Closed GoogleCodeExporter closed 9 years ago
Thanks for bringing this up so quickly, it indeed seems that this is broken now.
I'm pretty sure this is because Signpost now sends the oauth_callback in the
Authorization header, next to all other oauth_* params. This seemed like a
sensible
thing to do, is (as far as I'm aware) not prohibited by the standard and was
actually
demanded by users as part of another ticket.
Although I'm not yet sure, this smells like a bug in Twitter. I had a look at
the
response, and it still sends oauth_callback_confirmed=true. It's also correctly
escaped, I checked that in the debug out.
I'm sorry for this, but regression testing against all the service providers
using
different configurations (e.g. out-of-band vs callback requests) is very time
consuming and difficult to automate. Looks like I have to come up with a
solution to
this so that this never happens again.
But first I'll have to find out why this is not working. I've turned to the
OAuth
group to make sure that I'm not off-spec with this, but I'm fairly sure I'm
not. Give
me a couple days to sort this out.
Meanwhile, you can fix Twitter by explicitly passing NULL as the callback
parameter -
- Twitter will then use whatever callback you configured for your application
on
their developer page.
Original comment by m.kaepp...@gmail.com
on 15 Mar 2010 at 7:51
No need to be apologetic. I only found this issue because I was still using
1.2.1-
SNAPSHOT from when I was having netflix issues, and my twitter code stopped
working
(while working on other exploratory features). This does seem pretty awkward to
test
properly, and as service providers increase, you increase your test complexity
linearly, another reason why non-standard handling of authentication is just a
ludicrous concept :P.
Perhaps setting up some sort of regression system against the biggest names
would be
feasible, but it's still not infallible, and it's not 100% coverage of all
possible
service providers. I'd be interested to see how you solve this test issue, as
continually increasing growth of test-complexity is an issue I deal with when
writing web applications, and I've still yet to find a really *good* solution.
Original comment by arcanef...@gmail.com
on 15 Mar 2010 at 8:00
Okay, so it was my stupidity after all. I double encode the callback in the
Auth
header, that's why it breaks.
I wanted to prepare a 1.2.1.1 hot-fix release anyway, since I discovered
another issue
that's fixed easily but currently prevents security realms from working (so
it's a
major defect, too).
Original comment by m.kaepp...@gmail.com
on 15 Mar 2010 at 8:53
Maybe two hot-fixes to get the callback working asap? :-)
Would be nice ...
Original comment by mgsi...@gmail.com
on 17 Mar 2010 at 10:15
yes should be done by the weekend, I do this in my spare time...
Original comment by m.kaepp...@gmail.com
on 17 Mar 2010 at 10:33
Original comment by m.kaepp...@gmail.com
on 21 Mar 2010 at 1:31
Original issue reported on code.google.com by
arcanef...@gmail.com
on 15 Mar 2010 at 6:59