[oauth] Re: OAuth Test Page
Thank you! (This made me track down and clean up some problems with
the Ruby CLI.)

FWIW, this is the output from the CLI (signature specifics aren't
relevant here, though this helped me fix a few things):

$ oauth --consumer-key "sd#asssdf^...@*%20" \
  --consumer-secret "sdljk3hjk%SSD^^#%775" \
  --token "&FSD\$fjkjkfkj%232" \
  --secret "Ylknsdndm,n%%sdf%3245" \
  --uri http://api.netflix.com/catalog/ \
  --method GET \
  --nonce 1234 \
  --timestamp 1233798009 \
  --parameters "term=Dark%20Knight&count=2" --realm "api.netflix.com" --verbose \
  sign
OAuth parameters:
  oauth_nonce: 1234
  oauth_signature_method: HMAC-SHA1
  oauth_token: &FSD$fjkjkfkj%232
  oauth_timestamp: 1233798009
  oauth_consumer_key: sd#asssdf...@*%20
  oauth_version: 1.0
Method: GET
Base URI: http://api.netflix.com/catalog/
Normalized params: count=2&oauth_consumer_key=SD%23ASssdF%5E%5E%24%40%2A%2520&oauth_nonce=1234&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1233798009&oauth_token=%26%26%23FSD%24fjkjkfkj%25232&oauth_version=1.0&term=Dark%20Knight
Signature base string: GET&http%3A%2F%2Fapi.netflix.com%2Fcatalog%2F&count%3D2%26oauth_consumer_key%3DSD%2523ASssdF%255E%255E%2524%2540%252A%252520%26oauth_nonce%3D1234%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1233798009%26oauth_token%3D%2526%2526%2523FSD%2524fjkjkfkj%2525232%26oauth_version%3D1.0%26term%3DDark%2520Knight
Request URI: http://api.netflix.com/catalog/?count=2&oauth_consumer_key=SD%23ASssdF%5E%5E%24%40%2A%2520&oauth_nonce=1234&oauth_signature=PdqTCnhkma6AbAVa5HQtcwN1sRg%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1233798009&oauth_token=%26%26%23FSD%24fjkjkfkj%25232&oauth_version=1.0&term=Dark%20Knight
Normalized URI: http://api.netflix.com/catalog/
Authorization header: OAuth realm="api.netflix.com", oauth_nonce="1234", oauth_signature_method="HMAC-SHA1", oauth_token="%26%26%23FSD%24fjkjkfkj%25232", oauth_timestamp="1233798009", oauth_consumer_key="SD%23ASssdF%5E%5E%24%40%2A%2520", oauth_signature="PdqTCnhkma6AbAVa5HQtcwN1sRg%3D", oauth_version="1.0"
Signature: PdqTCnhkma6AbAVa5HQtcwN1sRg=
Escaped signature: PdqTCnhkma6AbAVa5HQtcwN1sRg%3D

