I've successfully connected to twitter streaming API with the track parameter. I'm using OAuth Authentication and have written my own classes (so not using any libraries).
I've just added the location parameter. I have added this to the oauth_signature_base_string, in alphabetical order as stated in the docs. It's also encoded in this string as described in the docs.
I then add it along with the track parameter to the uri, but not encoded. Again I believe this is how the docs say to do it.
https://stream.twitter.com/1.1/statuses/filter.json?stall_warnings=true&track=silverstone&locations=-180,-90,180,90
The problem I'm encountering is that the addition of the location param to the authorization string causes the authentication to fail (i.e. 401 Unauthorized).
Anyone any idea on how the location parameter should be added to the header as this is where I think I'm going wrong (i.e. should the value of the location be encoded?)
Cheers.
Tim
It turned out in the end that the header was incorrect due to using System.Uri.EscapeUriString and not System.Uri.EscapeDataString.
Always use System.Uri.EscapeDataString to encode any string for the twitter OAuth api.
Related
I'm trying to authorize my standalone application. But after I click "Allow" it always redirects to http://oauth.vk.com/error?err=2 and gives this as response body:
{"error":"invalid_request", "error_description":"Security Error"}
Here's the request URL (I do have correct client_id):
https://oauth.vk.com/authorize?client_id=...&scope=messages,offline&redirect_uri=https://oauth.vk.com/blank.html&display=page&v=5.37&response_type=token
It seems that I've tried everything:
Turning application on and off
Passing scope as bit mask
URI encoding some parameters to have correct URL
and so on
After an hour of searching I found this.
So it means that the user has an old session and must log in again in the browser.
Space in state parameter causes this.
OAuth 2 RFC, sections 4.1.1 on authorization request and 4.1.2 on authorization response, recommends using state parameter to maintain state in authorization code flow, particularly to prevent CSRF.
When I set this field to CSRFTOKEN123 http://my.site/next/url, I got this error. Replacing (space) with : to get CSRFTOKEN123:http://my.site/next/url helps.
By the way, I couldn't find any mention of state parameter on VK documentation website but VK OAuth 2 authorization system actually supports it. It couldn't be called OAuth 2 otherwise. So I find it legit to use state parameter.
The topic https://vk.com/topic-17680044_30635058 mentioned by the author is closed now; the current discussion is https://vk.com/topic-1_24428376. There are a number of questions on this. All in Russian.
I am trying to make a GET request with AFNetworking to facebook's graph api. For various reasons, I'd rather not use the facebook SDK's native objects and would prefer to make those requests via AFNetworking. However, I'm a bit new to the networking side of things and I am unsure how to include the access token along with my GET request. Can anyone point me in the right direction?
I've tried setting the http header field to include this:
Authentication : {my access token}
but that doesn't seem to be working.
You need to add access_token as a URL query parameter for GET requests. See the docs here.
This is a repost from the vimeo forum, but since nobody is answering over there, I try my luck here:
I have been trying for some hours now to get my head around the whole oAuth thing, but I don't seem to get it working. I want to retrieve thumbnails for private videos, using the advanced vimeo api. This is what I have right now:
$vimeo = new phpVimeo($consumer_key, $consumer_secret, $access_token, $access_token_secret);
// parameter name is 'video_id' (the posted code had a trailing space inside the key)
$result = $vimeo->call('vimeo.videos.getThumbnailUrls', array('video_id' => $video_id));
When I try it like this, I keep getting the error
"Fatal error: Uncaught exception 'VimeoAPIException' with message 'Invalid signature' ".
I'm absolutely positive that the keys and secrets are correct. Do I have to do more to make this thing work? Of course, it would be amazing to have an example where I just have to put in all my key data in and it works.
thanks in advance!
There are a couple of ways to help troubleshoot your signature errors. First I want to explain some terminology.
Api Endpoint - The api url you are requesting.
Client ID / Client Secret - A pair of tokens given to you when you create your Api Application
Request Token - A token generated while authorizing a user. This token cannot be used to make API calls.
OAuth Token / Token Secret - A pair of tokens given to you when you send a user through your authorization workflow
Base String - A specifically formatted string that contains all the information relating to your API request.
OAuth Signature - A hashed token that represents the request you are making. This is generated using a base string, your client id and secret, and an optional oauth token and secret.
Troubleshooting
1. Try using the latest version of the official PHP library: https://github.com/vimeo/vimeo-php-lib.
   - If this works, there is an issue in your code. Continue to step 2.
   - If this does not work, let Vimeo know. You do not need to continue these steps.
2. Use the Hueniverse interactive guide: http://hueniverse.com/oauth/guide/authentication/
   - Make a request and log every URL, header and parameter. Also include the Base String.
   - Click all the plus signs to expand the input forms and then fill in all of the appropriate data.
   - Ensure that the Hueniverse Base String matches your own generated Base String.
   - If this matches and the signature is still incorrect, you are likely performing the HMAC signature incorrectly. Check all of your tokens; feel free to contact Vimeo.
   - If the Base String does not match, make sure you are following the spec: https://www.rfc-editor.org/rfc/rfc5849#section-3.4.1
3. If all else fails, your best option is to contact Vimeo directly. They can look up your authentication tokens and expected signatures.
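Worked example added here (my code, not either poster's, the Vimeo PHP library's or Twitter's): a library-free OAuth 1.0a HMAC-SHA1 signer that builds the RFC 5849 section 3.4.1 base string the troubleshooting steps above ask you to log, and also reproduces the bug from the Twitter streaming question at the top of the page, where parameter values were escaped with a routine that leaves reserved characters such as "," untouched (what Uri.EscapeUriString does) instead of Uri.EscapeDataString. The consumer key/secret, token/secret, nonce and timestamp are constructed; the request is the filter.json call from that question; `uri_style_escape` is an approximation of EscapeUriString's behaviour written for the comparison, not .NET code.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(s: str) -> str:
    """RFC 5849 section 3.6: everything except ALPHA, DIGIT, '-', '.', '_', '~'
    becomes %XX (uppercase hex over the UTF-8 bytes). Uri.EscapeDataString does
    the same, which is why the accepted answer says to use it."""
    return quote(s, safe="")


def uri_style_escape(s: str) -> str:
    """Stand-in (assumption, not .NET code) for an escaper that leaves the
    RFC 3986 reserved characters alone, as Uri.EscapeUriString does. Using it
    on OAuth parameter values is the bug in the Twitter question."""
    return quote(s, safe="/:?#[]@!$&'()*+,;=")


def signature_base_string(method, base_url, params, encode=percent_encode):
    """RFC 5849 section 3.4.1. `params` are (name, value) pairs from the query,
    the form body and the oauth_* header, excluding oauth_signature; `base_url`
    must already be normalised (lower-case scheme/host, no query, no default port)."""
    pairs = sorted((encode(k), encode(v)) for k, v in params)  # section 3.4.1.3.2
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: key is enc(consumer secret) '&' enc(token secret)."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(oauth_params, signature, realm="Example"):
    """Authorization: OAuth header. Every name and value is percent-encoded, so
    a signature ending in '=' is sent as '%3D'."""
    items = sorted(list(oauth_params) + [("oauth_signature", signature)])
    pairs = ", ".join(f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in items)
    return f'OAuth realm="{realm}", {pairs}'


def server_accepts(method, base_url, params, presented, consumer_secret, token_secret):
    """Provider side: rebuild the base string from the request as received and
    compare signatures in constant time. A mismatch is the 401 from the question."""
    base = signature_base_string(method, base_url, params)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Constructed credentials and request, mirroring the filter.json call in the question.
CONSUMER_KEY, CONSUMER_SECRET = "consumer-key", "consumer-secret"
TOKEN, TOKEN_SECRET = "access-token", "token-secret"
BASE_URL = "https://stream.twitter.com/1.1/statuses/filter.json"
QUERY = [("stall_warnings", "true"), ("track", "silverstone"),
         ("locations", "-180,-90,180,90")]
OAUTH = [("oauth_consumer_key", CONSUMER_KEY), ("oauth_nonce", "abc123"),
         ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1318622958"),
         ("oauth_token", TOKEN), ("oauth_version", "1.0")]


def sign_filter_request(encode=percent_encode):
    """Return (base string, signature) for the constructed request, using the
    given parameter encoder so the two encoders can be compared."""
    base = signature_base_string("GET", BASE_URL, QUERY + OAUTH, encode)
    return base, hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)


if __name__ == "__main__":
    good_base, good_sig = sign_filter_request(percent_encode)
    bad_base, bad_sig = sign_filter_request(uri_style_escape)
    print("base string:", good_base)  # log this and compare it with the Hueniverse guide
    print(authorization_header(OAUTH, good_sig))
    args = ("GET", BASE_URL, QUERY + OAUTH)
    print("EscapeDataString-style signature accepted:",
          server_accepts(*args, good_sig, CONSUMER_SECRET, TOKEN_SECRET))
    print("EscapeUriString-style signature accepted:",
          server_accepts(*args, bad_sig, CONSUMER_SECRET, TOKEN_SECRET))
```

The only byte that differs between the two base strings is the comma in `locations`: encoded properly it appears as `%252C` (encoded once as a value, once more when the normalised string is folded into the base string), while the reserved-character-preserving escaper leaves it as `,` and it ends up as `%2C`. The provider always rebuilds the base string from the decoded request, so its signature matches the first and not the second. Logging `good_base` before signing is the quickest way to run step 2 of the troubleshooting list.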
I want to make sure I have correctly understood the (draft) spec, which states:
The redirection endpoint URI MUST be an absolute URI as defined by
[RFC3986] section 4.3. The endpoint URI MAY include an
"application/x-www-form-urlencoded" formatted
([W3C.REC-html401-19991224]) query component ([RFC3986] section 3.4),
which MUST be retained when adding additional query parameters. The
endpoint URI MUST NOT include a fragment component.
The reason I ask is that neither Google nor Facebook appears to preserve any query strings.
Re-reading the spec it appears that the quoted section of the spec applies not to the OAuth server's handling of URIs but the OAuth client's handling of the original endpoint URI it is given.
In other words it's saying that if I say that my OAuth endpoint which you have to use when redirecting to my server for an OAuth authorization is:
http://example.com/oauth.php?endpoint=token
Then when the client is adding the ?response_type=code&client_id=...&state=...&redirect_uri=... to the URI it is not permitted to discard the "?endpoint=token" in the original endpoint uri and MUST use the URI:
http://example.com/oauth.php?endpoint=token&response_type=code&client_id=...&state=...&redirect_uri=...
So, at least as far as that part of the spec goes there's nothing there saying that Facebook, Google, etc... have to preserve any unknown query arguments besides the 'state' one.
Technically you might be able to use the &state= parameter to pass along custom data in say JSON format. Though that may or may not work. IIRC I noticed that Meetup's implementation of OAuth 2 appears to mangle the state when you use special characters. Something that I believe is against spec.
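Added example (my code, not VK's, Meetup's or either poster's) serving both the VK answer above, where a space in state produced "Security Error", and the remark here about carrying custom data in state: the state value is built from a random nonce, a base64url-encoded JSON payload and an HMAC tag, so it contains only URL-safe characters, serves as the CSRF token that RFC 6749 (the draft quoted in the question) sections 4.1.1 and 4.1.2 recommend, and cannot be edited to send the user to another "next" URL. `build_authorize_url` also retains any query component the endpoint already carries, the requirement discussed in this answer. The signing key, client_id and "next" URL are constructed; the endpoint and request parameters mirror the VK question.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed server-side secret for this example; load it from configuration in practice.
STATE_KEY = b"example-state-signing-key"
AUTHORIZE_ENDPOINT = "https://oauth.vk.com/authorize"  # endpoint from the VK question


def b64url(raw: bytes) -> str:
    """base64url without padding: output is limited to A-Z a-z 0-9 '-' '_',
    so it survives any provider's query-string handling unchanged."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(payload: dict) -> Tuple[str, str]:
    """Return (state, nonce). Keep the nonce in the user's session; the state
    carries nonce plus payload under an HMAC tag, so a tampered payload is
    rejected on the way back rather than becoming an open redirect."""
    nonce = secrets.token_urlsafe(16)
    body = b64url(json.dumps({"n": nonce, "p": payload}, separators=(",", ":")).encode())
    tag = b64url(hmac.new(STATE_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}", nonce


def parse_state(state: str, expected_nonce: str) -> Optional[dict]:
    """Verify tag, then nonce; return the payload, or None if either check fails."""
    body, sep, tag = state.partition(".")
    if not sep:
        return None
    expected_tag = b64url(hmac.new(STATE_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected_tag):
        return None
    data = json.loads(b64url_decode(body))  # authentic, so it decodes
    if not hmac.compare_digest(str(data.get("n", "")), expected_nonce):
        return None  # CSRF: state was not issued to this session
    return data["p"]


def build_authorize_url(endpoint: str, params: dict) -> str:
    """Append OAuth 2 parameters while retaining any query the endpoint already
    has (the RFC text quoted in the question) and encoding every value."""
    parts = urlsplit(endpoint)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def start_authorization(client_id: str, redirect_uri: str, next_url: str) -> Tuple[str, str]:
    """Client side: returns (URL to redirect the browser to, nonce to store in session)."""
    state, nonce = make_state({"next": next_url})
    url = build_authorize_url(AUTHORIZE_ENDPOINT, {
        "client_id": client_id, "scope": "messages,offline", "redirect_uri": redirect_uri,
        "display": "page", "v": "5.37", "response_type": "token", "state": state})
    return url, nonce


def handle_callback(returned_state: str, session_nonce: str) -> Optional[str]:
    """Callback side: release the 'next' URL only when the state verifies."""
    payload = parse_state(returned_state, session_nonce)
    return None if payload is None else payload["next"]


if __name__ == "__main__":
    url, nonce = start_authorization("12345", "https://oauth.vk.com/blank.html",
                                     "http://my.site/next/url")
    print(url)
    print("next after callback:", handle_callback(url.split("state=")[1], nonce))
```

Compared with "CSRFTOKEN123:http://my.site/next/url", this keeps the colon, slashes and any JSON out of the value the provider sees, so it does not matter whether a given provider (VK, Meetup) mangles special characters in state; and because the tag covers the payload, an attacker who sends a victim a crafted callback cannot pick the "next" URL or reuse a state issued to a different session.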
I've read all the threads about simiular issues on SO and elsewhere, and none of them have solved my problem.
I'm using Twython as a wrapper around the API. I've tried setting oauth_callback EVERYWHERE. Using the internal mechanism in Twython (which is done by setting callback_url on instantiation), by manually modifying the auth_url and appending the argument before redirecting the user, etc. I've tried deleting and recreating both new twitter apps and new twitter accounts, to no avail.
Whenever I redirect the client to twitter, the correct oauth_callback is ALWAYS visible in the url along with the oauth_token, but the api always ignores this argument and overrides it with the url in the settings of my twitter app (both are under the same domain). I have tried figuring this out for several hours and I'm at a dead end. I've seen this work before and I've done it plenty of times, so I don't know what could possibly be going wrong.
It's strange: even if I set the callback to 'oob', which ought to trigger the PIN workflow rather than a callback, this argument is EVEN THEN ignored. Any ideas why?
You specify the oauth_callback value when you get a request token, as specified in OAuth 1.0a. In 1.0 you could pass it along with the user when they go to twitter.com, but this was changed for security reasons. You can read more about it in the /oauth/request_token docs.