Deemoore / oauth-signpost

Automatically exported from code.google.com/p/oauth-signpost

Callback URL doesn't work with Twitter and 1.2.1-SNAPSHOT, but works with 1.2. #34

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

```java
import oauth.signpost.OAuthConsumer;
import oauth.signpost.OAuthProvider;
import oauth.signpost.basic.DefaultOAuthConsumer;
import oauth.signpost.basic.DefaultOAuthProvider;

// Twitter's OAuth 1.0a endpoints for request token, access token and user authorization.
OAuthProvider twitterProvider = new DefaultOAuthProvider(
        "http://twitter.com/oauth/request_token",
        "http://twitter.com/oauth/access_token",
        "http://twitter.com/oauth/authorize");

// Consumer key and secret as registered for the application on Twitter's developer page.
OAuthConsumer twitterConsumer = new DefaultOAuthConsumer(
        "VFqtJrYSGatXtpACsHkcw",
        "3RbwpCa2wkcvFj0J4xk0RXyDZSlSJGzdfIg66ZLHmt8");

OAuthConsumer consumer = twitterConsumer;
OAuthProvider provider = twitterProvider;

// Fetches a request token, sending the callback URL as oauth_callback, and
// returns the authorize URL the user should be redirected to.
String authUrl = provider.retrieveRequestToken(consumer,
        "http://www.stefankendall.com:8080/test.jsp");
```

What is the expected output? What do you see instead?
The URL provided should properly encode the callback URL so that twitter
can redirect to the appropriate callback site. With 1.2.1-SNAPSHOT, the URL
appears to get encoded, and Twitter does not redirect, rather stating that
the given URL destination does not exist. 

What version of the product are you using? On what operating system?
1.2.1-SNAPSHOT. This works on 1.2, but fails on 1.2.1-SNAPSHOT. 

Original issue reported on code.google.com by arcanef...@gmail.com on 15 Mar 2010 at 6:59

GoogleCodeExporter commented 9 years ago
Thanks for bringing this up so quickly, it indeed seems that this is broken now.

I'm pretty sure this is because Signpost now sends the oauth_callback in the Authorization header, next to all other oauth_* params. This seemed like a sensible thing to do, is (as far as I'm aware) not prohibited by the standard and was actually demanded by users as part of another ticket.

Although I'm not yet sure, this smells like a bug in Twitter. I had a look at the response, and it still sends oauth_callback_confirmed=true. It's also correctly escaped, I checked that in the debug out.

I'm sorry for this, but regression testing against all the service providers using different configurations (e.g. out-of-band vs callback requests) is very time consuming and difficult to automate. Looks like I have to come up with a solution to this so that this never happens again.

But first I'll have to find out why this is not working. I've turned to the OAuth group to make sure that I'm not off-spec with this, but I'm fairly sure I'm not. Give me a couple of days to sort this out.

Meanwhile, you can fix Twitter by explicitly passing NULL as the callback parameter - Twitter will then use whatever callback you configured for your application on their developer page.

Original comment by m.kaepp...@gmail.com on 15 Mar 2010 at 7:51

GoogleCodeExporter commented 9 years ago
No need to be apologetic. I only found this issue because I was still using 1.2.1-SNAPSHOT from when I was having Netflix issues, and my Twitter code stopped working (while working on other exploratory features). This does seem pretty awkward to test properly, and as service providers increase, you increase your test complexity linearly, another reason why non-standard handling of authentication is just a ludicrous concept :P.

Perhaps setting up some sort of regression system against the biggest names would be feasible, but it's still not infallible, and it's not 100% coverage of all possible service providers. I'd be interested to see how you solve this test issue, as continually increasing growth of test complexity is an issue I deal with when writing web applications, and I have yet to find a really *good* solution.

Original comment by arcanef...@gmail.com on 15 Mar 2010 at 8:00

GoogleCodeExporter commented 9 years ago
Okay, so it was my stupidity after all. I double-encode the callback in the Auth header, that's why it breaks.

I wanted to prepare a 1.2.1.1 hot-fix release anyway, since I discovered another issue that's fixed easily but currently prevents security realms from working (so it's a major defect, too).

Original comment by m.kaepp...@gmail.com on 15 Mar 2010 at 8:53
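The two points raised in the maintainer's comments above, that oauth_callback is carried in the Authorization header next to the other oauth_* parameters (RFC 5849 permits this), and that percent-encoding the callback twice is what broke the redirect, shown as an added example. This is not code from the issue or from Signpost; it is written in Python so it runs stand-alone, the consumer credentials and the HMAC-SHA1 signing are placeholders constructed for the example, and the callback URL is the one from the report. Note that the provider still verifies the signature of the double-encoded request, which is why Twitter answered with oauth_callback_confirmed=true and only failed later, at the redirect.

```python
"""OAuth 1.0a request-token call: how oauth_callback travels in the
Authorization header and why percent-encoding it twice breaks the redirect.

Added example, not Signpost's code. Credentials below are constructed
placeholders (assumption), not the keys from the issue."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote, urlsplit

CONSUMER_KEY = "example-consumer-key"          # placeholder, assumption
CONSUMER_SECRET = "example-consumer-secret"    # placeholder, assumption
REQUEST_TOKEN_URL = "http://twitter.com/oauth/request_token"


def percent_encode(s: str) -> str:
    """RFC 5849 section 3.6: UTF-8 bytes, everything except unreserved chars encoded."""
    return quote(s.encode("utf-8"), safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 section 3.4.1.2: lowercase scheme/host, default port and query dropped."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    default = (parts.scheme == "http" and parts.port == 80) or (parts.scheme == "https" and parts.port == 443)
    if parts.port and not default:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme.lower()}://{host}{parts.path}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 section 3.4.1: METHOD&enc(uri)&enc(sorted k=v pairs joined by '&')."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_string_uri(url)), percent_encode(normalized)])


def hmac_sha1(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def request_token_header(callback: str, double_encode: bool = False, nonce=None, ts=None) -> str:
    """Client side: Authorization header for the request-token call, oauth_callback included.

    double_encode=True reproduces the 1.2.1-SNAPSHOT defect: the callback is
    percent-encoded once before it enters the parameter set and then encoded
    again, like every other value, when the header is serialised."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(ts or int(time.time())),
        "oauth_version": "1.0",
        "oauth_callback": percent_encode(callback) if double_encode else callback,
    }
    params["oauth_signature"] = hmac_sha1(signature_base_string("POST", REQUEST_TOKEN_URL, params), CONSUMER_SECRET)
    # RFC 5849 section 3.5.1: each name and value percent-encoded exactly once.
    return "OAuth " + ", ".join(f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in params.items())


def parse_authorization_header(header: str) -> dict:
    """Provider side: strip the scheme, split on commas, decode each name and value once."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for item in header[len("OAuth "):].split(","):
        k, _, v = item.strip().partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify_request(header: str, consumer_secret: str) -> bool:
    """Provider side: recompute the signature over the decoded parameters."""
    params = parse_authorization_header(header)
    given = params.pop("oauth_signature")
    expected = hmac_sha1(signature_base_string("POST", REQUEST_TOKEN_URL, params), consumer_secret)
    return hmac.compare_digest(given, expected)


def callback_seen_by_provider(callback: str, double_encode: bool) -> str:
    """The URL the provider will redirect to after decoding the header once."""
    return parse_authorization_header(request_token_header(callback, double_encode))["oauth_callback"]


if __name__ == "__main__":
    cb = "http://www.stefankendall.com:8080/test.jsp"
    for double in (False, True):
        hdr = request_token_header(cb, double)
        print("double-encoded" if double else "correct", "| signature ok:",
              verify_request(hdr, CONSUMER_SECRET), "| callback:", callback_seen_by_provider(cb, double))
```

With double_encode=True the provider decodes the header once, obtains `http%3A%2F%2Fwww.stefankendall.com%3A8080%2Ftest.jsp` as the callback, and finds the signature valid (the client signed the same once-encoded string), so the request-token response is normal and the breakage only shows up when the user is redirected to a URL that does not exist.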

GoogleCodeExporter commented 9 years ago
Maybe two hot-fixes to get the callback working asap? :-)

Would be nice ...

Original comment by mgsi...@gmail.com on 17 Mar 2010 at 10:15

GoogleCodeExporter commented 9 years ago
Yes, should be done by the weekend, I do this in my spare time...

Original comment by m.kaepp...@gmail.com on 17 Mar 2010 at 10:33

GoogleCodeExporter commented 9 years ago

Original comment by m.kaepp...@gmail.com on 21 Mar 2010 at 1:31