Hi Dan,

Thanks. I appreciate the response.

I've actually gone ahead and implemented my own OAuth Provider app for
Django along with a Python extension that does the signing and
verification. I've hardened the extension, but not yet the Django app.
When I do I'll let you know.

If I use a URL without a query string for the 3 OAuth Service URLs
everything goes along swimmingly...
 <Request url="http://www.myprovider.com/oauth/request_token/" method="GET" />
...but when I add a query string...
 <Request url="http://www.myprovider.com/oauth/request_token/?scope=foobar" method="GET" />
...things fall apart. I can no longer verify the Signature Base
String.

Not to worry, for now. I'll continue on without the additional
parameter (the idea for which I got from Google) and make sure
everything works, then try to add the query parameter later.

A separate issue that I had mentioned was that I found plenty of code
to do HMAC-SHA1 and PLAINTEXT verification, but nothing to do the RSA-
SHA1 which is required by the downloaded Google certificate option
(which is a whole lot easier from an administration standpoint, since
Providers don't have to register every single Consumer secret with
Google). Unfortunately, the missing bit for RSA-SHA1 signing/
verification is a decent OpenSSL extension for Python. That's the
piece that I went ahead and wrote and hardened over the weekend.

Thanks for your help. I'll keep you posted on the Django app.

-Mark
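Worked example, added here and not code from Mark's Django app, his OpenSSL extension or Google's implementation: a Provider-side OAuth 1.0 signature base string builder following sections 9.1.1 to 9.1.3, so a request to the Request Token URL with `?scope=foobar` has the query parameter normalized into the base string exactly as Dan describes. It signs with HMAC-SHA1 because that needs only the standard library; for RSA-SHA1 the base string is built identically and only the signing step differs. The consumer key, nonce, timestamp and secret used in the usage notes are constructed values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(s):
    """Percent-encode per OAuth 1.0 section 5.1 (RFC 3986 unreserved set only)."""
    return quote(str(s), safe="-._~")


def base_string_uri(url):
    """Section 9.1.2: lowercase scheme and host, drop a default port, keep the
    path (trailing slash included), drop the query string and fragment."""
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port and (p.scheme.lower(), p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path or '/'}"


def normalize_params(url, oauth_params, body_params=()):
    """Section 9.1.1: query-string params, form-encoded body params and oauth_*
    params (minus oauth_signature), each encoded, sorted by key then value."""
    items = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    items += list(body_params)
    items += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in items)
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, oauth_params, body_params=()):
    """Section 9.1.3: METHOD & encode(base URI) & encode(normalized params)."""
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)),
                     oauth_encode(normalize_params(url, oauth_params, body_params))])


def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; key is encode(consumer)&encode(token)."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_request(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    """Provider side: rebuild the base string from the request as received
    (query string included) and compare signatures in constant time."""
    base = signature_base_string(method, url, oauth_params, body_params)
    expected = sign_hmac_sha1(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))
```

A Provider that rebuilds the base string from the path alone (dropping `scope=foobar`) will compute a different string from the Consumer and reject every signed request, which is the failure Mark sees once a query string is added.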


On Jan 20, 4:34 pm, "Dan (Google Employee)" <[email protected]>
wrote:
> Hi Mark,
>
> I've talked some of my more OAuth-experienced colleagues to try and
> get these issues resolved. Here are responses to the points in your
> posts:
>
> 1. Documentation/spec compliance:
> Clearing up mistakes in documentation can be accomplished by
> modifying: "iGoogle uses the draft OAuth Gadgets Extension to provide
> the URL of the gadget on whose behalf the request
> is being made to service providers" to instead read: "iGoogle uses the
> OpenSocial specification [http://code.google.com/apis/opensocial/docs/
> 0.8/reference/gadgets/#gadgets.io_method_detail] to provide the URL of
> the gadget on whose behalf the request is being made to service
> providers". This change should be made shortly.
>
> Because we've opted to use the OpenSocial specification rather than
> the OAuth Gadgets Extension, the request will include
> opensocial_app_url instead of xoauth_app_url.
>
> 2. Is Google including the scope query parameter?
> Google includes the scope query parameter: all query parameters and
> application/x-www-form-urlencoded POST parameters are included. This
> conforms to section 9.1.1 of the OAuth spec, which states that HTTP
> GET parameters added to the URLs in the query part are included in the
> signature base string.
>
> 3. Is the trailing / dropped from the query path?
> The slash is not dropped.
>
> 4. Is Google including the "xoauth_signature_publickey" value?
> Yes. All parameters are included in the base string.
>
> 5. Where is a python OAuth provider that supports RSA signature
> verification?
> This code is a good example: http://code.google.com/p/oauth/source/browse/code/branches/termie/pyt...
>
> I hope this helps you get your signature base string/validation
> working. If you have any other questions or comments, please let me
> know.
>
> Thanks,
> Dan
>
> On Jan 16, 1:10 pm, Mark Paine <[email protected]> wrote:
>
> > Just another quick note:
>
> > The document at...http://code.google.com/apis/gadgets/docs/oauth.html
> > ...states that "Google uses the draft OAuth Gadgets Extension to
> > provide the URL of the gadget on whose behalf the request is being
> > made to service providers".
>
> > But the draft spec that it links to states specifically:
>
> > > This extension defines one additional OAuth parameter to be used in OAuth
> > > requests originating from an OAuth consumer:
> > >    xoauth_app_url:
> > >        The URL of the gadget originating the OAuth request.
> > > A consumer MUST include the xoauth_app_url parameter in requests to the
> > > Request Token URL and Access Token URL at the Service Provider
>
> > That's not what Google has implemented:
>
> > > opensocial_app_id%3D10744\9613425304803885
> > > opensocial_app_url%3Dhttp%3A%2F%2Fhosting.gmodules.com%2Fig%2Fgadgets%2Ffile%2F102845035461294445368%2Fexercise_oauthtest_test.xml
> > > opensocial_owner_id%3D101691534457182538500
> > > opensocial_viewer_id%3D101691534457182538500
>
> > Clearly, Google's implementation provides the same information by way
> > of the "opensocial_app_url" information, but it cannot claim to adhere
> > to the draft spec.
>
> > I'm sorry if it sounds like I just want to bash, but that's not my
> > goal. I just want to have a clear roadmap along with clear and
> > *correct* documentation to get there. I've made a big commitment to
> > the gadgets platform and I'm hoping that Google will show the same
> > commitment.
>
> > -Mark
You received this message because you are subscribed to the Google Groups 
"iGoogle Developer Forum" group.