pelle / oauth-plugin

Rails plugin for OAuth
http://stakeventures.com/articles/2009/07/21/consuming-oauth-intelligently-in-rails
MIT License

rack/oauth_filter in 0.4.0-pre6 still experimental #76

Open FransMaas opened 13 years ago

FransMaas commented 13 years ago

Hi,

I am upgrading our Rails app from 2.3.2 to 3.0.9

Was using oauth (0.3.6)

Now oauth (0.4.5) + oauth-plugin (0.4.0.pre6) + oauth2 (0.4.1)

Using Apache 2.2.14 and Passenger 3.0.7 on Fedora 10

The issue is that the rack/oauth_filter doesn't seem to be working. A comment in the file says it is still experimental.

What I see is that the request parameters aren't properly converted into the env structure request.

For instance, OAuth::Signature.build is called with a request that only contains an env block which in turn contains HTTP_AUTHORIZATION: OAuth oauth_nonce="l7aa7zEgP4oEPeTmnvBNUzo4oMwr3N8ynXrt6P2kLM", oauth_signature_method="HMAC-SHA1", oauth_token="pamJcgXhQamroi0ehNSX", oauth_timestamp="1310131743", oauth_consumer_key="eLLSMZXqHM04NkVAv4TU", oauth_verifier="YU7H8lGOFxgjcuRh8w22", oauth_signature="xxrS40m5xjBF3GfM9lVEsGpBNOo%3D", oauth_version="1.0"

But signature.build expects request.signature_method to be filled, so it rejects the signature.

Some questions: Do I overlook something? Is there a better version of rack/oauth_filter available somewhere? Or is there an alternative at all for using oauth under rack/rails?

Looking forward to some useful answers, thanks.

Regards, Frans

FransMaas commented 13 years ago

Hi,

After debugging for a while I discovered that there is nothing wrong with the request building as such. The Signature builds a correct RackRequest proxy with the parameters in the right place. It then finds the signature class and creates a correct HMAC-SHA1 signature.

The point is that oauth1_verify throws an OAuth::Signature::UnknownSignatureMethod because the oauth_token can't be found among the tokens registered with the client application.

The problem may be in the particular use case: we are entering straight away with an access token, and do not first collect a request token. The filter seems to assume that the request token is already known to the client_application.

I have to look further into this, but for the moment I want to avoid that anyone would be focussing on the request building issue as such. In hindsight that doesn't appear to be the problem.

Regards, Frans
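
The failure described in the comment above, as an added example that is not part of the original thread and not oauth-plugin's code: a stand-alone Rack-style OAuth 1.0 check that parses the `HTTP_AUTHORIZATION` header and returns a separate result for an unregistered token, an unsupported signature method and a bad signature. The consumer and token stores and all function names are assumptions, and the base string covers only the `oauth_*` header parameters.

```ruby
require "openssl"
require "base64"

# Constructed sample secrets; all names and values here are hypothetical.
CONSUMERS     = { "sample-consumer" => "consumer-secret" }.freeze
ACCESS_TOKENS = { "sample-access-token" => "token-secret" }.freeze

# RFC 3986 percent-encoding, as OAuth 1.0 requires for the base string.
def enc(s)
  s.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Pull the oauth_* parameters out of the Rack env's Authorization header.
def parse_oauth_header(env)
  header = env["HTTP_AUTHORIZATION"].to_s
  return {} unless header.match?(/\AOAuth\s/i)
  header.scan(/(oauth_\w+)="([^"]*)"/).to_h { |k, v| [k, v.gsub(/%(\h\h)/) { $1.hex.chr }] }
end

# HMAC-SHA1 over the signature base string (assumption: default port and
# no query or body parameters, a deliberate narrowing for this example).
def hmac_sha1(env, params, consumer_secret, token_secret)
  url = "#{env['rack.url_scheme']}://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
  normalized = params.reject { |k, _| k == "oauth_signature" }
                     .map { |k, v| "#{enc(k)}=#{enc(v)}" }.sort.join("&")
  base = [env["REQUEST_METHOD"].upcase, enc(url), enc(normalized)].join("&")
  key = "#{enc(consumer_secret)}&#{enc(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest("SHA1", key, base))
end

# Comparison whose running time does not depend on where the strings differ.
def constant_time_eq?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns a distinct symbol per failure, so a token lookup miss is never
# reported as a signature-method problem.
def verify_oauth1(env)
  params = parse_oauth_header(env)
  return :missing_oauth_header if params.empty?
  return :unsupported_signature_method unless params["oauth_signature_method"] == "HMAC-SHA1"
  consumer_secret = CONSUMERS[params["oauth_consumer_key"]]
  return :unknown_consumer unless consumer_secret
  token_secret = ACCESS_TOKENS[params["oauth_token"]]
  return :unknown_token unless token_secret
  expected = hmac_sha1(env, params, consumer_secret, token_secret)
  constant_time_eq?(expected, params["oauth_signature"].to_s) ? :ok : :bad_signature
end
```

A request signed with an access token that is absent from `ACCESS_TOKENS` returns `:unknown_token`, which points the operator at token registration rather than at request parsing.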

joshhepworth commented 12 years ago

How did you solve this problem? I seem to be experiencing the same thing, but I'm having trouble figuring out just how to fix it.

Thanks.