seth

On Wed, Feb 4, 2009 at 5:22 PM, jr conlin wrote:
>
> Yep, caught that bug when I was adding the "advanced" section. (it's in
> gray toward the bottom right).
> I'll also add the Version string as a static field.
>
> thanks!
>
> Seth Fitzsimmons wrote:
>> Fair enough.
>>
>> Upon further investigation, the "nonce" and "timestamp" fields aren't
>> being respected (they're being generated regardless of input).
>>
>> seth
>>
>> On Wed, Feb 4, 2009 at 4:10 PM, jr conlin wrote:
>>
>>> Sure, I'll see what I can do about dumping that. (Possibly as an
>>> "advanced" feature.)
>>>
>>> The API Key /Shared Secret is something that we use, partly because we
>>> discovered a good deal of confusion about what "consumer" meant. (For
>>> that matter, folks didn't understand the difference between "oauth" and
>>> "consumer" either and would frequently swap them.) Since we provide the
>>> key/secret with that term, I stuck with it here.
>>>
>>> Seth Fitzsimmons wrote:
>>>> Hey JR.
>>>>
>>>> This is great. It would be really helpful if you dumped the
>>>> normalized parameter string and the signature base string as well as
>>>> allowing the method to be overridden. I've found that the signature
>>>> base string is usually the piece that doesn't match between
>>>> implementations, so being able to compare them is really valuable.
>>>>
>>>> Is there a reason that you're using the "Api key" / "Shared secret"
>>>> terminology instead of "Consumer key" / "Consumer secret"?
>>>>
>>>> seth
>>>>
>>>> On Wed, Feb 4, 2009 at 3:29 PM, jr conlin wrote:
>>>>> Hi all,
>>>>>
>>>>> My apologies for being a slug and not staying on top of the OAuth
>>>>> Library stuff, but I did want to pass along one tool I just pushed live.
>>>>>
>>>>> http://developer.netflix.com/resources/OAuthTest
>>>>>
>>>>> provides a third party page to prove your OAuth HMAC-SHA1 signature
>>>>> generation, and allows you to set the nonce and timestamp in order to
>>>>> validate that your signature matches the signature I'm generating.
>>>>>
>>>>> Considering the number of times I've been asked in forums about "why is
>>>>> my signature generated by library X being rejected?", I figured it might
>>>>> be helpful to have something like this.
>>>>>
>>>>> Although it's targeted for Netflix, it's obviously not restricted to
>>>>> only Netflix calls. It also doesn't fetch or store tokens or secrets, so
>>>>> you'd have to provide your own.
>>>>>
>>>>> Let me know if you have any questions or comments about this. (I'd love
>>>>> to hear that someone else had already built something like this, but the
>>>>> term.ie form seems to be more targeted toward fetching the request token.)
[oauth] Re: OAuth Test Page
Yep, caught that bug when I was adding the "advanced" section. (it's in
gray toward the bottom right).
I'll also add the Version string as a static field.

thanks!

Seth Fitzsimmons wrote:
> Fair enough.
>
> Upon further investigation, the "nonce" and "timestamp" fields aren't
> being respected (they're being generated regardless of input).
>
> seth
>
> On Wed, Feb 4, 2009 at 4:10 PM, jr conlin wrote:
>
>> Sure, I'll see what I can do about dumping that. (Possibly as an
>> "advanced" feature.)
>>
>> The API Key /Shared Secret is something that we use, partly because we
>> discovered a good deal of confusion about what "consumer" meant. (For
>> that matter, folks didn't understand the difference between "oauth" and
>> "consumer" either and would frequently swap them.) Since we provide the
>> key/secret with that term, I stuck with it here.
>>
>> Seth Fitzsimmons wrote:
>>
>>> Hey JR.
>>>
>>> This is great. It would be really helpful if you dumped the
>>> normalized parameter string and the signature base string as well as
>>> allowing the method to be overridden. I've found that the signature
>>> base string is usually the piece that doesn't match between
>>> implementations, so being able to compare them is really valuable.
>>>
>>> Is there a reason that you're using the "Api key" / "Shared secret"
>>> terminology instead of "Consumer key" / "Consumer secret"?
>>>
>>> seth
>>>
>>> On Wed, Feb 4, 2009 at 3:29 PM, jr conlin wrote:
>>>
>>>> Hi all,
>>>>
>>>> My apologies for being a slug and not staying on top of the OAuth
>>>> Library stuff, but I did want to pass along one tool I just pushed live.
>>>>
>>>> http://developer.netflix.com/resources/OAuthTest
>>>>
>>>> provides a third party page to prove your OAuth HMAC-SHA1 signature
>>>> generation, and allows you to set the nonce and timestamp in order to
>>>> validate that your signature matches the signature I'm generating.
>>>>
>>>> Considering the number of times I've been asked in forums about "why is
>>>> my signature generated by library X being rejected?", I figured it might
>>>> be helpful to have something like this.
>>>>
>>>> Although it's targeted for Netflix, it's obviously not restricted to
>>>> only Netflix calls. It also doesn't fetch or store tokens or secrets, so
>>>> you'd have to provide your own.
>>>>
>>>> Let me know if you have any questions or comments about this. (I'd love
>>>> to hear that someone else had already built something like this, but the
>>>> term.ie form seems to be more targeted toward fetching the request token.)

