What variables do we need to store when we authenticate a user using Twitter Connect?
The oauth_token and oauth_token_secret that you get from the /oauth/access_token method are specific to the user and required to make future API requests. These do not expire but may be revoked at any time.
To make an API request, you only need the following list of variables:
- oauth_consumer_key
- oauth_nonce
- oauth_signature_method
- oauth_token
- oauth_timestamp
- oauth_version
and the API method-specific variables.
See this example: http://dev.twitter.com/pages/auth#auth-request
I'm busy implementing reverse authentication on iOS. I'm building it on the basis of this example and the Twitter documentation.
I'm trying to figure out whether the consumer secret is mandatory to perform STEP 1 from the docs (obtaining a special request token). The docs say:
As an example, consider a request with the following values signed with the consumer key JP3PyvG67rXRsnayOJOcQ and consumer secret ydC2yUbFaScbSlykO0PmrMjXFeLraSi3Q2HfTOlGxQM.
Seems like the secret is needed. But then it lists the parameters for the request:
- oauth_consumer_key: JP3PyvG67rXRsnayOJOcQ
- oauth_nonce: 1B7D865D-9E15-4ADD-8165-EF90D7A7D3D2
- oauth_signature_method: HMAC-SHA1
- oauth_timestamp: 1322697052
- oauth_version: 1.0
- x_auth_mode: reverse_auth
and there's no secret, and also no oauth_signature. It then confirms my suspicion with the following:
These parameters should result in a signature base string that looks like this:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&
oauth_consumer_key%3DJP3PyvG67rXRsnayOJOcQ%26
oauth_nonce%3D1B7D865D-9E15-4ADD-8165-EF90D7A7D3D2%26
oauth_signature_method%3DHMAC-SHA1%26
oauth_timestamp%3D1322697052%26
oauth_version%3D1.0%26
x_auth_mode%3Dreverse_auth
Again, no secret and no oauth_signature parameter. Then I look at the example app I have taken from GitHub and see that it actually makes use of the secret. It does some magic, mixes the secret with different strings, encrypts it and turns it into the oauth_signature parameter, which goes into the Authorization header of its request. The complete Authorization header looks like this:
OAuth oauth_timestamp="1405695110", oauth_nonce="0C38A128-42B1-41D1-B31D-EBEBE8971470", oauth_version="1.0", oauth_consumer_key="u97hVQZtAcRbLWHv5CkONbaJ8", oauth_signature_method="HMAC-SHA1", oauth_signature="iuaqaN1MvFHyKMa95LFWXCxUfDM%3D"
The only difference between this and the Twitter docs' example is that here the oauth_signature parameter (made from the secret) is present. And the example works all right. I tried removing the secret when making the signature and received an error from Twitter.
So I am confused. The docs don't clearly state that the secret is required, whereas the example uses it as an important part. So is it mandatory? And if not, can you please explain how I build a request without the secret?
I have tried to use OAuth2 to build a group settings service with the following:
import os
import httplib2
from oauth2client import client, tools
from oauth2client.file import Storage
from oauth2client.tools import run
from apiclient import discovery

def groupSettingsService(request):
    CLIENT_SECRETS = os.path.join(os.path.dirname(__file__), 'client_secrets.json')
    FLOW = client.flow_from_clientsecrets(CLIENT_SECRETS,
                                          scope=['https://www.googleapis.com/auth/apps.groups.settings'],
                                          message=tools.message_if_missing(CLIENT_SECRETS))
    storage = Storage('groups-settings.dat')  # cached credentials, reused on later calls
    credentials = storage.get()
    if credentials is None or credentials.invalid:
        credentials = run(FLOW, storage)  # interactive consent flow; result is saved to storage
    http = httplib2.Http()
    http = credentials.authorize(http)
    return discovery.build('groupssettings', 'v1', http=http)
But the problem is that when the token isn't valid anymore (expires) it redirects to a page telling the user to grant access to that scope again, which is inappropriate for API calls!
Is there a way to work with a username/password or client_secret to grant full access permanently to the API without asking whether to grant access or not?
