[oauth] Re: OAuth Test Page
Sure, I'll see what I can do about dumping that. (Possibly as an advanced feature.) The API Key /Shared Secret is something that we use, partly because we discovered a good deal of confusion about what consumer meant. (For that matter, folks didn't understand the difference between oauth and consumer either and would frequently swap them.) Since we provide the key/secret with that term, I stuck with it here. Seth Fitzsimmons wrote: Hey JR. This is great. It would be really helpful if you dumped the normalized parameter string and the signature base string as well as allowing the method to be overridden. I've found that the signature base string is usually the piece that doesn't match between implementations, so being able to compare them is really valuable. Is there a reason that you're using the Api key / Shared secret terminology instead of Consumer key / Consumer secret? seth On Wed, Feb 4, 2009 at 3:29 PM, jr conlin jrcon...@gmail.com wrote: Hi all, My apologies for being a slug and not staying on top of the OAuth Library stuff, but I did want to pass along one tool I just pushed live. http://developer.netflix.com/resources/OAuthTest provides a third party page to prove your OAuth HMAC-SHA1 signature generation, and allows you to set the nonce and timestamp in order to validate that your signature matches the signature I'm generating. Considering the number of times I've been asked in forums about why is my signature generated by library X being rejected?, I figured it might be helpful to have something like this. Although it's targeted for Netflix, it's obviously not restricted to only Netflix calls. It also doesn't fetch or store tokens or secrets, so you'd have to provide your own. Let me know if you have any questions or comments about this. (I'd love to hear that someone else had already built something like this, but the term.ie form seems to be more targeted toward fetching the request token.) --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups OAuth group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: OAuth Test Page
Yep, caught that bug when I was adding the advanced section. (it's in gray toward the bottom right). I'll also add the Version string as a static field. thanks! Seth Fitzsimmons wrote: Fair enough. Upon further investigation, the nonce and timestamp fields aren't being respected (they're being generated regardless of input). seth On Wed, Feb 4, 2009 at 4:10 PM, jr conlin jrcon...@gmail.com wrote: Sure, I'll see what I can do about dumping that. (Possibly as an advanced feature.) The API Key /Shared Secret is something that we use, partly because we discovered a good deal of confusion about what consumer meant. (For that matter, folks didn't understand the difference between oauth and consumer either and would frequently swap them.) Since we provide the key/secret with that term, I stuck with it here. Seth Fitzsimmons wrote: Hey JR. This is great. It would be really helpful if you dumped the normalized parameter string and the signature base string as well as allowing the method to be overridden. I've found that the signature base string is usually the piece that doesn't match between implementations, so being able to compare them is really valuable. Is there a reason that you're using the Api key / Shared secret terminology instead of Consumer key / Consumer secret? seth On Wed, Feb 4, 2009 at 3:29 PM, jr conlin jrcon...@gmail.com wrote: Hi all, My apologies for being a slug and not staying on top of the OAuth Library stuff, but I did want to pass along one tool I just pushed live. http://developer.netflix.com/resources/OAuthTest provides a third party page to prove your OAuth HMAC-SHA1 signature generation, and allows you to set the nonce and timestamp in order to validate that your signature matches the signature I'm generating. Considering the number of times I've been asked in forums about why is my signature generated by library X being rejected?, I figured it might be helpful to have something like this. Although it's targeted for Netflix, it's obviously not restricted to only Netflix calls. It also doesn't fetch or store tokens or secrets, so you'd have to provide your own. Let me know if you have any questions or comments about this. (I'd love to hear that someone else had already built something like this, but the term.ie form seems to be more targeted toward fetching the request token.) --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups OAuth group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: OAuth Test Page
