tianshanxuester / gdata-objectivec-client

Automatically exported from code.google.com/p/gdata-objectivec-client
Other
0 stars 0 forks source link

OAuth/GDataOAuthSignIn.m doesn't call callback URL #73

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Use GDataOAuthSignIn to authenticate with a callback to a 3rd party server 
by using [auth setCallback:@""]

What is the expected output? What do you see instead?
Callback URL should be called with the OAuth token. It called accessURL_ which 
does not contain the callback URL. It should instead call requestURL which has 
the properly formed callback URL plus the OAuth information.

Please use labels and text to provide additional information.

Here is a diff:

Index: Source/OAuth/GDataOAuthSignIn.m
===================================================================
--- Source/OAuth/GDataOAuthSignIn.m (revision 557)
+++ Source/OAuth/GDataOAuthSignIn.m (working copy)
@@ -293,7 +293,7 @@
   NSString *responseStr = [[redirectedRequest URL] query];
   [auth_ setKeysForResponseString:responseStr];

-  NSMutableURLRequest *request = [NSMutableURLRequest 
requestWithURL:accessURL_];
+  NSMutableURLRequest *request = [NSMutableURLRequest 
requestWithURL:requestURL];
   [auth_ addAccessTokenHeaderToRequest:request];

   GDataHTTPFetcher *fetcher = [GDataHTTPFetcher httpFetcherWithRequest:request];

Original issue reported on code.google.com by tbel...@gmail.com on 8 Sep 2010 at 3:45

GoogleCodeExporter commented 9 years ago
The callback URL is not a valid URL to fetch. The OAuth tokens are taken from 
the callback URL this way:

  NSString *responseStr = [[redirectedRequest URL] query];
  [auth_ setKeysForResponseString:responseStr];

Then the access token is obtained, signed by the auth information:

  NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:accessURL_];
  [auth_ addAccessTokenHeaderToRequest:request];

Do not use an empty callback URL. The URL need not be for a valid page, but it 
should not be empty, as it's used by the OAuth controller to determine when the 
OAuth dance has completed.

Original comment by gregrobbins on 9 Sep 2010 at 8:17

GoogleCodeExporter commented 9 years ago
Sorry the example wasn't clear. I want the iPhone client to authenticate to 
google to give my web application access to upload YouTube videos, in a manner 
similar to allowing access to post videos with an application on facebook.

If I use [auth setCallback:@"http://office.kinkast.com/googleoauth"] as the 
call back URL I'm still confident that it doesn't get called.

Here is a screenshot of the state at the GDataOAuthSignIn line in question.

Original comment by tbel...@gmail.com on 9 Sep 2010 at 9:08

Attachments:

GoogleCodeExporter commented 9 years ago
The callback URL is not supposed to be fetched/displayed/opened by an installed 
client. A redirect to it is just an indicator to the client that the web 
sign-in portion of the OAuth dance is completed (but OAuth is not yet done at 
that point.)

The OAuth controller on the iPhone is only for signing in for native iPhone 
apps. If you are authenticating for a web app, you should do the full OAuth on 
the web server, not in the iPhone app.

You can still use NSWorkspace to open a web page after the OAuth controller 
calls back into the iPhone app's delegate method. The auth object can then add 
authentication to any NSMutableURLRequest. 

But the callback URL is not the opportunity to open an authenticated page. At 
the point where the server redirects to the callback URL, OAuth has not even 
finished authorizing the user.

Original comment by gregrobbins on 9 Sep 2010 at 9:18

GoogleCodeExporter commented 9 years ago
Ah ok thanks for the information.

Original comment by tbel...@gmail.com on 9 Sep 2010 at 9:32