Posted to dev@shindig.apache.org by Loic Dachary <lo...@dachary.org> on 2009/07/06 15:24:10 UTC

OAuth.php backward compatibility

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I've hit a problem that I managed to solve but kept me thinking. I
copied http://graargh.returnstrue.com/buh/OAuth.php.txt and tried to
modify http://graargh.returnstrue.com/buh/fetchme.php.txt so that it
works with http://shindig.opensocial.dachary.org/. After some
debugging I realized that the OAuth.php version embedded in shindig
was different. It had a different algorithm to implement the function
public function get_signable_parameters() sorting the arguments using
uksort($params, 'strnatcmp'); instead of ksort, leading to different
results, hence a different base string for signatures. I've upgraded
my OAuth.php version and this problem is fixed.

Is there a central place where I can read a list of such backward
incompatibilities? Or is this an anomaly that is explained because
someone tampered with OAuth.php as found at
http://graargh.returnstrue.com/buh/OAuth.php.txt?

Cheers
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpR+voACgkQ8dLMyEl6F20f/gCeM4LhcYmoky8Xbq+7eu6kKEcZ
wzUAn2V7LHyA+mt2Kz1HraRZlEzOVQW6
=sBbf
-----END PGP SIGNATURE-----


Re: OAuth.php backward compatibility

Posted by Loic Dachary <lo...@dachary.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Chabot wrote:
> I'm not too familiar with
> http://graargh.returnstrue.com/buh/fetchme.php.txt but I've got the
> suspicion that might be quite old code, when I compare the
> get_signable_parameters() functions in the OAuth file we use all
> over the place in php shindig / partuza / php opensocial client lib
> and http://graargh.returnstrue.com/buh/OAuth.php.txt Well as you
> said, they really don't do the same thing. So I'm presuming that's
> either an alternative implementation, or just very out of date.
>
> Luckily we do refer to the right OAuth lib in
> http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests
> (which is a much more reliable source of information).
>
> The only major change that's happened in how we use OAuth in
> OpenSocial that I'm aware of is that we've added a body signature
> to the requests to the RPC/REST interface, see
> http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/4/spec.html
> for details on that (but the opensocial client libraries already all
> support this, so normally you don't have to do any work for this to
> just-work)

Thanks for this reassuring message ;-)

Cheers
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpSKFIACgkQ8dLMyEl6F21JiQCfR3rT9FaaD/h5VFgtOeqELuZE
OPgAoLxH5QqRWJdme5hBYGuiWhtlvQvF
=AUBL
-----END PGP SIGNATURE-----


Re: OAuth.php backward compatibility

Posted by Chris Chabot <ch...@google.com>.
I'm not too familiar with http://graargh.returnstrue.com/buh/fetchme.php.txt
but I've got the suspicion that might be quite old code, when I compare the
get_signable_parameters() functions in the OAuth file we use all over the
place in php shindig / partuza / php opensocial client lib and
http://graargh.returnstrue.com/buh/OAuth.php.txt Well as you said, they
really don't do the same thing. So I'm presuming that's either an
alternative implementation, or just very out of date.

Luckily we do refer to the right OAuth lib in
http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests (which
is a much more reliable source of information).

The only major change that's happened in how we use OAuth in OpenSocial that
I'm aware of is that we've added a body signature to the requests to the
RPC/REST interface, see
http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/4/spec.html
for details on that (but the opensocial client libraries already all support
this, so normally you don't have to do any work for this to just-work)

   -- Chris


On Mon, Jul 6, 2009 at 3:24 PM, Loic Dachary <lo...@dachary.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I've hit a problem that I managed to solve but kept me thinking. I
> copied http://graargh.returnstrue.com/buh/OAuth.php.txt and tried to
> modify http://graargh.returnstrue.com/buh/fetchme.php.txt so that it
> works with http://shindig.opensocial.dachary.org/. After some
> debugging I realized that the OAuth.php version embedded in shindig
> was different. It had a different algorithm to implement the function
> public function get_signable_parameters() sorting the arguments using
> uksort($params, 'strnatcmp'); instead of ksort, leading to different
> results, hence a different base string for signatures. I've upgraded
> my OAuth.php version and this problem is fixed.
>
> Is there a central place where I can read a list of such backward
> incompatibilities? Or is this an anomaly that is explained because
> someone tampered with OAuth.php as found at
> http://graargh.returnstrue.com/buh/OAuth.php.txt?
>
> Cheers
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkpR+voACgkQ8dLMyEl6F20f/gCeM4LhcYmoky8Xbq+7eu6kKEcZ
> wzUAn2V7LHyA+mt2Kz1HraRZlEzOVQW6
> =sBbf
> -----END PGP SIGNATURE-----
>
>
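Editor's added example, illustrating both the sort-order mismatch in Loic's first message and the oauth_body_hash extension Chris mentions. This is not code from the thread, from Shindig, Partuza or OAuth.php; it is a Python rendering (the verifier runs Python, the project itself is PHP) of OAuth 1.0 base-string construction and HMAC-SHA1 signing as the spec (sections 9.1 and 9.2) defines them. The spec requires parameters to be sorted by encoded name, then encoded value, in plain byte order; `natural_key` imitates a natural-order compare such as PHP's strnatcmp so you can see the two orders diverge on names that differ only in embedded numbers, which is exactly the symptom described (same request, different base string, signature mismatch). The request values are the known-answer vector from OAuth Core 1.0 Appendix A; the "item10"/"item2" parameter set is constructed for the demonstration.

```python
# Added example (editor's code, not from the thread, Shindig or OAuth.php):
# OAuth 1.0 signature base string, HMAC-SHA1 signature and oauth_body_hash,
# plus a natural-order sort to show why ksort vs strnatcmp breaks signatures.
import base64
import hashlib
import hmac
import re
from urllib.parse import quote


def oauth_encode(value) -> str:
    """Percent-encode per OAuth 1.0 section 5.1: only A-Z a-z 0-9 - . _ ~ stay raw."""
    return quote(str(value), safe="-._~")


def natural_key(pair):
    """Sort key imitating a natural-order compare like PHP's strnatcmp:
    digit runs inside the name compare numerically, so "p2" sorts before "p10".
    Assumption: this is a model of strnatcmp, not a port of it."""
    name, value = pair
    parts = [int(tok) if tok.isdigit() else tok for tok in re.split(r"(\d+)", name)]
    return (parts, value)


def normalize_params(params, sort_key=None) -> str:
    """OAuth 1.0 section 9.1.1: encode names and values, drop oauth_signature,
    sort by (encoded name, encoded value) in byte order (sort_key=None),
    then join as name=value pairs with '&'."""
    encoded = [(oauth_encode(k), oauth_encode(v)) for k, v in params if k != "oauth_signature"]
    encoded.sort(key=sort_key)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, params, sort_key=None) -> str:
    """OAuth 1.0 section 9.1.3: METHOD & encode(url) & encode(normalized params)."""
    return "&".join([method.upper(), oauth_encode(url),
                     oauth_encode(normalize_params(params, sort_key))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret="") -> str:
    """OAuth 1.0 section 9.2: key is encode(consumer_secret) & encode(token_secret)."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash(body: bytes) -> str:
    """oauth_body_hash (OAuth Request Body Hash extension): base64 of the digest
    of the raw body, using the signature method's hash (SHA-1 for HMAC-SHA1).
    It is sent and signed as an ordinary parameter so the base string covers
    a non-form-encoded body (e.g. JSON to the RPC/REST interface)."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


def verify_signature(received, base_string, consumer_secret, token_secret="") -> bool:
    """Server side: recompute and compare in constant time."""
    expected = hmac_sha1_signature(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(expected, received)


# Known-answer vector from OAuth Core 1.0 Appendix A (consumer secret
# kd94hf93k423kf44, token secret pfkkdhi9sl3r4s00).
SPEC_URL = "http://photos.example.net/photos"
SPEC_PARAMS = [
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"),
    ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"),
    ("oauth_version", "1.0"),
    ("file", "vacation.jpg"),
    ("size", "original"),
]

# Constructed parameter set whose names differ only in embedded numbers.
MISMATCH_PARAMS = [("item10", "a"), ("item2", "b"), ("oauth_consumer_key", "k")]


def sort_order_demo():
    """Sign MISMATCH_PARAMS with the spec order and with natural order; a server
    using the spec order rejects the natural-order signature."""
    spec_base = signature_base_string("GET", SPEC_URL, MISMATCH_PARAMS)
    nat_base = signature_base_string("GET", SPEC_URL, MISMATCH_PARAMS, sort_key=natural_key)
    nat_sig = hmac_sha1_signature(nat_base, "secret")
    return {
        "spec_base": spec_base,
        "natural_base": nat_base,
        "server_accepts_natural_sig": verify_signature(nat_sig, spec_base, "secret"),
    }


if __name__ == "__main__":
    base = signature_base_string("GET", SPEC_URL, SPEC_PARAMS)
    print(base)
    print(hmac_sha1_signature(base, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"))
    for k, v in sort_order_demo().items():
        print(k, v)
    print("oauth_body_hash for 'Hello World!':", body_hash(b"Hello World!"))
```

The practical check when two OAuth libraries disagree is to dump both base strings, not the signatures: the base string is plain text and the differing position shows whether the cause is sort order, percent-encoding of a reserved character, or a parameter one side never included (such as oauth_body_hash). Every library that signs or verifies should reproduce the Appendix A vector above exactly; one that does not is the "out of date or alternative implementation" case from the thread.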