influencia0406 / oauth-signpost

Automatically exported from code.google.com/p/oauth-signpost

Message signing with no token secret #2

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
When obtaining an Unauthorized Request Token, the request must be signed (http://oauth.net/core/#auth_step1). However, at that point a Token Secret is not available. The specification allows for this in section 9.2. HMAC-SHA1 (http://oauth.net/core/#anchor16) by not requiring a Token Secret (the implication is that it's the url-encoded consumer secret followed by an "&" and nothing else).

HmacSha1MessageSigner.java:25
    String keyString = OAuth.percentEncode(getConsumerSecret()) + '&' + OAuth.percentEncode(getTokenSecret());

Which depends on oauth.signpost.OAuth.percentEncode, which depends on com.google.gdata.util.common.base.PercentEscaper, which fails with an NPE if the Token Secret is null.

A quick fix is to add a test in oauth.signpost.OAuth.percentEncode and just return an empty string if the parameter is null.

With that fix, I could access Twitter using OAuth.

Original issue reported on code.google.com by ckstj...@gmail.com on 7 May 2009 at 10:47
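The section 9.2 key construction described in the report, as an added example (not signpost's code): a missing token secret encodes as the empty string, which is what the proposed null check in percentEncode amounts to, so the request-token step signs with the encoded consumer secret followed by a bare "&". The consumer secret and signature base string below are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Optional

# OAuth 1.0 section 5.1: only these characters are left unencoded.
_UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def percent_encode(value: Optional[str]) -> str:
    """OAuth percent-encoding. A missing value (None, the Java null of the
    report) encodes as the empty string instead of raising an exception."""
    if value is None:
        return ""
    return "".join(
        ch if ch in _UNRESERVED
        else "".join(f"%{b:02X}" for b in ch.encode("utf-8"))
        for ch in value
    )


def signing_key(consumer_secret: str, token_secret: Optional[str]) -> str:
    """OAuth 1.0 section 9.2: encoded consumer secret, '&', encoded token secret.
    At the request-token step no token secret exists yet, so the key ends in '&'."""
    return percent_encode(consumer_secret) + "&" + percent_encode(token_secret)


def hmac_sha1_signature(base_string: str, consumer_secret: str,
                        token_secret: Optional[str]) -> str:
    """Base64 HMAC-SHA1 of the signature base string under the section 9.2 key."""
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a request-token call made before any token exists.
    base = ("POST&https%3A%2F%2Fapi.example.test%2Foauth%2Frequest_token"
            "&oauth_consumer_key%3Dkey")
    print(signing_key("kd94hf93k423kf44", None))  # -> kd94hf93k423kf44&
    print(hmac_sha1_signature(base, "kd94hf93k423kf44", None))
```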

GoogleCodeExporter commented 8 years ago
Can you please test this again with the latest build (see downloads)? I believe I already fixed this as part of another change.

If the problem persists, please let me know and I'll investigate further.

Original comment by m.kaepp...@gmail.com on 13 May 2009 at 3:47

GoogleCodeExporter commented 8 years ago
Just checked again, this was resolved in changeset
http://code.google.com/p/oauth-signpost/source/detail?r=8

Thanks for reporting!

Original comment by m.kaepp...@gmail.com on 13 May 2009 at 8:15