I'm busy with implementing reverse authentication on iOS. I'm making it on the base of this example and twitter documentation.
I'm trying to figure out whether the consumer secret is mandatory to perform STEP 1 from the docs (obtaining a special request token). The docs say:
As an example, consider a request with the following values signed with the consumer key JP3PyvG67rXRsnayOJOcQ and consmer secret ydC2yUbFaScbSlykO0PmrMjXFeLraSi3Q2HfTOlGxQM.
Seems like the secret is needed. But then it lists the parameters for the request:
oauth_consumer_key JP3PyvG67rXRsnayOJOcQ
oauth_nonce 1B7D865D-9E15-4ADD-8165-EF90D7A7D3D2
oauth_signature_method HMAC-SHA1
oauth_timestamp 1322697052
oauth_version 1.0
x_auth_mode reverse_auth
and there's no secret. and also no oath_signature. It then confirms my suspicion by the following:
These parameters should result in a signature base string that looks like this:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&
oauth_consumer_key%3DJP3PyvG67rXRsnayOJOcQ%26
oauth_nonce%3D1B7D865D-9E15-4ADD-8165-EF90D7A7D3D2%26
oauth_signature_method%3DHMAC-SHA1%26
oauth_timestamp%3D1322697052%26
oauth_version%3D1.0%26
x_auth_mode%3Dreverse_auth
again, no secret and no oath_signature parameter. Then i look at the example app i have taken from the GitHub and see that it actually makes use of the secret. It makes some magic, mixes the secret with different strings, encrypts it and makes it into oauth_signature parameter which goes into the authorization header for its request. The complete authorisation header looks like this:
OAuth oauth_timestamp="1405695110", oauth_nonce="0C38A128-42B1-41D1-B31D-EBEBE8971470", oauth_version="1.0", oauth_consumer_key="u97hVQZtAcRbLWHv5CkONbaJ8", oauth_signature_method="HMAC-SHA1", oauth_signature="iuaqaN1MvFHyKMa95LFWXCxUfDM%3D"
The only difference between this and Twitter doc's example is that here is oauth_signature parameter (made from the secret) present. And the example works all right. I tried removing the secret when making the signature and received an error from Twitter.
So I am confused. The docs don't clearly state that the secret is required whereas the example uses it as its important part. So is it mandatory? And if not can you please explain how do I build a request without the secret?
Related
I have been toying around with the twitter API over the last few days, but seem to be stuck at requesting a "request token". (flow A)
Over at the twitter api, I should be hitting the following end point (https://api.twitter.com/oauth/request_token) and on a successful request this should net me an oauth_token, oauth_token_secret and oauth_callback_confirmed (should match what I pass). I attempted to just use my private key, but this of course is failing. Is my understanding of how to generate this request wrong?
I believe my issue is the way I am generating the oauth_signature. Reading the documentation at twitter, everything seems straight forward until I need to generate signing key documented Here. It states that the signing key should be Consumer Secret & OAuth token secret, but to me this is a circular reference. The response, for this request, should contain the oauth_token_secret.
With this request an empty oauth_token_secret is expected. Signing key should be consumer_secret&, the trailing & must be included.
Relevant quote from https://www.rfc-editor.org/rfc/rfc5849#section-3.4.2:
An "&" character (ASCII code 38), which MUST be included
even when either secret is empty.
As part of the OpenID Connect (OAuth2 for Login), my application is supposed to request an access token, given a one-time authorization code, via the endpoint https://www.googleapis.com/oauth2/v3/token. According to documentation, this request needs 5 parameters passed to it, client_id among them. That is exactly what my application does, using the Perl module Net::OAuth2.
Everything has been working fine for several months, but today I was notified that it stopped working. No updates were made to the application code nor the libraries used by it.
The message my application now receives from the server when calling the token endpoint is this, in a 400 error response:
OAuth 2 parameters can only have a single value: client_id
A Google search suggests nobody has ever seen this message before, or lived to tell the tale. There doesn't seem to be a general issue with Google's OpenID Connect (other services based on it are working flawlessly), and the imminent shutdown of the old login protocol doesn't seem relevant.
More testing: removing all parameters except client_id causes this error message:
Required parameter is missing: grant_type
Supplying only client_id and grant_type produces the original error message again.
