Posted to users@cxf.apache.org by icoleman <ib...@gmail.com> on 2014/01/31 19:25:30 UTC

OAuth 1.0 And Signature With Query Params

I have a problem that has been plaguing me for several days now and was
hoping someone had run across it before.

I have a provider implemented with Spring 3 & CXF 2.6.11. I have a consumer
that's a standalone Java application making requests to the provider. The
OAuth 1.0 Authorization headers on the client are being generated by
OAuthClientUtils.createAuthorizationHeader(consumer, token, httpMethod,
uri);

So far so good. Everything works fine so long as there are no query
parameters on the URL.

So if the request URL is "http://foo.com/api/83382" then all is well.

If the request URL is "http://foo.com/api/83382?scope=all" the signature
validation on the provider fails. After tracing through
SimpleOAuthValidator.validateSignature(..) I found that the Authorization
signature on the client is using the full URL with query parameters to
generate the signature, but when SimpleOAuthValidator generates the base
string for signature validation, the query parameters are not used (only the
URI).

I was able to get the SimpleOAuthValidator to validate the signature created
by OAuthClientUtils by overriding SimpleOAuthValidator, and reassembling the
"original" URI. But to do this I had to do some voodoo to get
HttpServletRequest.getRequestURL() and append the
httpServletRequest.getQueryString() to it. 

With this hack, the signature created by OAuthClientUtils will now be
validated by SimpleOAuthValidator. Obviously, that can't possibly be
"normal", right?

To make matters worse, I've had no luck whatsoever in getting a generic REST
client (e.g. REST Console for Chrome) to successfully authorize a request
against the provider. It fails with an oauth_problem: signature_invalid every
single time.

I'm using CXF 2.6.11 (but have used 2.7.8 with similar results).

Any help would be sincerely appreciated!

Thanks,

--Ian



--
View this message in context: http://cxf.547215.n5.nabble.com/OAuth-1-0-And-Signature-With-Query-Params-tp5739357.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: OAuth 1.0 And Signature With Query Params

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Ian
On 03/02/14 14:34, icoleman wrote:
> Hi Sergey,
>
> Interesting... In that case, perhaps the issue is
> OAuthClientUtils.createAuthorizationHeader(consumer, token, httpMethod,
> uri)... That method generates the signature based on a URI which includes
> the query parameters... As an initial workaround I was stripping the query
> params from the URI for the purpose of signature generation. I did this via
> a PhaseInterceptor as follows:
>
> [...]
>
> That seemed to work as well, but I was worried about non-standard behavior.
> Either way it seems like OAuthClientUtils.createAuthorizationHeader may
> need tweaking since the current behavior is to include the query param
> substring.
>
Why do you think it does? I can see it delegates to the OAuth 1.0 core library,
which actually strips the query component, if any, from the base URL and
adds that query as parameters.

Cheers, Sergey

-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: OAuth 1.0 And Signature With Query Params

Posted by icoleman <ib...@gmail.com>.
Hi Sergey,

Interesting... In that case, perhaps the issue is
OAuthClientUtils.createAuthorizationHeader(consumer, token, httpMethod,
uri)... That method generates the signature based on a URI which includes
the query parameters... As an initial workaround I was stripping the query
params from the URI for the purpose of signature generation. I did this via
a PhaseInterceptor as follows:

import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.rs.security.oauth.client.OAuthClientUtils;

public class OAuthHeaderInterceptor extends AbstractPhaseInterceptor<Message>
{
    private final KioskOAuthCredentials credentials;

    public OAuthHeaderInterceptor(final KioskOAuthCredentials credentials)
    {
        super(Phase.POST_LOGICAL);
        this.credentials = credentials;
    }

    @Override
    public void handleMessage(Message message) throws Fault
    {
        String uri = (String) message.get(Message.ENDPOINT_ADDRESS);
        // Strip any query params for authentication purposes--otherwise
        // remote auth fails...
        if (uri.contains("?"))
            uri = uri.substring(0, uri.indexOf("?"));

        String httpMethod = (String) message.get(Message.HTTP_REQUEST_METHOD);
        OAuthClientUtils.Consumer consumer = new OAuthClientUtils.Consumer(
            credentials.getConsumerKey(), credentials.getConsumerSecret());
        OAuthClientUtils.Token token = new OAuthClientUtils.Token(
            credentials.getTokenKey(), credentials.getTokenSecret());
        String authHeader = OAuthClientUtils.createAuthorizationHeader(
            consumer, token, httpMethod, uri);

        @SuppressWarnings("unchecked")
        Map<String, List<String>> headerMap =
            (Map<String, List<String>>) message.get(Message.PROTOCOL_HEADERS);
        if (headerMap == null)
        {
            // No protocol headers have been set on the outbound message yet
            headerMap = new TreeMap<String, List<String>>(String.CASE_INSENSITIVE_ORDER);
            message.put(Message.PROTOCOL_HEADERS, headerMap);
        }
        headerMap.put("Authorization", Arrays.asList(authHeader));
    }
}

That seemed to work as well, but I was worried about non-standard behavior.
Either way it seems like OAuthClientUtils.createAuthorizationHeader may
need tweaking since the current behavior is to include the query param
substring.

Best,

Ian


Re: OAuth 1.0 And Signature With Query Params

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

I'm just looking at the code and I'm wondering if the client you are
referring to in the original email calculates the signature correctly or
not. Is it RESTConsole?

Basically, the signature string should have the parameters (including 
the URI query parameters) separated from the base URI.

This page shows it quite well:

https://dev.twitter.com/docs/auth/creating-signature

I'm coming to the conclusion the problem is with the 3rd party client code.

Thanks, Sergey

-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
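Sergey's point above (parameters, including the URI query parameters, separated from the base URI) and Ian's original report (the client signs with the full URL while SimpleOAuthValidator builds its base string from the URI alone) both come down to how RFC 5849 section 3.4.1 defines the signature base string. The following Python is an added example, not CXF code and not anything posted in the thread. It builds the base string and HMAC-SHA1 signature the way the RFC does, then plays both sides: a consumer signing GET http://foo.com/api/83382?scope=all, and a provider that receives the request URL and the query string separately (as HttpServletRequest.getRequestURL() and getQueryString() deliver them) and must put them back together before verifying. Consumer key, token, nonce and timestamp are constructed values. The include_query switch models the two failure modes in the thread: a validator that ignores the query rejects a correct client with signature_invalid, and a client that strips the query before signing (the interceptor workaround) is accepted by such a validator but leaves scope=all unsigned, so a modified query goes undetected.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample credentials and request (not from the thread).
CONSUMER = ("kiosk-key", "kiosk-secret")   # (oauth_consumer_key, consumer secret)
TOKEN = ("tok-key", "tok-secret")          # (oauth_token, token secret)
URL = "http://foo.com/api/83382?scope=all"
OAUTH_PARAMS = {                            # fixed nonce/timestamp so the run is reproducible
    "oauth_consumer_key": CONSUMER[0],
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1391196330",
    "oauth_token": TOKEN[0],
    "oauth_version": "1.0",
}


def pct(value):
    """RFC 5849 3.6: percent-encode everything except ALPHA / DIGIT / '-' / '.' / '_' / '~'."""
    return quote(str(value), safe="")


def base_string_uri(url):
    """RFC 5849 3.4.1.2: lower-case scheme and host, drop default ports, drop the query."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, host, p.path or "/")


def normalized_params(query, oauth_params, body_params=()):
    """RFC 5849 3.4.1.3: query + form body + oauth_* (minus oauth_signature), encoded, sorted, joined."""
    pairs = parse_qsl(query, keep_blank_values=True)
    pairs += list(body_params)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return "&".join("%s=%s" % kv for kv in sorted((pct(k), pct(v)) for k, v in pairs))


def signature_base_string(method, url, oauth_params, body_params=(), include_query=True):
    """RFC 5849 3.4.1.1: METHOD & enc(base URI) & enc(normalized parameters).

    include_query=False models a base string built from the request URI alone,
    which is what the thread describes SimpleOAuthValidator doing.
    """
    query = urlsplit(url).query if include_query else ""
    return "&".join([method.upper(), pct(base_string_uri(url)),
                     pct(normalized_params(query, oauth_params, body_params))])


def hmac_sha1(base_string, consumer_secret, token_secret):
    """RFC 5849 3.4.2: key is enc(consumer secret) '&' enc(token secret)."""
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, consumer, token, oauth_params, include_query=True):
    """Consumer side: returns the oauth_* parameters with oauth_signature filled in."""
    params = dict(oauth_params)
    base = signature_base_string(method, url, params, include_query=include_query)
    params["oauth_signature"] = hmac_sha1(base, consumer[1], token[1])
    return params


def authorization_header(params, realm=None):
    """Serialise the parameters as an OAuth Authorization header (RFC 5849 3.5.1)."""
    items = ([("realm", realm)] if realm is not None else []) + sorted(params.items())
    return "OAuth " + ", ".join('%s="%s"' % (pct(k), pct(v)) for k, v in items)


def verify_request(method, request_url, query_string, received, consumer_secret, token_secret,
                   include_query=True):
    """Provider side. request_url is what getRequestURL() returns (no query) and query_string
    is getQueryString(); the provider must join the two before building the base string,
    otherwise the query parameters are never covered by the signature check."""
    url = request_url + ("?" + query_string if include_query and query_string else "")
    expected = hmac_sha1(signature_base_string(method, url, received), consumer_secret, token_secret)
    return hmac.compare_digest(expected, received.get("oauth_signature", ""))


def demo():
    """Returns (correct, validator_ignores_query, tampered_query,
                stripped_client_accepted, stripped_client_tampered_accepted)."""
    base, qs = "http://foo.com/api/83382", "scope=all"
    good = sign_request("GET", URL, CONSUMER, TOKEN, OAUTH_PARAMS)
    correct = verify_request("GET", base, qs, good, CONSUMER[1], TOKEN[1])                        # True
    ignores_query = verify_request("GET", base, qs, good, CONSUMER[1], TOKEN[1], include_query=False)  # False: signature_invalid
    tampered = verify_request("GET", base, "scope=admin", good, CONSUMER[1], TOKEN[1])            # False: query is covered
    # The interceptor workaround: the client strips the query before signing.
    weak = sign_request("GET", URL, CONSUMER, TOKEN, OAUTH_PARAMS, include_query=False)
    weak_ok = verify_request("GET", base, qs, weak, CONSUMER[1], TOKEN[1], include_query=False)                # True
    weak_tampered = verify_request("GET", base, "scope=admin", weak, CONSUMER[1], TOKEN[1], include_query=False)  # True: undetected
    return correct, ignores_query, tampered, weak_ok, weak_tampered


if __name__ == "__main__":
    print(authorization_header(sign_request("GET", URL, CONSUMER, TOKEN, OAUTH_PARAMS), realm="kiosk"))
    print(demo())
```

Run it directly to print the Authorization header and the demo tuple. verify_request assumes the provider has already parsed the oauth_* parameters out of the header (header parsing is not shown), and the realm parameter is excluded from the base string as the RFC requires. The last two values of demo() are the reason the client-side workaround is not a fix: once neither side includes the query in the base string, nothing ties scope=all to the signature.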

Re: OAuth 1.0 And Signature With Query Params

Posted by icoleman <ib...@gmail.com>.
Hi Sergey,

Thanks for taking the time to respond.

I was able to capture the raw headers as they passed through Fiddler (a
debugging proxy) and the successful authorization request looks like:



While the unsuccessful one generated by REST Console:



I did try to update the content type and accept headers for the failed
request to read...



...but that didn't seem to make any difference either.




Re: OAuth 1.0 And Signature With Query Params

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 31/01/14 18:25, icoleman wrote:
> [...]
> I was able to get the SimpleOAuthValidator to validate the signature created
> by OAuthClientUtils by overriding SimpleOAuthValidator, and reassembling the
> "original" URI. But to do this I had to do some voodoo to get
> HttpServletRequest.getRequestURL() and append the
> httpServletRequest.getQueryString() to it.
>
> With this hack, the signature created by OAuthClientUtils will now be
> validated by SimpleOAuthValidator. Obviously, that can't possibly be
> "normal", right?
>
Sure, this needs to be fixed - I'll look into it next week

> To make matters worse, I've had no luck whatsoever in getting a generic REST
> client (e.g. REST Console for Chrome) to successfully authorize a request
> against the provider. It fails with a oauth_problem: signature_invalid every
> single time.
>
Can you do me a favor and experiment further with it? Can we expect the
console to be affecting the signature somehow? What about curl?

Cheers, Sergey

-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com