Hi Dan, I'm implementing an OAuth provider but it's not clear exactly what parameters are going into the Signature Base String that Google is using for its RSA-SHA1 signature.
This document... http://code.google.com/apis/gadgets/docs/oauth.html ...provides a self-signed certificate, but only states that "iGoogle currently uses the RSA_SHA1 signature method (as defined in the OAuth standard)". I've tried every possible interpretation of the OAuth standard's algorithm for generating the Signature Base String that I could come up with, but have failed to verify the signature included in the request token call to my server. Specifically, here is what my server is seeing (and more specific questions below):

Request:
GET /oauth/request_token/?scope=http://www.myprovider.com/oauth/

Authorization header:
OAuth opensocial_owner_id="101691534457182538500", opensocial_viewer_id="101691534457182538500", opensocial_app_id="107449613425304803885", opensocial_app_url="http%3A%2F%2Fhosting.gmodules.com%2Fig%2Fgadgets%2Ffile%2F102845035461294445368%2Fexercise_oauthtest_test.xml", xoauth_signature_publickey="pub.1210278512.2713152949996518384.cer", oauth_version="1.0", oauth_timestamp="1232064795", oauth_consumer_key="www.google.com", oauth_signature_method="RSA-SHA1", oauth_nonce="1232064795900179000", oauth_signature="Ict%2FjUCWN4jIY1YD0CrGvV7RAM6ftgWgDF%2Fw4K2Wtb5r6OJ5lxRYKkfdw8UgqTS6gl%2FfwLilq9zBfJHvnC%2FQusrxmrdN%2BCdMytJd%2BRrIs2o77CE1GH5gCeX4ySoAhB26Q6x7%2BhQ81dKZ2xQPmSg9z6po%2BNi69b8KFy6LoDTbR8Y%3D"

My interpretation of the OAuth spec would lead to the Signature Base String:

GET&http%3A%2F%2Fwww.myprovider.com%2Foauth%2Frequest_token%2F&oauth_consumer_key%3Dwww.google.com%26oauth_nonce%3D1232064795900179000%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1232064795%26oauth_version%3D1.0%26opensocial_app_id%3D107449613425304803885%26opensocial_app_url%3Dhttp%3A%2F%2Fhosting.gmodules.com%2Fig%2Fgadgets%2Ffile%2F102845035461294445368%2Fexercise_oauthtest_test.xml%26opensocial_owner_id%3D101691534457182538500%26opensocial_viewer_id%3D101691534457182538500

This was arrived at by using the scheme, authority, path, and sorted list of parameters from the Authorization header. And believe me, I've tried about 40 different combinations to create a Signature Base String, none of which I can verify the signature against.

So, here is a great opportunity to update the documentation. When generating the Signature Base String used to sign the HTTP request...

1) this would disagree with the OAuth spec, but is Google including the "scope" query parameter?
2) when generating the absolute request URL, is Google dropping a trailing "/" from the query path?
3) is Google including the "xoauth_signature_publickey" value?

By the way, the documentation on that page says "a self-signed certificate that should be easy to import into OAuth libraries implemented in various programming languages", which is funny, because I haven't yet found a single Python oauth provider that handles the RSA-SHA1 case, not one (hence I'm writing my own, and yes, I *will* donate it to the public domain).

Thanks,
-Mark
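For reference, the following is how the OAuth 1.0 specification (OAuth Core 1.0 section 9.1, later RFC 5849 section 3.4.1) defines the Signature Base String, worked through on the exact request shown in Mark's post. This is an added example written for this page, not code from the thread, from Google's documentation, or from any Python OAuth library. Per the spec, the parameter set is the union of the Authorization header parameters (minus realm and oauth_signature) and the query-string parameters, so both scope and xoauth_signature_publickey are collected; each name and value is percent-encoded once, the sorted pairs are joined with "=" and "&", and the whole normalized string is percent-encoded a second time before being concatenated to the method and base URI, which is why a URL-valued parameter such as opensocial_app_url ends up as http%253A%252F... in the result. The verify_rsa_sha1 helper assumes the third-party cryptography package and a PEM certificate that the provider loads from its own store, keyed by oauth_consumer_key rather than by anything named in the request.

```python
"""OAuth 1.0 Signature Base String construction and RSA-SHA1 verification.

Added example, not code from the original thread. The request values below are
copied from the post; the certificate passed to verify_rsa_sha1() is an assumed
input that a real provider would load from its own key store.
"""
import base64
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def oauth_encode(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only ALPHA / DIGIT / - . _ ~ stay bare,
    everything else becomes %XX with upper-case hex."""
    return quote(s, safe="-._~")


def parse_authorization_header(header: str) -> dict:
    """Split 'OAuth k="v", k="v"' into a dict; header values are percent-encoded on
    the wire, so they are decoded here and re-encoded once during normalization."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    return {k: unquote(v) for k, v in re.findall(r'([\w.-]+)="([^"]*)"', header[6:])}


def base_uri(url: str) -> str:
    """Scheme and host lower-cased, default port dropped, query and fragment removed.
    The path is kept exactly as requested (a trailing '/' is not stripped)."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), u.hostname.lower(), u.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path or '/'}"


def signature_base_string(method: str, url: str, header_params: dict) -> str:
    """method & encode(base URI) & encode(normalized parameters)."""
    # Header parameters, excluding realm and the signature itself ...
    params = [(k, v) for k, v in header_params.items() if k not in ("realm", "oauth_signature")]
    # ... plus every query-string parameter of the request URL (e.g. scope=...).
    params += parse_qsl(urlsplit(url).query, keep_blank_values=True)
    # Encode each name and value, sort by name then value, join with '=' and '&'.
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    # The three components are each encoded again and joined with '&'.
    return "&".join([method.upper(), oauth_encode(base_uri(url)), oauth_encode(normalized)])


def decoded_signature(header_params: dict) -> bytes:
    """Raw signature bytes; for a 1024-bit RSA key this is 128 bytes."""
    return base64.b64decode(header_params["oauth_signature"])


def verify_rsa_sha1(base_string: str, header_params: dict, cert_pem: bytes) -> bool:
    """RSA-SHA1 is RSASSA-PKCS1-v1_5 with SHA-1 over the base string (RFC 5849 section 3.4.3).
    Requires the third-party 'cryptography' package. cert_pem must come from the provider's
    own store for this consumer key, never from a location named in the request."""
    from cryptography import x509
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding

    public_key = x509.load_pem_x509_certificate(cert_pem).public_key()
    try:
        public_key.verify(decoded_signature(header_params), base_string.encode("utf-8"),
                          padding.PKCS1v15(), hashes.SHA1())
        return True
    except InvalidSignature:
        return False


# Request values copied from the post (request line and Authorization header).
REQUEST_URL = "http://www.myprovider.com/oauth/request_token/?scope=http://www.myprovider.com/oauth/"
AUTH_HEADER = (
    'OAuth opensocial_owner_id="101691534457182538500", '
    'opensocial_viewer_id="101691534457182538500", '
    'opensocial_app_id="107449613425304803885", '
    'opensocial_app_url="http%3A%2F%2Fhosting.gmodules.com%2Fig%2Fgadgets%2Ffile'
    '%2F102845035461294445368%2Fexercise_oauthtest_test.xml", '
    'xoauth_signature_publickey="pub.1210278512.2713152949996518384.cer", '
    'oauth_version="1.0", oauth_timestamp="1232064795", '
    'oauth_consumer_key="www.google.com", oauth_signature_method="RSA-SHA1", '
    'oauth_nonce="1232064795900179000", '
    'oauth_signature="Ict%2FjUCWN4jIY1YD0CrGvV7RAM6ftgWgDF%2Fw4K2Wtb5r6OJ5lxRYKkfdw8UgqTS6gl'
    '%2FfwLilq9zBfJHvnC%2FQusrxmrdN%2BCdMytJd%2BRrIs2o77CE1GH5gCeX4ySoAhB26Q6x7'
    '%2BhQ81dKZ2xQPmSg9z6po%2BNi69b8KFy6LoDTbR8Y%3D"'
)

if __name__ == "__main__":
    params = parse_authorization_header(AUTH_HEADER)
    print(signature_base_string("GET", REQUEST_URL, params))
    print(f"{len(decoded_signature(params))}-byte signature")
```

Running the block prints the spec-conformant base string for the captured request, which differs from the one in the post in three places: scope and xoauth_signature_publickey are present, and opensocial_app_url is double-encoded. A provider should also reject requests whose oauth_timestamp or oauth_nonce has already been seen for that consumer key, since a valid signature over a replayed request verifies just as well as the original.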
