Posted to dev@shindig.apache.org by "Chris Chabot (JIRA)" <ji...@apache.org> on 2008/07/29 20:03:32 UTC

[jira] Commented: (SHINDIG-447) makeRequest - Signed request cannot be verified because of base_string inconsistency

    [ https://issues.apache.org/jira/browse/SHINDIG-447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12617885#action_12617885 ] 

Chris Chabot commented on SHINDIG-447:
--------------------------------------

Hi Karsten,

I was trying to check out your patch but I'm getting a lot of malformed errors.

I don't suppose you could re-create it, preferably diffed against an up-to-date checkout?

Thanks in advance!

> makeRequest - Signed request cannot be verified because of base_string inconsistency
> ------------------------------------------------------------------------------------
>
>                 Key: SHINDIG-447
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-447
>             Project: Shindig
>          Issue Type: Bug
>          Components: Common Components (PHP)
>            Reporter: Karsten Beyer
>         Attachments: fix-issue-447.patch
>
>
> When doing a signed request with makeRequest, the generated signature cannot be verified, because different base_strings are used. 
> I used the method described for Orkut (http://code.google.com/p/opensocial-resources/wiki/OrkutValidatingSignedRequests) to verify the signature on the requested page. When logging the base_string on both sides, I detected that the signOwner and signViewer parameters are used for the base_string, but are not part of the request that the proxy does to the target page: 
> base_string built by Shindig:
> GET&http%3A%2F%2Fopensocialapps.kbsilver%2Flog.php&container%3Dazubister%26oauth_consumer_key%3Dnot%2520implemented%26oauth_nonce%3D68d2fedb1b405f426e0b5d6aa90893bb%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1215874245%26oauth_token%3D%26opensocial_app_id%3D25%26opensocial_owner_id%3DQ3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09%26opensocial_viewer_id%3DQ3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09%26signOwner%3Dtrue%26signViewer%3Dtrue%26synd%3Dazubister%26xoauth_signature_publickey%3Dhttp%253A%252F%252Fshindig.kbsilver%252Fpublic.crt
> base_string built at the requested page:
> GET&http%3A%2F%2Fopensocialapps.kbsilver%2Flog.php&container%3Dazubister%26oauth_consumer_key%3Dnot%2520implemented%26oauth_nonce%3D68d2fedb1b405f426e0b5d6aa90893bb%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1215874245%26oauth_token%3D%26opensocial_app_id%3D25%26opensocial_owner_id%3DQ3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09%26opensocial_viewer_id%3DQ3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09%26synd%3Dazubister%26xoauth_signature_publickey%3Dhttp%253A%252F%252Fshindig.kbsilver%252Fpublic.crt
> Analyzing the $_GET parameters I get at the target leads to the same result. I do not know enough about the OAuth logic in Shindig, but I think either the signOwner and signViewer parameters need to be ignored when building the base_string for the signature or they need to be part of the request to the target page.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
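The mismatch Karsten describes in the quoted issue text can be reproduced with the OAuth 1.0 signature base string algorithm alone. The following is an added example, not Shindig's code and not from either participant in this thread: it rebuilds the two logged base_strings from the parameter values visible in them (the percent-decoded values are taken from the report; the `PROXY_ONLY_PARAMS` set, the `verify` helper and the function names are this example's own assumptions), shows why the target page's reconstruction differs, and shows the first fix option from the report, dropping the parameters that never reach the target before the proxy signs.

```python
"""
Added example (not Shindig's own code): reproduces the base_string mismatch
from SHINDIG-447 using the OAuth 1.0 signature base string construction and
shows the signer-side fix of excluding parameters that are never forwarded.
"""
from urllib.parse import quote

# Assumption from the report: these flags are consumed by the Shindig proxy
# (makeRequest) and were included in the base string but never sent to the target.
PROXY_ONLY_PARAMS = {"signOwner", "signViewer"}


def oauth_escape(value):
    """Percent-encode as OAuth 1.0 requires: only ALPHA, DIGIT, '-', '.', '_', '~' unescaped."""
    return quote(str(value), safe="-._~")


def normalize_params(params):
    """Encode each name and value, sort by name (then value), join as name=value&name=value."""
    pairs = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string(method, url, params):
    """Signature base string: METHOD & escape(url) & escape(normalized parameter string)."""
    return "&".join([method.upper(), oauth_escape(url), oauth_escape(normalize_params(params))])


# Request from the issue report, decoded from the base_string Shindig logged.
URL = "http://opensocialapps.kbsilver/log.php"
SIGNED_PARAMS = {
    "container": "azubister",
    "oauth_consumer_key": "not implemented",
    "oauth_nonce": "68d2fedb1b405f426e0b5d6aa90893bb",
    "oauth_signature_method": "RSA-SHA1",
    "oauth_timestamp": "1215874245",
    "oauth_token": "",
    "opensocial_app_id": "25",
    "opensocial_owner_id": "Q3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09",
    "opensocial_viewer_id": "Q3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09",
    "signOwner": "true",
    "signViewer": "true",
    "synd": "azubister",
    "xoauth_signature_publickey": "http://shindig.kbsilver/public.crt",
}


def signer_base_string():
    """What the unpatched proxy signed: every parameter, signOwner/signViewer included."""
    return base_string("GET", URL, SIGNED_PARAMS)


def params_sent_to_target():
    """What actually reached the target page's $_GET: the proxy-only flags are absent."""
    return {k: v for k, v in SIGNED_PARAMS.items() if k not in PROXY_ONLY_PARAMS}


def verifier_base_string():
    """What the target page rebuilds from the request line and its $_GET."""
    return base_string("GET", URL, params_sent_to_target())


def fixed_signer_base_string():
    """Fix option from the report: sign only the parameters the proxy will forward."""
    forwarded = {k: v for k, v in SIGNED_PARAMS.items() if k not in PROXY_ONLY_PARAMS}
    return base_string("GET", URL, forwarded)


def verify(expected, method, url, received_params):
    """Hypothetical verifier-side check: rebuild the base string from the received request
    and compare it with the one the signer used. In a real verifier the comparison is
    done via the signature over the base string, but the logic is the same."""
    return base_string(method, url, received_params) == expected


if __name__ == "__main__":
    print("signer  :", signer_base_string())
    print("verifier:", verifier_base_string())
    print("match before fix:", verify(signer_base_string(), "GET", URL, params_sent_to_target()))
    print("match after fix :", verify(fixed_signer_base_string(), "GET", URL, params_sent_to_target()))
```

Running the block prints both base_strings exactly as logged in the report: the first comparison is False (the signer's string carries `signOwner%3Dtrue%26signViewer%3Dtrue%26`, the verifier's does not), the second is True. The general lesson for any signed-proxy design is the same: the set of parameters that goes into the base string must be exactly the set the receiver can observe, so either strip locally consumed parameters before signing or forward them unchanged.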