requests / requests-oauthlib

OAuthlib support for Python-Requests!
https://requests-oauthlib.readthedocs.org/
ISC License

OAuth signature does not match with wordpress API #257

Open torejx opened 7 years ago

torejx commented 7 years ago

Hi,

I'm trying to perform a POST request to the WP API, but I get the error "signature does not match". The same request, sent through Postman, works.

The code

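from requests_oauthlib import OAuth1Session

URL = u'...'
CLIENT_KEY = u'...'
CLIENT_SECRET = u'...'
TOKEN = u'...'
TOKEN_SECRET = u'...'

def main():

    post = {
        'title': 'Test python',
        'content': 'message python',
        'status': 'publish'
    }

    # Client credentials first, then the resource owner token and secret;
    # the OAuth parameters are sent in the Authorization header.
    oauth = OAuth1Session(CLIENT_KEY,
                          CLIENT_SECRET,
                          TOKEN,
                          TOKEN_SECRET,
                          signature_type='auth_header')

    # Form-encoded body parameters are included in the OAuth 1 signature.
    r = oauth.post(URL + 'posts/', data=post)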

Thanks!

Lukasa commented 7 years ago

Can you provide a bit more information please? For example, can you provide the full traceback? Versions of requests and requests-oauthlib? Can you also try not providing the signature type?

torejx commented 7 years ago

Sure.

Python 2.7.10
requests==2.11.1
requests-oauthlib==0.7.0

No luck without signature type.

I've used print_stack() for the traceback and it's useless...


  File "wp.py", line 42, in <module>
    main()
  File "wp.py", line 20, in main
    traceback.print_stack()

Lukasa commented 7 years ago

Hang on, you said you're getting "signature does not match": where are you getting that error from?

torejx commented 7 years ago

Sorry, I forgot part of the code. I get the error in r.text, the JSON response.

Lukasa commented 7 years ago

Hrm. Are you confident your client details and resource owner details are correct?

torejx commented 7 years ago

Yes, I tried the same request with Postman and it worked.

singingwolfboy commented 6 years ago

Hi @torejx, it's been over a year since there was any activity on this GitHub issue. Is this still a problem for you? If not, I'm going to close the issue.

If it is still a problem for you, can you provide a more detailed reproducible test case? It sounds like there's a problem with the way oauthlib is calculating the signature, so it would help if we could actually see the different signatures calculated by oauthlib vs Postman.

laurent-pck commented 2 years ago

Hi @singingwolfboy, I have a problem with signature verification and Magento2 API. It happens for GET requests with params containing space characters. Hence, it may not be related to this issue (POST request) but I think it could be if the content-type is application/x-www-form-urlencoded.

When I make a request, I receive a 401 Unauthorized. Signature verification fails on the server side.

Actually, I had this problem with the rauth library (401 response) but it happens with requests-oauthlib too. I think that the ground reason could be the same, as both libraries are based on requests.

In requests, RequestEncodingMixin::_encode_params() is used to URL-encode GET params. This method uses urllib.parse.urlencode, which encodes the space character as +. For the signature, space characters are encoded as %20, as stated in Section 3.6 of RFC 5849. For signature verification on the server side, the Zend Framework computes the signature from the request, where space is encoded as +. In the end, the signature verification fails.

I don't know if rauth should encode space as %20 in the query string or if the Zend Framework should transform the + to %20 before computing the signature. The second choice seems to be a better option to comply with RFC 5849.

I did not try to confirm this for requests-oauthlib but maybe it could help to solve some signature mismatch problems.
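
The mismatch described in the comment above can be reproduced with the standard library alone. This is an added example, not code from the thread or from requests-oauthlib; the URL, credentials, parameter name and the `server_params` verifier model are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed sample values, not taken from the thread.
URL = "https://shop.example/rest/V1/products"
CLIENT_SECRET, TOKEN_SECRET = "client-secret", "token-secret"
OAUTH = [("oauth_consumer_key", "ck"), ("oauth_nonce", "abc123"),
         ("oauth_signature_method", "HMAC-SHA1"),
         ("oauth_timestamp", "1700000000"), ("oauth_token", "tk"),
         ("oauth_version", "1.0")]

def pct(text):
    """RFC 5849 section 3.6 encoding: space becomes %20, '+' becomes %2B."""
    return quote(text, safe="-._~")

def signature(params):
    """HMAC-SHA1 signature over the RFC 5849 section 3.4.1 base string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params + OAUTH)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join(["GET", pct(URL), pct(normalized)])
    key = f"{pct(CLIENT_SECRET)}&{pct(TOKEN_SECRET)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def server_params(query, form_decode):
    """Recover parameters from the wire query, with or without '+' -> space."""
    if form_decode:
        return parse_qsl(query)
    # Hypothetical verifier that percent-decodes but keeps '+' as a literal plus.
    return [tuple(unquote(x) for x in pair.split("=", 1))
            for pair in query.split("&")]

def compare(value):
    """Return (wire query, match without form decoding, match with it)."""
    query = urlencode([("name", value)])  # the encoder named in the comment
    client_sig = signature([("name", value)])
    lenient = signature(server_params(query, False))
    strict = signature(server_params(query, True))
    return (query, hmac.compare_digest(client_sig, lenient),
            hmac.compare_digest(client_sig, strict))

if __name__ == "__main__":
    print(compare("blue shirt"))
```

A value without spaces verifies either way, which is why the failure only shows up for some requests.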