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~--~~~~--~~--~--~---
[oauth] Re: OAuth Test Page
oauth_version is also being omitted (which is often defaulted in
various libraries), making it a little trickier to compare things.

seth

On Wed, Feb 4, 2009 at 4:16 PM, Seth Fitzsimmons wrote:
> Fair enough.
>
> Upon further investigation, the "nonce" and "timestamp" fields aren't
> being respected (they're being generated regardless of input).
>
> seth
>
> On Wed, Feb 4, 2009 at 4:10 PM, jr conlin wrote:
>>
>> Sure, I'll see what I can do about dumping that. (Possibly as an
>> "advanced" feature.)
>>
>> The API Key /Shared Secret is something that we use, partly because we
>> discovered a good deal of confusion about what "consumer" meant. (For
>> that matter, folks didn't understand the difference between "oauth" and
>> "consumer" either and would frequently swap them.) Since we provide the
>> key/secret with that term, I stuck with it here.
>>
>> Seth Fitzsimmons wrote:
>>> Hey JR.
>>>
>>> This is great. It would be really helpful if you dumped the
>>> normalized parameter string and the signature base string as well as
>>> allowing the method to be overridden. I've found that the signature
>>> base string is usually the piece that doesn't match between
>>> implementations, so being able to compare them is really valuable.
>>>
>>> Is there a reason that you're using the "Api key" / "Shared secret"
>>> terminology instead of "Consumer key" / "Consumer secret"?
>>>
>>> seth
>>>
>>> On Wed, Feb 4, 2009 at 3:29 PM, jr conlin wrote:
>>>> Hi all,
>>>>
>>>> My apologies for being a slug and not staying on top of the OAuth
>>>> Library stuff, but I did want to pass along one tool I just pushed live.
>>>>
>>>> http://developer.netflix.com/resources/OAuthTest
>>>>
>>>> provides a third party page to prove your OAuth HMAC-SHA1 signature
>>>> generation, and allows you to set the nonce and timestamp in order to
>>>> validate that your signature matches the signature I'm generating.
>>>>
>>>> Considering the number of times I've been asked in forums about "why is
>>>> my signature generated by library X being rejected?", I figured it might
>>>> be helpful to have something like this.
>>>>
>>>> Although it's targeted for Netflix, it's obviously not restricted to
>>>> only Netflix calls. It also doesn't fetch or store tokens or secrets, so
>>>> you'd have to provide your own.
>>>>
>>>> Let me know if you have any questions or comments about this. (I'd love
>>>> to hear that someone else had already built something like this, but the
>>>> term.ie form seems to be more targeted toward fetching the request token.)
[oauth] Re: OAuth Test Page
Fair enough.

Upon further investigation, the "nonce" and "timestamp" fields aren't
being respected (they're being generated regardless of input).

seth

On Wed, Feb 4, 2009 at 4:10 PM, jr conlin wrote:
>
> Sure, I'll see what I can do about dumping that. (Possibly as an
> "advanced" feature.)
>
> The API Key /Shared Secret is something that we use, partly because we
> discovered a good deal of confusion about what "consumer" meant. (For
> that matter, folks didn't understand the difference between "oauth" and
> "consumer" either and would frequently swap them.) Since we provide the
> key/secret with that term, I stuck with it here.
>
> Seth Fitzsimmons wrote:
>> Hey JR.
>>
>> This is great. It would be really helpful if you dumped the
>> normalized parameter string and the signature base string as well as
>> allowing the method to be overridden. I've found that the signature
>> base string is usually the piece that doesn't match between
>> implementations, so being able to compare them is really valuable.
>>
>> Is there a reason that you're using the "Api key" / "Shared secret"
>> terminology instead of "Consumer key" / "Consumer secret"?
>>
>> seth
>>
>> On Wed, Feb 4, 2009 at 3:29 PM, jr conlin wrote:
>>
>>> Hi all,
>>>
>>> My apologies for being a slug and not staying on top of the OAuth
>>> Library stuff, but I did want to pass along one tool I just pushed live.
>>>
>>> http://developer.netflix.com/resources/OAuthTest
>>>
>>> provides a third party page to prove your OAuth HMAC-SHA1 signature
>>> generation, and allows you to set the nonce and timestamp in order to
>>> validate that your signature matches the signature I'm generating.
>>>
>>> Considering the number of times I've been asked in forums about "why is
>>> my signature generated by library X being rejected?", I figured it might
>>> be helpful to have something like this.
>>>
>>> Although it's targeted for Netflix, it's obviously not restricted to
>>> only Netflix calls. It also doesn't fetch or store tokens or secrets, so
>>> you'd have to provide your own.
>>>
>>> Let me know if you have any questions or comments about this. (I'd love
>>> to hear that someone else had already built something like this, but the
>>> term.ie form seems to be more targeted toward fetching the request token.)
[oauth] Re: OAuth Test Page
Heh. Yep, knew about that one, Rob. (Actually, thanks for reminding me
to add it to our Resources page.)

