papiayeee / oauth-signpost

Automatically exported from code.google.com/p/oauth-signpost
0 stars 0 forks source link

401 error with the latest version (signpost-core-1.2-SNAPSHOT.jar) that's not there in 1.1 from June. #25

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Run the attached file (this is a modified version of OAuthFireEagle
example but the urls modified to point to NetFlix which is a OAuth 1.0
compliant service provider). 
2. If you run the attached version using June version found in
OAuthFireEagle example
(http://oauth-signpost.googlecode.com/files/OAuthFireEagleExample.zip ),
there is no issue but if you use 1.2 version you will get a 401 error. 

I noticed this behavior in Android first where the result is pretty bad
(you get Received authentication challenge is null).

In the attached Java file, you have to replace consumer key and consumer
shared key with valid entries from NetFlix.

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?

Please provide any additional information below.

Original issue reported on code.google.com by spot...@gmail.com on 13 Jan 2010 at 8:33

Attachments:

GoogleCodeExporter commented 8 years ago
BTW, I failed to mention the OS. It's on Mac with Snow Leopard and JDK 1.6

Original comment by spot...@gmail.com on 13 Jan 2010 at 8:36

GoogleCodeExporter commented 8 years ago
I don't get it. What is that Main program supposed to do? You're configuring it 
with
NetFlix credentials and then you try to access a FireEagle resource with these.

Is that the actual code you're using?

Original comment by m.kaepp...@gmail.com on 13 Jan 2010 at 8:45

GoogleCodeExporter commented 8 years ago
Also, where do you see the 401? When retrieving one of the tokens or when 
sending the
signed POST?

Original comment by m.kaepp...@gmail.com on 13 Jan 2010 at 8:48

GoogleCodeExporter commented 8 years ago
I should have removed the commented out code that's referring to FireEagle 
stuff.
That commented code is not relevant for this (I am reattaching the file with
everything that's not relevant removed). 

I get 401 when I make the call "retrieveRequestToken(OAuth.OUT_OF_BAND)".

Original comment by spot...@gmail.com on 13 Jan 2010 at 9:55

Attachments:

GoogleCodeExporter commented 8 years ago
okay I found the reason. It's indeed because the Netflix implementation is 
buggy/non-
conformous. FireEagle had the same problem: they forbid empty parameters (e.g. 
oauth_token=), even though it's clearly demanded by the standard that ALL 
request 
parameters must be part of the signature, even those which are empty (cf. 
http://oauth.net/core/1.0a/#anchor13 section 9.1.1 paragraph 2).

You may want to raise an issue against the Netflix API about that.

Since this is the second time a service provider had this problem, I decided to 
include a compatibility flag into Signpost, which one can use to access service 
providers suffering from this issue. This will be part of the 1.2 release, 
which will 
happen soon.

Original comment by m.kaepp...@gmail.com on 13 Jan 2010 at 8:33

GoogleCodeExporter commented 8 years ago
the attached build fixes this problem in the test case you provided.

immediately after creating your consumer, do this:

        consumer.setCompatibilityModeForEmptyTokens(true);

and tell me if that fixes your problems.

Original comment by m.kaepp...@gmail.com on 13 Jan 2010 at 8:46

Attachments:

GoogleCodeExporter commented 8 years ago
in fact I just realized that the standard is not as clear on this as I 
thought... in 
appendix A2, it does NOT list the oauth_token parameter as part of the request 
in the 
example (http://oauth.net/core/1.0a/#anchor43).

You can still use that JAR I posted, but I may have to change it once more... 
standards, sigh.

Original comment by m.kaepp...@gmail.com on 13 Jan 2010 at 9:06

GoogleCodeExporter commented 8 years ago
Thanks a lot for a quick turn around. I will give a try and let you know.

Original comment by spot...@gmail.com on 13 Jan 2010 at 9:15

GoogleCodeExporter commented 8 years ago
I tried this with the snapshot you sent me but it looks like this core is
incompatible with the commons-http4-1.2-SNAPSHOT I have as I am getting the 
following
exception:

Exception in thread "main" java.lang.NoSuchMethodError:
oauth.signpost.AbstractOAuthConsumer.<init>(Ljava/lang/String;Ljava/lang/String;
Loauth/signpost/signature/SignatureMethod;)V
    at
oauth.signpost.commonshttp.CommonsHttpOAuthConsumer.<init>(CommonsHttpOAuthConsu
mer.java:12)
    at Main.main(Main.java:20)

Original comment by spot...@gmail.com on 13 Jan 2010 at 9:24

GoogleCodeExporter commented 8 years ago
Ah crap. Okay, maybe gimme another day for this so I can get this right.

I just had a brief discussion with the Netflix guys on their API forums, and 
the 
conclusion pretty much is that both client (Signpost) and server (Netflix) 
should 
make their implementations more relaxing.

I will change Signpost to NOT include the empty token anymore by default, since 
most 
service providers seem to either accept BOTH solutions (i.e. empty and 
non-empty 
tokens, e.g. Twitter and Google) or only non-empty tokens (like Netflix).

I will keep that switch though, so clients can decide themselves what they 
need, but 
that means you'll have to change your code once more since I'll reverse the 
logic of 
that switch (i.e. create a sendEmptyTokens(yesno) setter).

Thanks for bringing this up, looks like you have discovered a weak spot in the 
OAuth 
spec :-)

Original comment by m.kaepp...@gmail.com on 13 Jan 2010 at 9:33

GoogleCodeExporter commented 8 years ago
I released 1.2. I tested with Netflix and it works for me.

Can you please report back if 1.2 fixes this problem for you, so I can close 
the ticket.

Original comment by m.kaepp...@gmail.com on 28 Jan 2010 at 9:27

GoogleCodeExporter commented 8 years ago
OK. Will give a try but probably not until Monday. Thanks.

Original comment by spot...@gmail.com on 29 Jan 2010 at 2:13

GoogleCodeExporter commented 8 years ago
Matthias,
Yes, the latest version works for me.. Thanks for the good work. Go ahead and 
close
the ticket..

Suresh

Original comment by spot...@gmail.com on 3 Feb 2010 at 7:26

GoogleCodeExporter commented 8 years ago
good to hear.

Original comment by m.kaepp...@gmail.com on 3 Feb 2010 at 8:58

GoogleCodeExporter commented 8 years ago
i have the following error while i am trying to fetch the LinkedIn feeds:

Exception in thread "main" 
oauth.signpost.exception.OAuthCommunicationException: Communication with the 
service provider failed: api.linkedin.com

can somebody please help

Original comment by arushich...@gmail.com on 25 Dec 2012 at 5:53