You need to ask for access_type=offline when you redirect the user to Google.
You will then get a code, which can be exchanged (by POSTing it with your client_id and client_secret) into an access_token (that is the one you are already using) and a refresh_token.
When your access_token expires, you can POST the refresh_token, client_id and client_secret to get another access_token. You can do that multiple times if you need to (or weeks later...).
Did you save the credentials to storage upon successfully getting credentials?
I want to get the user profile, for which I am using OAuth: http://developer.yahoo.com/oauth/guide/oauth-auth-flow.html
I have retrieved the access token and now finally I need to call the Yahoo API by making a GET request according to http://developer.yahoo.com/oauth/guide/oauth-make-request.html#
The GET request I am sending is:
http://social.yahooapis.com/v1/user/KMDUY7SWWTJOX4AS3XR47PNLQU/profile?format=json
&realm="yahooapis.com"
&oauth_consumer_key=my key
&oauth_nonce=24829.2331
&oauth_signature_method=plaintext
&oauth_timestamp=1219450170
&oauth_token=whole token here
&oauth_version=1.0
&auth_signature="consumer secret + token secret"
When I send this request it gives me this error:
{"error":{"lang":"en-US","description":"Please provide valid credentials. OAuth oauth_problem=\"token_rejected\", realm=\"yahooapis.com\""}}
Thank you for your time and consideration.
I was having this issue for a while and then eventually I figured out that Yahoo! puts A= at the beginning of all of their access tokens in their response, but that is not actually part of the access token, so you should be sure to remove that part before responding back to Yahoo!
I hope this helps someone else that stumbles upon this page in the future.
Probably in your case the issue is related to the protocol. You should use https when calling the Yahoo! API.
As they say in the Yahoo documentation here:
For requests to Yahoo API and Web services that require OAuth authorization, you must use the HMAC-SHA1 encryption method because requests are made insecurely using HTTP.
I followed the tutorial on https://dev.twitter.com/docs/auth/implementing-sign-twitter to use OAuth on my homepage. Everything worked, and after the last step I have an oauth_token (after converting it to an access token) and an oauth_token_secret. Now I want to post a new status on Twitter. So I did everything on this page https://dev.twitter.com/docs/auth/authorizing-request, which is just a POST request to /1/statuses/update.json. On that page nothing is said about the oauth_token_secret, so I haven't used it in my request and have just put the oauth_token in it. After submitting the POST request Twitter gives me the status code 401 Unauthorized. Why is that? Do I have to use the oauth_token_secret somewhere?
The token secret is used to hash the signature base. It's something like a password. You don't send the password; you use it to compute a secure hash of the thing the service sent to you. You send that secure hash, then the service checks that secure hash against the request you sent. If they match, you're authorized.
The gory details are described in the OAuth spec, RFC 5849.
Twitter uses OAuth 1.0a, but is mostly consistent with that spec.
Here's the relevant bit:
https://www.rfc-editor.org/rfc/rfc5849#section-3.4.2
I have a problem when trying to get the oauth_token and oauth_token_secret from the LinkedIn OAuth API. I can get the requestToken (1st request), but in the callback page (after the user approved the app) I'm trying to get the token and the secret and I always get 401, and it says the signature is invalid.
I'm posting the following values to https://api.linkedin.com/uas/oauth/accessToken:
- oauth_consumer_key
- oauth_nonce
- oauth_signature_method
- oauth_timestamp
- oauth_token
- oauth_verifier
- oauth_version
As a side note, I don't understand why I'm getting the verifier (I don't need the PIN since it's running in a browser).
The only way I was able to get the token and the secret was when I also posted the "oauth_token_secret" I received in the 1st request (when I asked for the requestToken).
But I can't get this oauth_token_secret in the callback page.
I found out you need to pass in the secret token you get in the first request for the requestToken (1st request) to the access token request, and it is working.
Once you have the first stage done and you have the request token, you should have been passed back the request token and the verifier, per:
https://developer.linkedin.com/documents/oauth-overview
Then, pass the request token back along with the verifier in the same way you did for the request token (signing the request, etc) and you should receive the access token.