The problem with that one was that it wasn't available for some mobile
platforms that were asking for something like this.

I used your tool pretty heavily when I was trying to debug my library.

Rob Richards wrote:
> Hi JR,
>
> We also have a similar tool, though it's a windows based app.
> http://solutions.mashery.com/docs/tips_and_tricks/oAuth
>
> I had written it for the same exact reasons :)
>
> Rob
>
> jr conlin wrote:
>
>> Hi all,
>>
>> My apologies for being a slug and not staying on top of the OAuth
>> Library stuff, but I did want to pass along one tool I just pushed live.
>>
>> http://developer.netflix.com/resources/OAuthTest
>>
>> provides a third party page to prove your OAuth HMAC-SHA1 signature
>> generation, and allows you to set the nonce and timestamp in order to
>> validate that your signature matches the signature I'm generating.
>>
>> Considering the number of times I've been asked in forums about "why is
>> my signature generated by library X being rejected?", I figured it might
>> be helpful to have something like this.
>>
>> Although it's targeted for Netflix, it's obviously not restricted to
>> only Netflix calls. It also doesn't fetch or store tokens or secrets, so
>> you'd have to provide your own.
>>
>> Let me know if you have any questions or comments about this. (I'd love
>> to hear that someone else had already built something like this, but the
>> term.ie form seems to be more targeted toward fetching the request token.)
[oauth] Re: OAuth Test Page
Sure, I'll see what I can do about dumping that. (Possibly as an
"advanced" feature.)

The API Key /Shared Secret is something that we use, partly because we
discovered a good deal of confusion about what "consumer" meant. (For
that matter, folks didn't understand the difference between "oauth" and
"consumer" either and would frequently swap them.) Since we provide the
key/secret with that term, I stuck with it here.

Seth Fitzsimmons wrote:
> Hey JR.
>
> This is great. It would be really helpful if you dumped the
> normalized parameter string and the signature base string as well as
> allowing the method to be overridden. I've found that the signature
> base string is usually the piece that doesn't match between
> implementations, so being able to compare them is really valuable.
>
> Is there a reason that you're using the "Api key" / "Shared secret"
> terminology instead of "Consumer key" / "Consumer secret"?
>
> seth
>
> On Wed, Feb 4, 2009 at 3:29 PM, jr conlin wrote:
>
>> Hi all,
>>
>> My apologies for being a slug and not staying on top of the OAuth
>> Library stuff, but I did want to pass along one tool I just pushed live.
>>
>> http://developer.netflix.com/resources/OAuthTest
>>
>> provides a third party page to prove your OAuth HMAC-SHA1 signature
>> generation, and allows you to set the nonce and timestamp in order to
>> validate that your signature matches the signature I'm generating.
>>
>> Considering the number of times I've been asked in forums about "why is
>> my signature generated by library X being rejected?", I figured it might
>> be helpful to have something like this.
>>
>> Although it's targeted for Netflix, it's obviously not restricted to
>> only Netflix calls. It also doesn't fetch or store tokens or secrets, so
>> you'd have to provide your own.
>>
>> Let me know if you have any questions or comments about this. (I'd love
>> to hear that someone else had already built something like this, but the
>> term.ie form seems to be more targeted toward fetching the request token.)
[oauth] Re: OAuth Test Page
Hi JR,

We also have a similar tool, though it's a Windows based app.
http://solutions.mashery.com/docs/tips_and_tricks/oAuth

I had written it for the same exact reasons :)

