
This queue is for tickets about the Net-OAuth2 CPAN distribution.

Report information
The Basics
Id: 96454
Status: resolved
Priority: 0/
Queue: Net-OAuth2

People
Owner: Nobody in particular
Requestors: sweisman [...] pobox.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 0.59



Subject: using client_id and client_secret in get_access_token()
Date: Sun, 15 Jun 2014 03:12:51 +0300
To: bug-Net-OAuth2 [...] rt.cpan.org
From: Scott Weisman <sweisman [...] pobox.com>
Hi there. I am using the OAuth2 service of QQ Catalyst. I had to step through your code to understand why get_access_token() would not work, even though everything up through that point worked fine.

It turns out that QQ Catalyst's OAuth2 server did not like having the client_id and client_secret in the POST content. It returns with a 400. I removed these params from the content in the module and now everything is grand.

Can you add a config option of whether to add an Auth header (with the encoded client_id and client_secret) or add those params to the POST body (or both)? I hate to rely on a customized CPAN module for my project to work.

Thanks, Scott
Subject: Re: [rt.cpan.org #96454] using client_id and client_secret in get_access_token()
Date: Sun, 15 Jun 2014 22:59:53 +0200
To: Scott Weisman via RT <bug-Net-OAuth2 [...] rt.cpan.org>
From: Mark Overmeer <mark [...] overmeer.net>
* Scott Weisman via RT (bug-Net-OAuth2@rt.cpan.org) [140615 00:13]:
> It turns out that QQ Catalyst's OAuth2 server did not like having the
> client_id and client_secret in the POST content.

Can you supply a patch, so I can see exactly what works for you?

--
Regards,
MarkOv

------------------------------------------------------------------------
Mark Overmeer MSc                MARKOV Solutions
Mark@Overmeer.net                solutions@overmeer.net
http://Mark.Overmeer.net         http://solutions.overmeer.net
Subject: Re: [rt.cpan.org #96454] using client_id and client_secret in get_access_token()
Date: Mon, 16 Jun 2014 09:06:43 +0300
To: bug-Net-OAuth2 [...] rt.cpan.org
From: Scott Weisman <sweisman [...] pobox.com>
This is a hard-coded solution to make it work for the server I am connecting to, in WebServer.pm (my additions and comments in bold in the original mail; marked between the `# --- my additions ---` lines below):

    use MIME::Base64 qw(encode_base64);   # provides encode_base64 used below

    sub get_access_token($@)
    {   my ($self, $code, @req_params) = @_;

        # rfc6749 section "2.3.1. Client Password"
        # header is always supported, client_id/client_secret may be. We do both.
        my $params = $self->access_token_params(code => $code, @req_params);
        my $basic  = encode_base64 "$params->{client_id}:$params->{client_secret}"
          , '';   # no new-lines!

        # --- my additions ---
        delete($$params{client_id});      # above you say that "header is always
                                          # supported, client_id/client_secret may be. We do both."
        delete($$params{client_secret});  # At the server I am trying to auth with,
                                          # client_id/client_secret ARE NOT SUPPORTED and in fact
                                          # cause the auth request to be denied.
        # so I delete them after $basic is calculated but before build_request is
        # invoked, so they are not in the POST request body.
        # since header is ALWAYS supported as you say, that is the only needed
        # method anyway
        # it just happens that sites like Google ignore them, but not all sites do
        # --- end of my additions ---

        my $request = $self->build_request
          ( $self->access_token_method
          , $self->access_token_url
          , $params
          );

        $request->headers->header(Authorization => "Basic $basic");
        my $response = $self->request($request);

        Net::OAuth2::AccessToken->new
          ( profile      => $self
          , auto_refresh => !!$self->auto_save
          , $self->params_from_response($response, 'access token')
          );
    }
Subject: Re: [rt.cpan.org #96454] using client_id and client_secret in get_access_token()
Date: Mon, 16 Jun 2014 09:26:41 +0300
To: bug-Net-OAuth2 [...] rt.cpan.org
From: Scott Weisman <sweisman [...] pobox.com>
Here's the relevant quote from 2.3.1:

    Alternatively, the authorization server MAY support including the
    client credentials in the request-body using the following parameters:
    ...
    Including the client credentials in the request-body using the two
    parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
    to directly utilize the HTTP Basic authentication scheme (or other
    password-based HTTP authentication schemes). The parameters can only
    be transmitted in the request-body and MUST NOT be included in the
    request URI.

As you see, this method MAY be supported, which also means it MAY NOT be. It may even be rejected, since there's no language preventing that in the RFC. Further, your "do both" solution violates the RFC.

So, it's either best to add a new config option to the module (e.g. "send_secret_in_body" or something like that) or just remove it completely (since that is the RFC's recommended practice), as it is likely that no one will notice anyway. While your code clearly passed on big sites like Google, there may be many more sites like the one I encountered. That might even be the default for the OAuth2 library they're using.

Net::OAuth2 works great, now that I figured out the problem. Once I got my head around how it works, it's very simple and easy to use. Thanks.

One other thing. Why does an auth failure die? Yes, I can eval it, but why require that? Also, in order to diagnose the problem, I had to add debugging output to the code to print the entire request header and body. Some sort of verbose output would be nice.

Scott
Subject: Re: [rt.cpan.org #96454] using client_id and client_secret in get_access_token()
Date: Mon, 16 Jun 2014 10:54:33 +0200
To: Scott Weisman via RT <bug-Net-OAuth2 [...] rt.cpan.org>
From: Mark Overmeer <solutions [...] overmeer.net>
* Scott Weisman via RT (bug-Net-OAuth2@rt.cpan.org) [140616 06:07]:
>     delete($$params{client_id});      # above you say that "header is always
>                                       # supported, client_id/client_secret may be. We do both."
>     delete($$params{client_secret});  # At the server I am trying to auth with,

You get the %$params from a library. Please do not change such a HASH you got from a library, because in most cases you will be modifying the original! So, in the next call to collect these data, the records are missing.

A safer option is

    local $params->{client_id};
    local $params->{client_secret};

But I have chosen to implement an option flag

    Net::OAuth2::Profile::new(secrets_in_params)

I send you my updated version in a separate email. Please test.

--
Regards,
MarkOv
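As an added example (not the project's own code, and not from either author in this thread): a small stand-alone Perl helper that applies the two points raised above, Scott's reading of RFC 6749 section 2.3.1 that the request-body form of the client credentials is optional and NOT RECOMMENDED, and Mark's warning not to delete keys from a hash borrowed from a library. The `secrets_in_params` name is taken from Mark's message; the helper's name, its signature and the exact behaviour attached to the flag are assumptions, and the parameter values are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);
use HTTP::Tiny;

# Hypothetical helper (added example, not Net::OAuth2 code). Builds the
# headers and body of an access-token request and decides, by the
# secrets_in_params flag, whether the client credentials also go into the
# POST body. The caller's hash is never modified: all work is on a copy.
sub build_token_request {
    my ($params, %opts) = @_;

    # Shallow copy, so the library-owned %$params keeps its records for
    # the next call (the point about not deleting from a borrowed hash).
    my %body = %$params;
    my ($id, $secret) = delete @body{qw(client_id client_secret)};
    die "client_id and client_secret are required\n"
        unless defined $id && defined $secret;

    # RFC 6749 2.3.1: HTTP Basic is the scheme every server must support.
    # Empty line terminator so no newline ends up inside the header value.
    # (The RFC additionally form-urlencodes id and secret before base64;
    # this copy skips that step to stay comparable with the thread's code.)
    my $basic   = encode_base64("$id:$secret", '');
    my %headers = (
        'Authorization' => "Basic $basic",
        'Content-Type'  => 'application/x-www-form-urlencoded',
    );

    # Only put the credentials back into the body when explicitly asked:
    # the RFC marks this form NOT RECOMMENDED and some servers reject it.
    if ($opts{secrets_in_params}) {
        @body{qw(client_id client_secret)} = ($id, $secret);
    }

    my $content = HTTP::Tiny->new->www_form_urlencode(\%body);
    return { headers => \%headers, content => $content };
}

# Diagnostic helper: true if the encoded body still carries client
# credentials. Handy when chasing a 400 from a token endpoint, as the
# thread's "verbose output" request suggests.
sub body_has_secrets {
    my ($content) = @_;
    return $content =~ /(?:^|&)client_(?:id|secret)=/ ? 1 : 0;
}

unless (caller) {
    # Constructed sample parameters; not real credentials or endpoints.
    my %params = (
        client_id     => 'example-client',
        client_secret => 'example-secret',
        grant_type    => 'authorization_code',
        code          => 'SAMPLE_CODE',
        redirect_uri  => 'https://client.example/cb',
    );

    for my $flag (0, 1) {
        my $req = build_token_request(\%params, secrets_in_params => $flag);
        printf "secrets_in_params=%d  body_has_secrets=%d\n",
            $flag, body_has_secrets($req->{content});
        printf "  Authorization: %s\n  body: %s\n",
            $req->{headers}{Authorization}, $req->{content};
    }

    # The caller's hash still holds both keys after both calls.
    printf "caller hash intact: %s\n",
        (exists $params{client_id} && exists $params{client_secret}) ? 'yes' : 'no';
}
```

Run it with `perl` and compare the two bodies: with the flag off only the Authorization header carries the credentials, which is the form the thread found to work against the stricter server; with the flag on the body repeats them, which is what the pre-0.59 module always did. Because the helper copies the hash instead of deleting from it, a second call with the same `%params` still finds `client_id` and `client_secret`, which is the failure mode Mark describes for the `delete($$params{...})` approach.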
Subject: Re: [rt.cpan.org #96454] using client_id and client_secret in get_access_token()
Date: Mon, 16 Jun 2014 11:57:24 +0300
To: bug-Net-OAuth2 [...] rt.cpan.org
From: Scott Weisman <sweisman [...] pobox.com>
Thank you. My solution was quick and dirty. Thanks for the tip.