scream78 / oauth

Automatically exported from code.google.com/p/oauth
0 stars 0 forks source link

[JS][PATCH] generate HTTP headers string #63

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Try to use the Authorization Header
2. no being able to
3. crying

What is the expected output? What do you see instead?

having a method to do it. Here is my proposal:

var header = OAuth.SignatureMethod.getHTTPHeader(realm, message, accessor);

Original issue reported on code.google.com by yoan.blanc on 14 Nov 2008 at 1:25

Attachments:

GoogleCodeExporter commented 9 years ago
In -r761 I added a similar method getAuthorizationHeader.  It expects the 
caller to 
provide a complete set of parameters, and returns the header value.  Example 
usage:

var message = {action: ..., method: ..., parameters: []};
OAuth.setTimestampAndNonce(message);
OAuth.SignatureMethod.sign(message);
var header = "Authorization: " + OAuth.getAuthorizationHeader("realm", 
message.parameters);

Original comment by jmkrist...@gmail.com on 14 Nov 2008 at 8:41

GoogleCodeExporter commented 9 years ago
Thank you very much, I'll see if it fits and how.

Original comment by yoan.blanc on 14 Nov 2008 at 8:48

GoogleCodeExporter commented 9 years ago
Oops, I bungled my first attempt.  -r762 should be better.

Original comment by jmkrist...@gmail.com on 14 Nov 2008 at 10:05

GoogleCodeExporter commented 9 years ago
-r763 adds a unit test and fixes more bugs.

Original comment by jmkrist...@gmail.com on 16 Nov 2008 at 8:06

GoogleCodeExporter commented 9 years ago
This bug has to be reopen as it's not fixed.

The new interface:

// action, method, parameters
OAuth.setTimestampAndNonce(message);
// consumerKey, consumerSecret, token, tokenSecret
OAuth.SignatureMethod.sign(message, accessor);

var header = OAuth.getAuthorizationHeader(realm, message);

And it's known to work ;-)

Changelog:
 - I added back (again) the oauth_version,
 - the token has to appear in the HTTP header but not in the baseString if empty.

One question, why setParameters, getParameters... ?

Original comment by yoan.blanc on 19 Nov 2008 at 3:51

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by jmkrist...@gmail.com on 19 Nov 2008 at 6:07

GoogleCodeExporter commented 9 years ago
-r764 is more useful, I hope.

Original comment by jmkrist...@gmail.com on 19 Nov 2008 at 7:08

GoogleCodeExporter commented 9 years ago
What about this important part:

+        if(!OAuth.getParameter(message, "oauth_token")) {
+            OAuth.setParameter(message, "oauth_token", "");
+        }

seen there:

http://code.google.com/p/oauth/source/browse/code/csharp/OAuthBase.cs#213

The spec says to only remove realm and oauth_signature but not oauth_token if 
empty. 
http://oauth.net/core/1.0/#anchor14

Cheers,

Original comment by yoan.blanc on 19 Nov 2008 at 7:39

GoogleCodeExporter commented 9 years ago
Here an Opera widget that connect to Google Calendar using OAuth. Widgets are 
free 
to do cross-domain stuff.

It contains a patch, with two things, very small, the second one applies to 
Google 
only, it's oAuth+Google...

// in: getAuthorizationHeader(
-            if (name.indexOf("oauth_") == 0) {
+            // Scope is a google thing...
+            if (name.indexOf("oauth_") == 0 || name === "scope") {

What to do with that?

Cheers,
with is not t

Original comment by yoan.blanc on 19 Nov 2008 at 11:20

Attachments:

GoogleCodeExporter commented 9 years ago
Yet another patch, to deal with the "oauth_token" thing, the service uses the C#
library so maybe the mistake is there.

 * baseString: should not contain oauth_token if empty
 * http header: contains oauth_token even empty

-- 
Yoan

Original comment by yoan.blanc on 20 Nov 2008 at 10:00

Attachments:

GoogleCodeExporter commented 9 years ago
Yes, the C# library is wrong.  I recommend you add oauth_token="" to the header 
in 
your application code, not the oauth.js library.

After some discussion, I think we arrived at a satisfactory oauth.js -r809.  It 
produces an Authorization header that contains only parameters whose names 
begin 
with 'oauth_'; that excludes 'scope'.

Original comment by jmkrist...@gmail.com on 26 Nov 2008 at 9:50

GoogleCodeExporter commented 9 years ago
Thanks for you work John!

Original comment by yoan.blanc on 26 Nov 2008 at 10:30