Thank you! (This made me track down and clean up some problems with the Ruby CLI.) FWIW, this is the output from the CLI (signature specifics aren't relevant here, though this helped me fix a few things): $ oauth --consumer-key sd#asssdf^...@*%20 \ --consumer-secret sdljk3hjk%SSD^^#%775 \ --token #FSD\$fjkjkfkj%232 \ --secret Ylknsdndm,n%%sdf%3245 \ --uri http://api.netflix.com/catalog/ \ --method GET \ --nonce 1234 \ --timestamp 1233798009 \ --parameters term=Dark%20Knightcount=2 --realm api.netflix.com --verbose \ sign OAuth parameters: oauth_nonce: 1234 oauth_signature_method: HMAC-SHA1 oauth_token: #FSD$fjkjkfkj%232 oauth_timestamp: 1233798009 oauth_consumer_key: sd#asssdf...@*%20 oauth_version: 1.0 Method: GET Base URI: http://api.netflix.com/catalog/ Normalized params: count=2oauth_consumer_key=SD%23ASssdF%5E%5E%24%40%2A%2520oauth_nonce=1234oauth_signature_method=HMAC-SHA1oauth_timestamp=1233798009oauth_token=%26%26%23FSD%24fjkjkfkj%25232oauth_version=1.0term=Dark%20Knight Signature base string: GEThttp%3A%2F%2Fapi.netflix.com%2Fcatalog%2Fcount%3D2%26oauth_consumer_key%3DSD%2523ASssdF%255E%255E%2524%2540%252A%252520%26oauth_nonce%3D1234%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1233798009%26oauth_token%3D%2526%2526%2523FSD%2524fjkjkfkj%2525232%26oauth_version%3D1.0%26term%3DDark%2520Knight Request URI: http://api.netflix.com/catalog/?count=2oauth_consumer_key=SD%23ASssdF%5E%5E%24%40%2A%2520oauth_nonce=1234oauth_signature=PdqTCnhkma6AbAVa5HQtcwN1sRg%3Doauth_signature_method=HMAC-SHA1oauth_timestamp=1233798009oauth_token=%26%26%23FSD%24fjkjkfkj%25232oauth_version=1.0term=Dark%20Knight Normalized URI: http://api.netflix.com/catalog/ Authorization header: OAuth realm=api.netflix.com, oauth_nonce=1234, oauth_signature_method=HMAC-SHA1, oauth_token=%26%26%23FSD%24fjkjkfkj%25232, oauth_timestamp=1233798009, oauth_consumer_key=SD%23ASssdF%5E%5E%24%40%2A%2520, oauth_signature=PdqTCnhkma6AbAVa5HQtcwN1sRg%3D, oauth_version=1.0 Signature: PdqTCnhkma6AbAVa5HQtcwN1sRg= Escaped signature: PdqTCnhkma6AbAVa5HQtcwN1sRg%3D seth On Wed, Feb 4, 2009 at 5:22 PM, jr conlin jrcon...@gmail.com wrote: Yep, caught that bug when I was adding the advanced section. (it's in gray toward the bottom right). I'll also add the Version string as a static field. thanks! Seth Fitzsimmons wrote: Fair enough. Upon further investigation, the nonce and timestamp fields aren't being respected (they're being generated regardless of input). seth On Wed, Feb 4, 2009 at 4:10 PM, jr conlin jrcon...@gmail.com wrote: Sure, I'll see what I can do about dumping that. (Possibly as an advanced feature.) The API Key /Shared Secret is something that we use, partly because we discovered a good deal of confusion about what consumer meant. (For that matter, folks didn't understand the difference between oauth and consumer either and would frequently swap them.) Since we provide the key/secret with that term, I stuck with it here. Seth Fitzsimmons wrote: Hey JR. This is great. It would be really helpful if you dumped the normalized parameter string and the signature base string as well as allowing the method to be overridden. I've found that the signature base string is usually the piece that doesn't match between implementations, so being able to compare them is really valuable. Is there a reason that you're using the Api key / Shared secret terminology instead of Consumer key / Consumer secret? seth On Wed, Feb 4, 2009 at 3:29 PM, jr conlin jrcon...@gmail.com wrote: Hi all, My apologies for being a slug and not staying on top of the OAuth Library stuff, but I did want to pass along one tool I just pushed live. http://developer.netflix.com/resources/OAuthTest provides a third party page to prove your OAuth HMAC-SHA1 signature generation, and allows you to set the nonce and timestamp in order to validate that your signature matches the signature I'm generating. Considering the number of times I've been asked in forums about why is my signature generated by library X being rejected?, I figured it might be helpful to have something like this. Although it's targeted for Netflix, it's obviously not restricted to only Netflix calls. It also doesn't fetch or store tokens or secrets, so you'd have to provide your own. Let me know if you have any questions or comments about this. (I'd love to hear that someone else had already built something like this, but the term.ie form seems to be more targeted toward fetching the request token.) --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups OAuth group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en