Freshbooks OAuth issue - oauth

Very quick question for FreshBooks OAuth. When requesting a Request Token you need to provide (among others) the oauth_signature method.
Is the signature the consumer key and the consumer secret separated by an ampersand? e.g.
_consumer_key_%26_consumer_secret_
where _consumer_key_ is the consumer key, _consumer_secret_ is the consumer secret and %26 is a URL-encoded ampersand.

Simple answer is I was using the request headers instead of the Authorization header.

Related

what's the meaning of the “gty” claim in a jwt token?

I have decoded a JWT token using jwt.io. I found one claim 'gty' in the payload section. What is the meaning and significance of it?
gty is not a registered claim name as defined in RFC 7519.
Although I could not find any reference clearly stating it, it seems auth0.com uses gty for the grant_type that was used to request the token, e.g. client-credentials or password.
Here's an example in the Auth0 community in which grant_type password and the gty claim are mentioned.

twitter - request token failing

I have been toying around with the twitter API over the last few days, but seem to be stuck at requesting a "request token". (flow A)
Over at the twitter api, I should be hitting the following end point (https://api.twitter.com/oauth/request_token) and on a successful request this should net me an oauth_token, oauth_token_secret and oauth_callback_confirmed (should match what I pass). I attempted to just use my private key, but this of course is failing. Is my understanding of how to generate this request wrong?
I believe my issue is the way I am generating the oauth_signature. Reading the documentation at twitter, everything seems straightforward until I need to generate the signing key documented Here. It states that the signing key should be Consumer Secret & OAuth token secret, but to me this is a circular reference. The response, for this request, should contain the oauth_token_secret.
With this request an empty oauth_token_secret is expected. The signing key should be consumer_secret&; the trailing & must be included.
Relevant quote from https://www.rfc-editor.org/rfc/rfc5849#section-3.4.2:
An "&" character (ASCII code 38), which MUST be included
even when either secret is empty.

Is Twitter consumer secret required for reverse authentication?

I'm busy with implementing reverse authentication on iOS. I'm making it on the base of this example and twitter documentation.
I'm trying to figure out whether the consumer secret is mandatory to perform STEP 1 from the docs (obtaining a special request token). The docs say:
As an example, consider a request with the following values signed with the consumer key JP3PyvG67rXRsnayOJOcQ and consumer secret ydC2yUbFaScbSlykO0PmrMjXFeLraSi3Q2HfTOlGxQM.
Seems like the secret is needed. But then it lists the parameters for the request:
oauth_consumer_key JP3PyvG67rXRsnayOJOcQ
oauth_nonce 1B7D865D-9E15-4ADD-8165-EF90D7A7D3D2
oauth_signature_method HMAC-SHA1
oauth_timestamp 1322697052
oauth_version 1.0
x_auth_mode reverse_auth
and there's no secret, and also no oauth_signature. It then confirms my suspicion by the following:
These parameters should result in a signature base string that looks like this:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&
oauth_consumer_key%3DJP3PyvG67rXRsnayOJOcQ%26
oauth_nonce%3D1B7D865D-9E15-4ADD-8165-EF90D7A7D3D2%26
oauth_signature_method%3DHMAC-SHA1%26
oauth_timestamp%3D1322697052%26
oauth_version%3D1.0%26
x_auth_mode%3Dreverse_auth
again, no secret and no oauth_signature parameter. Then I look at the example app I have taken from GitHub and see that it actually makes use of the secret. It makes some magic, mixes the secret with different strings, encrypts it and makes it into the oauth_signature parameter which goes into the authorization header for its request. The complete authorisation header looks like this:
OAuth oauth_timestamp="1405695110", oauth_nonce="0C38A128-42B1-41D1-B31D-EBEBE8971470", oauth_version="1.0", oauth_consumer_key="u97hVQZtAcRbLWHv5CkONbaJ8", oauth_signature_method="HMAC-SHA1", oauth_signature="iuaqaN1MvFHyKMa95LFWXCxUfDM%3D"
The only difference between this and Twitter doc's example is that here is oauth_signature parameter (made from the secret) present. And the example works all right. I tried removing the secret when making the signature and received an error from Twitter.
So I am confused. The docs don't clearly state that the secret is required, whereas the example uses it as an important part. So is it mandatory? And if not, can you please explain how I build a request without the secret?

MapMyFitness API OAuth questions

I am having some issues with MapMyFitness API. MapMyFitness uses OAuth 1.0
I am able to successfully get a temporary Authorization token/temporary secret Token combination from calling 3.1/oauth/request_token
After that, I am able to successfully direct the user to the Authorization page and get a redirect callback with an authorization verifier.
After that, I am, unfortunately, getting errors when trying to call 3.1/oauth/access_token. (HTTP error 401)
First of all, MMF documentation (http://api.mapmyfitness.com/3.1/oauth/access_token?doc) states: Exchange a request token and an authorization verifier for an access token. However, the list of input arguments in the documentation contains no mention of oauth_verifier. Should oauth_verifier that I have received with the redirect callback be passed to access_token call as an argument?
Secondly, it appears to me that perhaps I am not creating the signature correctly. For the 3.1/oauth/request_token call the key to generate the signature is 'XXX&' where XXX is the Consumer Secret Key assigned to my app by MapMyFitness. This works fine. For the 3.1/oauth/access_token call, I am using 'XXX&YYY' as a signature key where XXX is the Consumer Secret Key assigned to my app by MapMyFitness and YYY is the temporary Secret Token returned to me by the server during the 3.1/oauth/request_token call. Is that correct?
I would greatly appreciate any suggestions.
OK, I got it working. First of all, oauth_verifier DOES need to be included as part of the parameters. For some reason, Map My Fitness does not include it in its list of required parameters, but it has to be there. Secondly - very important - according to the OAuth 1.0 documentation, all parameters need to be in alphabetical order when creating the signature - otherwise there will be a signature mismatch and you'll get an HTTP 401 error. Once I sorted my parameters in alphabetical order, I was able to exchange temporary MapMyFitness credentials for permanent ones.
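Added example (not code from any of the posts above, nor from Twitter or MapMyFitness): a minimal RFC 5849 HMAC-SHA1 signer that ties the FreshBooks, Twitter and MapMyFitness posts together: parameters are percent-encoded and sorted before signing, the signing key is consumer_secret&token_secret with the '&' kept when the token secret is empty (request_token), and oauth_token plus oauth_verifier join the parameters while the temporary token secret joins the key at access_token. Fed the reverse-auth parameters quoted above from the Twitter docs, it reproduces the docs' signature base string; TMP_TOKEN, TMP_SECRET and VERIFIER are placeholders for server-issued values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed input: the reverse-auth request_token parameters quoted above from the Twitter docs.
TWITTER_DOC_PARAMS = {
    "oauth_consumer_key": "JP3PyvG67rXRsnayOJOcQ",
    "oauth_nonce": "1B7D865D-9E15-4ADD-8165-EF90D7A7D3D2",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1322697052",
    "oauth_version": "1.0",
    "x_auth_mode": "reverse_auth",
}
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
CONSUMER_SECRET = "ydC2yUbFaScbSlykO0PmrMjXFeLraSi3Q2HfTOlGxQM"  # the docs' example secret

def pct(value):
    # RFC 5849 section 3.6 encoding: only unreserved characters stay bare
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # METHOD & enc(url) & enc(k=v pairs sorted by encoded key, then value); oauth_signature is never inside
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def signing_key(consumer_secret, token_secret=""):
    # enc(consumer_secret) & enc(token_secret); the '&' stays even when token_secret is empty
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def sign(method, url, params, consumer_secret, token_secret=""):
    # oauth_signature = base64(HMAC-SHA1(signing_key, base_string)), always 28 characters
    mac = hmac.new(signing_key(consumer_secret, token_secret).encode(),
                   base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(method, url, params, consumer_secret, token_secret=""):
    # the header carries every oauth_* parameter plus the signature; body params such as x_auth_mode stay in the body
    signed = dict(params, oauth_signature=sign(method, url, params, consumer_secret, token_secret))
    fields = ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(signed.items()) if k.startswith("oauth_"))
    return "OAuth " + fields

if __name__ == "__main__":
    # step 1 (request_token): no token secret yet, so the key is "consumer_secret&"
    print(authorization_header("POST", REQUEST_TOKEN_URL, TWITTER_DOC_PARAMS, CONSUMER_SECRET))
    # step 3 (access_token): oauth_token/oauth_verifier join the params, the temporary token secret joins the key
    step3 = dict(TWITTER_DOC_PARAMS, oauth_token="TMP_TOKEN", oauth_verifier="VERIFIER")
    step3.pop("x_auth_mode")  # reverse_auth belongs to the request_token step only
    print(sign("POST", "https://api.twitter.com/oauth/access_token", step3, CONSUMER_SECRET, "TMP_SECRET"))
```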

oauth2 and imap connection with Gmail

I need to use oauth2 and imap to connect with Gmail, and I can see the code from https://github.com/simplegeo/python-oauth2:
import oauth2 as oauth
import oauth2.clients.imap as imaplib
# Set up your Consumer and Token as per usual. Just like any other
# three-legged OAuth request.
consumer = oauth.Consumer('your_consumer_key', 'your_consumer_secret')
token = oauth.Token('your_users_3_legged_token', 'your_users_3_legged_token_secret')
# Set up the URL according to Google's XOAUTH implementation. Be sure
# to replace the email here with the appropriate email address that
# you wish to access.
url = "https://mail.google.com/mail/b/your_users_email@gmail.com/imap/"
conn = imaplib.IMAP4_SSL('imap.googlemail.com')
conn.debug = 4
# This is the only thing in the API for imaplib.IMAP4_SSL that has
# changed. You now authenticate with the URL, consumer, and token.
conn.authenticate(url, consumer, token)
# Once authenticated everything from the imaplib.IMAP4_SSL class will
# work as per usual without any modification to your code.
conn.select('INBOX')
print(conn.list())
But I cannot understand the Consumer and Token here.
What do they mean?
How can I get key and secret for them respectively?
The client_id and client_secret I got from https://code.google.com/p/google-mail-oauth2-tools/wiki/OAuth2DotPyRunThrough. Is this Consumer or Token?
The above code sample is for OAuth 1, not OAuth 2. Consumer key and secret, token and token secret are all OAuth 1 terms.
I think the confusion is created by the fact that the Python library used is called "oauth2". In my understanding this is the second incarnation of an OAuth 1 library, the name is unfortunate.
The documentation for using OAuth 2 with Gmail is at:
https://developers.google.com/gmail/oauth_overview
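Added example, not from the post or from the python-oauth2 project: with OAuth 2 there is no consumer/token pair at all; the client_id and client_secret are used to obtain an access token, and that bearer token is what Gmail's IMAP server accepts through the SASL XOAUTH2 mechanism using the standard-library imaplib. USER and ACCESS_TOKEN are placeholders, and obtaining the token is outside this snippet.

```python
import base64
import imaplib

# Constructed placeholders: a real call uses the mailbox address and an OAuth 2.0 access
# token for the https://mail.google.com/ scope, obtained with the client_id/client_secret.
USER = "your_users_email@gmail.com"
ACCESS_TOKEN = "ya29.PLACEHOLDER_ACCESS_TOKEN"

def xoauth2_string(user, access_token):
    # SASL XOAUTH2 initial client response: "user=" user ^A "auth=Bearer " token ^A ^A
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()

def xoauth2_b64(user, access_token):
    # what actually travels on the wire after the AUTHENTICATE XOAUTH2 command
    return base64.b64encode(xoauth2_string(user, access_token)).decode()

def connect(user, access_token, host="imap.gmail.com"):
    # imaplib base64-encodes whatever the callback returns, so hand it the raw bytes
    conn = imaplib.IMAP4_SSL(host)
    conn.authenticate("XOAUTH2", lambda challenge: xoauth2_string(user, access_token))
    return conn

if __name__ == "__main__":
    print(xoauth2_b64(USER, ACCESS_TOKEN))
    conn = connect(USER, ACCESS_TOKEN)  # replaces the consumer/token authenticate() call above
    conn.select("INBOX")
    print(conn.list())
```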
