sgang007 / SplitUp

A Chrome plugin for splitwise

Oauth not working #1

Open mgod opened 9 years ago

mgod commented 9 years ago

Moving the discussion here to keep our thread a little less specific on the docs page. The OAuth library you're using feels a little weak and poorly documented. I might take a look at https://github.com/requests/requests-oauthlib before you spend too much more time on this. With the current library, you need to be setting the http_method="POST" parameter on the from_consumer_and_token method. SERVER should be secure.splitwise.com and PORT should be 443. httplib.HTTPConnection should be httplib.HTTPSConnection.

I know our OAuth implementation can be a bit tricky and hard to test with as our testing tools are a little limited. It sounds like this is your first time working with OAuth? I'd be tempted to follow the example here for connecting to Twitter (https://github.com/simplegeo/python-oauth2) which should both give you a better feel for how OAuth works in an environment that is more forgiving and I believe (but haven't checked) that if you get this working on Twitter, you should be able to swap out the Twitter-specific constants for the Splitwise ones (and make the get_request_token a POST) and it should basically work.

I'm sorry I don't have a simpler solution for you! If you do get this all working, PLEASE let me know so I can make a note of a working Python example for anyone else working on Splitwise.
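Added example, not part of the original comment or of either project's code: in OAuth 1.0a (RFC 5849) the HTTP method is part of the signed base string, so a request signed as GET but sent as POST fails verification. The path, key, secret and nonce below are constructed placeholders; only the host and port come from the thread.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def pct(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")

def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & encoded-URI & encoded-sorted-params."""
    parts = urlsplit(url)
    host = parts.hostname
    # Default ports (443 for https, 80 for http) are dropped from the base URI.
    if parts.port and (parts.scheme, parts.port) not in (("https", 443), ("http", 80)):
        host = f"{host}:{parts.port}"
    base_uri = f"{parts.scheme}://{host}{parts.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature; the token secret is empty for the request-token step."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def verify(method, url, params, consumer_secret, presented_sig):
    """Provider side (generic, per the RFC): recompute from the method received."""
    expected = sign(method, url, params, consumer_secret)
    return hmac.compare_digest(expected, presented_sig)

# Constructed sample values (placeholders, not real Splitwise credentials or paths).
URL = "https://secure.splitwise.com:443/PLACEHOLDER_REQUEST_TOKEN_PATH"
PARAMS = {
    "oauth_consumer_key": "CONSTRUCTED_CONSUMER_KEY",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1400000000",
    "oauth_version": "1.0",
}
SECRET = "CONSTRUCTED_CONSUMER_SECRET"

if __name__ == "__main__":
    signed_as_get = sign("GET", URL, PARAMS, SECRET)
    signed_as_post = sign("POST", URL, PARAMS, SECRET)
    # The request travels as POST, so the provider recomputes with POST.
    print("signed as GET: ", verify("POST", URL, PARAMS, SECRET, signed_as_get))
    print("signed as POST:", verify("POST", URL, PARAMS, SECRET, signed_as_post))
```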

sgang007 commented 9 years ago

The library that you suggested is derived from the library I was using, but it is much better. I used the library to write the oauth_test.py. According to the library, the URL after authorization should return a PIN, but Splitwise is not giving the PIN. Instead it just mentions that 'you have authorized SplitUp'.

Here's the documentation on the PIN verification process in the Twitter API, but I can't find such a PIN in Splitwise. https://dev.twitter.com/oauth/pin-based

mgod commented 9 years ago

Whoops, my apologies, I forgot to specify that we only support the 3-legged login style.

mgod commented 9 years ago

And to clarify that, when you finish authorizing the user on Splitwise, the Splitwise app should redirect to whatever you configured as your redirect URL when you created the application. From that page (which should be one you control), you should be able to display the verifier to the user to use as a PIN.

sgang007 commented 9 years ago

You mean to say my redirect URL should have a backend to accept the request coming after authorization and parse it to get the oauth_verifier, which would then be used to get the access token?

But which is the redirect URL? Is it the same as the callback URL, or is it the homepage URL? Currently, after authorization it's not redirecting anywhere; it's just saying 'You are authenticated'.

Can localhost be a redirect URL? I want to test its working locally on my system before deploying.
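Added example, not part of the original comment: one way a callback page could pull `oauth_verifier` out of the redirect in the 3-legged flow while refusing redirects that do not belong to the pending login. The function name, the `CallbackError` class and the token and verifier values are hypothetical; the extension URL is the one quoted later in this thread.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

class CallbackError(ValueError):
    """Raised when a redirect must not be used to fetch an access token."""

def extract_verifier(redirect_url, registered_callback, pending_request_token):
    got, want = urlsplit(redirect_url), urlsplit(registered_callback)
    # 1. Only accept the redirect on the exact callback registered for the app.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise CallbackError("redirect did not land on the registered callback")
    query = parse_qs(got.query, keep_blank_values=True)
    # 2. Each parameter must appear exactly once and be non-empty.
    values = {}
    for name in ("oauth_token", "oauth_verifier"):
        found = query.get(name, [])
        if len(found) != 1 or not found[0]:
            raise CallbackError(f"{name} missing, empty or repeated")
        values[name] = found[0]
    # 3. The returned token must be the request token this client started the
    #    flow with; otherwise the verifier belongs to some other authorization.
    if not hmac.compare_digest(values["oauth_token"].encode(),
                               pending_request_token.encode()):
        raise CallbackError("oauth_token does not match the pending request token")
    return values["oauth_verifier"]

# Constructed sample values for illustration.
REGISTERED = "chrome-extension://cipbcahlikgkkdoapalnfonibophgdmk/popup.html"
PENDING = "constructed-request-token"

if __name__ == "__main__":
    ok = REGISTERED + "?oauth_token=constructed-request-token&oauth_verifier=constructed-verifier"
    print(extract_verifier(ok, REGISTERED, PENDING))
    try:
        extract_verifier(REGISTERED + "?oauth_token=other&oauth_verifier=v", REGISTERED, PENDING)
    except CallbackError as exc:
        print("rejected:", exc)
```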

mgod commented 9 years ago

Unfortunately, you can't use a non-public URL for the callback. The callback URL you used when you registered the application is what gets used by default. You might be able to override this by providing the callback url as a parameter in the authenticate call, but I'm not sure this works on Splitwise.

sgang007 commented 9 years ago

I found a better way to do this. Chrome provides an inbuilt library for OAuth authentication in its extensions. If the callback URL is given in the form .chromiumapp.org, it automatically handles the entire OAuth authentication.

Just to be sure, is the client id the same as the consumer-key? And the app-id is the one that we get after registering the app on the Chrome store?

Here is the doc on that: https://developer.chrome.com/apps/app_identity#register_provider

mgod commented 9 years ago

client id and consumer key should be the same. If you run into trouble getting that working in Chrome, ping me with report steps I can use to see the problem (I've done a couple of Chrome extensions before).

sgang007 commented 9 years ago

I currently don't have a credit card as I am still a student. So, I won't be able to use the chrome api.

However, I will make the frontend for the app. If you have a Chrome developer account, you can register for the app id. Otherwise, I would have to write separate backend code using a REST API or something.

sgang007 commented 9 years ago

Why can't this be used as the callback url: chrome-extension://cipbcahlikgkkdoapalnfonibophgdmk/popup.html

As given in this doc: https://api.yandex.com/oauth/doc/dg/reference/desktop-client.xml

I can write the backend to handle the request if it gets redirected to this url.

mgod commented 9 years ago

That should work. You might need to register that as a callback when you create the app on Splitwise.

sgang007 commented 9 years ago

But this url can't be registered. It says URL is invalid during the registration process.

mgod commented 9 years ago

We might not do the best validation on our end. Let me take a look at our API registration process.

mgod commented 9 years ago

We should now allow callback urls using chrome-extension://... format. Can you give it a try and see if it works for you?

sgang007 commented 9 years ago

Yes... the application can be registered now. I will write some backend code to test the link and get back to you later.

sgang007 commented 9 years ago

But chrome-extension:///index.html is a non-public URL. So, even though the callback can be registered now, it can't successfully redirect after the authorization.

mgod commented 9 years ago

You may need to publish the extension to get chrome to handle this correctly. I think you should be able to redirect to a URL that the OAuth server can't see as long as the local process can see it. I haven't played with this enough to be sure. I'm on a bit of a crunch this week, but I might have more time this weekend to play with this.

alanhamlett commented 8 years ago

I also like https://github.com/litl/rauth