVerifier.equals(requestToken.getVerifier())) {
>     throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
> }
> I suppose changing org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken() from:
> Map<String, String> parameters = new HashMap<String, String>();
> parameters.put(OAuth.OAUTH_CONSUMER_KEY, consumer.getKey());
> parameters.put(OAuth.OAUTH_TOKEN, requestToken.getToken());
> parameters.put(OAuth.OAUTH_VERIFIER, verifier);
> parameters.put(OAuth.OAUTH_SIGNATURE_METHOD, "HMAC-SHA1");
> to
> Map<String, String> parameters = new HashMap<String, String>();
> parameters.put(OAuth.OAUTH_CONSUMER_KEY, consumer.getKey());
> parameters.put(OAuth.OAUTH_TOKEN, requestToken.getToken());
> if (null!=verifier) parameters.put(OAuth.OAUTH_VERIFIER, verifier);
> parameters.put(OAuth.OAUTH_SIGNATURE_METHOD, "HMAC-SHA1");
> would solve the problem because the oauth_verifier parameter wouldn't be sent

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira