Skip Menu |

This queue is for tickets about the Net-OAuth CPAN distribution.

Report information
The Basics
Id: 47369
Status: resolved
Priority: 0/
Queue: Net-OAuth
People
Owner: kgrennan [...] cpan.org
Requestors: cosimo [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: Normal
Broken in: 0.18
Fixed in: (no value)

History Show all quoted text
  Fri Jun 26 09:44:38 2009 cosimo [...] cpan.org - Ticket created
I'm almost done implementing an OAuth provider, starting to test some real world application. Right now I'm using the javascript demo here: http://oauth.googlecode.com/svn/code/javascript/example/index.html in particular, the "get request token" part. I see that the provided examples work. When I try with my own provider, it doesn't work. My provider signature verification is based on Net::OAuth. The only difference that I can see between the generated signature and the request one is that the base string is missing "oauth_version". The javascript library in the example does *not* include oauth_version in the arguments, and it doesn't include it also in the base string, while Net::OAuth does by default, even if the request has no oauth_version, because optional. I will try to investigate a bit more on this, to see if it's a problem that I am introducing in some obscure way. Reading the OAuth specs, it seems that oauth_version should *not* be included if it's not present in the request, but then I wonder why others using Net::OAuth don't have this problem.
  Fri Jun 26 09:49:09 2009 cosimo [...] cpan.org - Subject changed from (no value) to 'Signature generation always includes "oauth_version"?'
  Fri Jun 26 10:29:31 2009 cosimo [...] cpan.org - Correspondence added
Going into a bit more detail, it seems to me that the relevant code is in gather_message_parameters(): 130 sub gather_message_parameters { 131 my $self = shift; 132 my %opts = @_; 133 $opts{quote} = "" unless defined $opts{quote}; 134 $opts{params} ||= []; 135 my %params; 136 foreach my $k (@{$self->required_message_params}, @{$self- Show quoted text
>optional_message_params}, @{$opts{add}}) {
137 next if $k eq 'signature' and (!$self->sign_message or ! grep ($_ eq 'signature', @{$opts{add}})); 138 my $message_key = $self->is_extension_param($k) ? $k : OAUTH_PREFIX . $k; 139 $params{$message_key} = $self->$k; 140 } 141 if ($self->{extra_params} and !$opts{no_extra} and $self- Show quoted text
>allow_extra_params) {
142 foreach my $k (keys %{$self->{extra_params}}) { 143 $params{$k} = $self->{extra_params}{$k}; 144 } 145 if ($self->can('request_url')) { 146 my $url = $self->request_url; 147 _ensure_uri_object($url); 148 foreach my $k ($url->query_param) { 149 $params{$k} = $url->query_param($k); 150 } 151 } 152 } In particular, here: 136 foreach my $k (@{$self->required_message_params}, @{$self- Show quoted text
>optional_message_params}, @{$opts{add}}) {
the optional params (for example "oauth_version") are included even if they were missing from the original request. Can this cause the signature mismatch I'm experiencing?
  Fri Jun 26 10:29:32 2009 cosimo [...] cpan.org - Status changed from 'new' to 'open'
  Fri Jun 26 11:40:58 2009 kgrennan [...] cpan.org - Taken
  Fri Jun 26 11:42:28 2009 kgrennan [...] cpan.org - Correspondence added
Yeah, that's definitely the problem. What method are you using to create the message object? Could you paste a sample of the provider code that uses Net::OAuth? Thanks, Keith
  Fri Jun 26 13:13:36 2009 cosimo [...] cpan.org - Correspondence added
On Ven. 26 Giu. 2009 11:42:28, KGRENNAN wrote: Show quoted text
> Yeah, that's definitely the problem. What method are you using to > create the message object? Could you paste a sample of the provider > code that uses Net::OAuth?
This is the failing case. Note the absence of "oauth_version=1.0" from here. Adding oauth_version from the JS library makes everything work. my $req_obj = Net::OAuth->request('request_token')->from_hash( { # This data comes from the javascript example I mentioned oauth_consumer_key => 'demo_key', oauth_nonce => 'NpOBlV', oauth_timestamp => '1246036201', oauth_signature_method => 'HMAC-SHA1', oauth_signature => '8CKEAX9ElpgHvJVGVrtyYHIumME=', }, consumer_secret => 'demo_secret', request_method => 'GET', request_url => 'http://my.url.here', ); if (! $req_obj->verify()) { return "Something wrong"; }
  Fri Jun 26 13:40:30 2009 kgrennan [...] cpan.org - Correspondence added
Fixed in Net::OAuth 0.19 (will be up on CPAN shortly, or get it from http://oauth.googlecode.com/svn/code/perl/). Now when you use from_hash(), from_authorization_header(), from_url() or from_post_body(), the oauth_version parameter is not automatically added. However it is added if you use new() directly, to be backwards compatible. Thanks for the bug report - really appreciate it - I haven't heard from many people implementing OAuth providers using Net::OAuth, so I'm eager to get more feedback from you if you run into other problems.
  Fri Jun 26 13:40:32 2009 kgrennan [...] cpan.org - Status changed from 'open' to 'resolved'