Does anyone have an idea what's going on here?
Google changed this behavior few days ago, so any OAuth2 library using Basic Auth headers AND body request parameters will start to see messages like
OAuth 2 parameters can only have a single value: client_id
or
OAuth 2 parameters can only have a single value: client_secret
So, you must now do NOT use both (the Auth headers and body request parameters) at the same time to send credentials to Google.
And according RFC 6749, the preferable way to send credentials is through Auth headers (thanks #JanKrüger for alert me about this).
Got the same error. It seems the problem is that NET::OAuth2 sets the authorization header when exchanging authorization code for access token. If you remove this header everything works fine.
Check the get_access_token method in Net::OAuth2::Profile::WebServer module. The authorization header includes client_id:client_secret base64-encoded string. Apparently Google now treats this duplication as an error.
The right way of fixing this is to set the secrets_in_params parameter when creating Net::OAuth2::Profile::WebServer object. Look in the Net::OAuth2::Profile documentation for more details.
I am having some issues with MapMyFitness API. MapMyFitness uses OAuth 1.0
I am able to successfully get a temporary Authorization token/temporary secret Token combination from calling 3.1/oauth/request_token
After that, I am able to successfully direct the user to the Authorization page and get a redirect callback with a authorization verifier.
After that, I am, unfortunately, getting errors when trying to call 3.1/oauth/access_token. (HTTP error 401)
First of all, MMF documentation (http://api.mapmyfitness.com/3.1/oauth/access_token?doc) states: Exchange a request token and an authorization verifier for an access token. However, the list of input arguments in the documentation contains no mention of oauth_verifier. Should oauth_verifier that I have received with the redirect callback be passed to access_token call as an argument?
Secondly, it appears to me that perhaps I am not creating the signature correctly. For the 3.1/oauth/request_token call the key to generate the signature is 'XXX&' where XXX is the Consumer Secret Key assigned to my app by MapMyFitness. This works fine. For the 3.1/oauth/access_token call, I am using 'XXX&YYY' as a signature key where XXX is the Consumer Secret Key assigned to my app by MapMyFitness and YYY is the temporary Secret Token returned to me by the server during the 3.1/oauth/request_token call. Is that correct?
I would greatly appreciate any suggestions.
OK, I got it working. First of all, oauth_verifier DOES need to be included as part of parameters. For some reason, Map My Fitness does not include it in its list of required parameters, but it has to be there. Secondly - very important - according to OAuth 1.0 documentation, all parameters need to be in alphabetical order when creating the signature - otherwise there will be a signature mismatch and you'll get HTTP 401 error. Once I sorted my parameters in alphabetical order, I was able to exchange temporary MapMyFitness credentials to permanent ones.
I followed the tutorial on https://dev.twitter.com/docs/auth/implementing-sign-twitter to use OAuth on my homepage. Everything worked and after the last step I have an oauth_token (after converting it to an access token) and an oauth_token_secret. Now I want to post a new status on twitter. So I did everything on this page https://dev.twitter.com/docs/auth/authorizing-request which is just a post request to /1/statuses/update.json. On that page nothing is said about the oauth_token_secret, so I haven't used it in my request and just have put the oauth_token in it. After submitting the post request twitter gives me the status code 401 Unauthorized. Why that? Do I have to use the oauth_token_secret somewhere?
The token secret is used to hash the signature base. Something like a password. You don't send the password, you use it to compute a secure hash of the thing the service sent to you. You send that secure hash, then the service checks that secure hash against the request you sent. If they match, you're authorized.
The gory details are described in the OAuth spec, RFC 5849.
Twitter uses OAuth1.0a, but is mostly consistent with that spec.
here's the relevant bit:
https://www.rfc-editor.org/rfc/rfc5849#section-3.4.2
Very quick question for FreshBooks OAuth. When requesting a Request Token you need to provide (among others) the oauth_signature method.
Is the signature the consumer key and the consumer secret separated by an ampersand? e.g.
_consumer_key_%26_consumer_secret_
where _consumer_key_ is the consumer key. _consumer_secret_ is the consumer secret and %26 is a url encoded ampersand.
Simple answer is I was using the request headers instead of the Authorization header.