esrahofstede / google-gdata

Automatically exported from code.google.com/p/google-gdata

oauth_callback parameter in request for OAuthGetRequestToken in 3-legged OAuth results in an invalid signature #417

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

var auth = new OAuth3LeggedAuthenticator("test", "anonymous", "anonymous", null, null);
var request = auth.CreateHttpWebRequest("GET", new Uri("https://www.google.com/accounts/OAuthGetRequestToken?scope=https://docs.google.com/feeds/&oauth_callback=http://google.com"));

// alternatively:
//var settings = new RequestSettings("test", "anonymous", "anonymous", null, null) { UseSSL = true };
//var request = settings.CreateHttpWebRequest(null, "GET", new Uri("https://www.google.com/accounts/OAuthGetRequestToken?scope=https://docs.google.com/feeds/&oauth_callback=http://google.com"));

return new StreamReader(request.GetResponse().GetResponseStream()).ReadToEnd();

What is the expected output?

something like

oauth_token=4%2F0yF82nF-BdPGEQlFVtiOZ32Rbr1G&oauth_token_secret=vmc535qmtJ4V2xT5r5fZjNkj

What do you see instead?

The remote server returned an error: (400) Bad Request.
signature_invalid 
base_string:GET&https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthGetRequestToken&oauth_callback%3Dhttp%253A%252F%252Fgoogle.com%26oauth_consumer_key%3Danonymous%26oauth_nonce%3D56f191ed15214442bd35efbd692c0802%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1282240474%26oauth_version%3D1.0%26scope%3Dhttps%253A%252F%252Fdocs.google.com%252Ffeeds%252F

Original issue reported on code.google.com by iza.bill...@gmail.com on 19 Aug 2010 at 5:58

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
It seems that passing any parameter that begins with 'oauth_' in the query string will cause this failure.
Passing other arbitrary parameters works fine (i.e., &foo=bar).

Original comment by iza.bill...@gmail.com on 19 Aug 2010 at 6:41

GoogleCodeExporter commented 9 years ago
The reason is that the oauth_callback parameter isn't being added to the query base string for generating the signature. Only non-oauth parameters are grabbed from the query string; the oauth parameters are passed directly, but there isn't one for oauth_callback.

Basically, this makes it impossible to use 3-legged HMAC-SHA1 with this 
library...

Original comment by iza.bill...@gmail.com on 24 Aug 2010 at 1:49

GoogleCodeExporter commented 9 years ago
This patch fixes this particular use case, and is good enough for my needs. It 
probably causes other problems I am not aware of however.

Original comment by iza.bill...@gmail.com on 24 Aug 2010 at 5:31

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by ccherub...@google.com on 12 Dec 2010 at 1:17

GoogleCodeExporter commented 9 years ago
I found the same problem and made the same patch.  Can someone comment as to 
why the code wants to remove oauth_ query parameters and if there are any 
side-effects of removing this check?  If the check is useful for normal OAuth 
transactions, can explicit support be added for oauth_callback?

I, and I suspect many others, have had to write 3-legged OAuth support.  I have 
a 200-ish line C# file that is built on the GData Client library that I'd be 
happy to contribute.

Original comment by h...@iname.com on 14 Mar 2011 at 8:42

GoogleCodeExporter commented 9 years ago
Sorry, I haven't had time to work on this issue yet, so please attach your 
patch for 3-legged OAuth and I'll be glad to review and commit them as soon as 
possible.

Original comment by ccherub...@google.com on 14 Mar 2011 at 8:59

GoogleCodeExporter commented 9 years ago
I had problems with this base class too. It was fine when the query parameters didn't contain reserved chars, but if they did it generated an invalid signature. So setting ?scope was causing issues.

I might be wrong but I extracted the code and added the following to the 
GenerateSignatureBase method

// Url Encode any parameters that may contain reserved characters
foreach (QueryParameter parameter in parameters)
{
    parameter.Value = this.UrlEncode(parameter.Value);
}

This ensured that the scope parameter was double escaped in the signature base string, which sorted out the signature.

Don't know if this helps but it sorted my problems.

Original comment by davidsmo...@gmail.com on 16 Apr 2011 at 2:21
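The two failure modes discussed in this thread (the oauth_callback query parameter being left out of the signature base string, and reserved characters in parameter values not being percent-encoded before the base string is assembled) can both be checked against the base_string that Google echoed back in the 400 response. The following is an added example, not code from the google-gdata library or from anyone in this thread: it builds an OAuth 1.0 HMAC-SHA1 signature base string the way RFC 5849 section 3.4.1 describes (every parameter percent-encoded once, the normalized parameter string percent-encoded a second time, which is the "double escaping" the previous comment refers to), using the nonce and timestamp from the error message on this page. A drop_oauth_query_params switch reproduces the library's original behaviour of discarding oauth_* parameters found in the query string; the consumer secret "anonymous" is a placeholder.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Request URL from the bug report, including the oauth_callback query parameter.
REQUEST_URL = ("https://www.google.com/accounts/OAuthGetRequestToken"
               "?scope=https://docs.google.com/feeds/&oauth_callback=http://google.com")

# Protocol parameters the client adds itself. Nonce and timestamp are the ones
# visible in the base_string Google returned; they are fixed here so the result
# is reproducible (a real client generates fresh values per request).
OAUTH_PARAMS = {
    "oauth_consumer_key": "anonymous",
    "oauth_nonce": "56f191ed15214442bd35efbd692c0802",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1282240474",
    "oauth_version": "1.0",
}

# The base_string from the server's signature_invalid response on this page.
GOOGLE_BASE_STRING = (
    "GET&https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthGetRequestToken"
    "&oauth_callback%3Dhttp%253A%252F%252Fgoogle.com%26oauth_consumer_key%3Danonymous"
    "%26oauth_nonce%3D56f191ed15214442bd35efbd692c0802%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D1282240474%26oauth_version%3D1.0"
    "%26scope%3Dhttps%253A%252F%252Fdocs.google.com%252Ffeeds%252F"
)


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters survive."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, oauth_params, drop_oauth_query_params=False):
    """Build the signature base string for one request.

    drop_oauth_query_params=True mimics the library behaviour reported in this
    issue: oauth_* parameters that arrive via the query string are thrown away,
    so oauth_callback never reaches the base string and the server's own
    computation (which does include it) no longer matches.
    """
    parts = urlsplit(url)
    # Base URI: scheme and host lower-cased, no query, no fragment.
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"

    query_params = parse_qsl(parts.query, keep_blank_values=True)
    if drop_oauth_query_params:
        query_params = [(k, v) for k, v in query_params if not k.startswith("oauth_")]

    # First encoding pass: each key and value individually, then sort by key/value.
    encoded = sorted((pct(k), pct(v)) for k, v in list(oauth_params.items()) + query_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)

    # Second encoding pass: the whole normalized string is one base-string element,
    # which is why "https://docs.google.com/feeds/" appears as %253A%252F in the output.
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """oauth_signature value: base64(HMAC-SHA1(key, base_string)) with key = secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


if __name__ == "__main__":
    good = signature_base_string("GET", REQUEST_URL, OAUTH_PARAMS)
    bad = signature_base_string("GET", REQUEST_URL, OAUTH_PARAMS, drop_oauth_query_params=True)
    print("matches server base string:", good == GOOGLE_BASE_STRING)
    print("library-style base string matches:", bad == GOOGLE_BASE_STRING)
    print("oauth_signature:", hmac_sha1_signature(good, "anonymous"))
```

Running it shows that the RFC construction reproduces Google's base string byte for byte, while the variant that discards oauth_* query parameters does not, which is exactly the mismatch behind the signature_invalid error. Only the base string can be checked here; the signature itself depends on the real consumer secret.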

GoogleCodeExporter commented 9 years ago
3-legged OAuth support was thoroughly tested prior to releasing our own 
implementation in rev. 1123:

http://code.google.com/p/google-gdata/source/detail?r=1123

Original comment by ccherub...@google.com on 27 Dec 2011 at 4:23