Rob

jr conlin wrote:
> Hi all,
>
> My apologies for being a slug and not staying on top of the OAuth
> Library stuff, but I did want to pass along one tool I just pushed live.
>
> http://developer.netflix.com/resources/OAuthTest
>
> provides a third party page to prove your OAuth HMAC-SHA1 signature
> generation, and allows you to set the nonce and timestamp in order to
> validate that your signature matches the signature I'm generating.
>
> Considering the number of times I've been asked in forums about "why is
> my signature generated by library X being rejected?", I figured it might
> be helpful to have something like this.
>
> Although it's targeted for Netflix, it's obviously not restricted to
> only Netflix calls. It also doesn't fetch or store tokens or secrets, so
> you'd have to provide your own.
>
> Let me know if you have any questions or comments about this. (I'd love
> to hear that someone else had already built something like this, but the
> term.ie form seems to be more targeted toward fetching the request token.)
[oauth] Re: OAuth Test Page
Hey JR.

This is great. It would be really helpful if you dumped the
normalized parameter string and the signature base string as well as
allowing the method to be overridden. I've found that the signature
base string is usually the piece that doesn't match between
implementations, so being able to compare them is really valuable.

Is there a reason that you're using the "Api key" / "Shared secret"
terminology instead of "Consumer key" / "Consumer secret"?

seth

On Wed, Feb 4, 2009 at 3:29 PM, jr conlin wrote:
>
> Hi all,
>
> My apologies for being a slug and not staying on top of the OAuth
> Library stuff, but I did want to pass along one tool I just pushed live.
>
> http://developer.netflix.com/resources/OAuthTest
>
> provides a third party page to prove your OAuth HMAC-SHA1 signature
> generation, and allows you to set the nonce and timestamp in order to
> validate that your signature matches the signature I'm generating.
>
> Considering the number of times I've been asked in forums about "why is
> my signature generated by library X being rejected?", I figured it might
> be helpful to have something like this.
>
> Although it's targeted for Netflix, it's obviously not restricted to
> only Netflix calls. It also doesn't fetch or store tokens or secrets, so
> you'd have to provide your own.
>
> Let me know if you have any questions or comments about this. (I'd love
> to hear that someone else had already built something like this, but the
> term.ie form seems to be more targeted toward fetching the request token.)
[oauth] OAuth Test Page
Hi all,

My apologies for being a slug and not staying on top of the OAuth
Library stuff, but I did want to pass along one tool I just pushed live.

http://developer.netflix.com/resources/OAuthTest

provides a third party page to prove your OAuth HMAC-SHA1 signature
generation, and allows you to set the nonce and timestamp in order to
validate that your signature matches the signature I'm generating.

Considering the number of times I've been asked in forums about "why is
my signature generated by library X being rejected?", I figured it might
be helpful to have something like this.

Although it's targeted for Netflix, it's obviously not restricted to
only Netflix calls. It also doesn't fetch or store tokens or secrets, so
you'd have to provide your own.

Let me know if you have any questions or comments about this. (I'd love
to hear that someone else had already built something like this, but the
term.ie form seems to be more targeted toward fetching the request token.)
[oauth] Re: Does OAuth support a 4 legged scenario?
Good points. Couple of thoughts:

a) This looks like a Y OAuth or transitive OAuth or even federated SPs.
b) Would this be solved by a scope artifact, which has two URLs
   Application1 and Application 2 (with associated restrictions et al,
   as required). Then the token can be used for both.
c) Agreed on not replicating the user database.
d) I assume even in this case user enters credentials only once. The
   key question is how do we propagate the trust fabric, securely.
e) In short, I think there is no need for anything more in the
   specification; a usage pattern would suffice.

Cheers

|-Original Message-
|From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
|Of J Kwan
|Sent: Tuesday, February 03, 2009 2:42 AM
|To: OAuth
|Subject: [oauth] Re: Does OAuth support a 4 legged scenario?
|
|
|I'm also interested in implementing something of similar structure as
|well, though I'm not quite sure if it's actually feasible or can be
|implemented with oauth at all. I'm actually quite conflicted on the
|idea.
|What I can see is, in this scenario, application 1 most likely has its
|own set of user accounts that mirror the user accounts on the service
|provider. That said, application 1's user accounts probably shouldn't
|be directly linked or tightly coupled to the user accounts in the
|service providers, otherwise, it seems to defeat the purpose of using
|oauth to hide the actual user accounts information from the consumer.
|If the user accounts are separated from the service provider (or at
|least treated as such), then application 1 itself probably has to
|become a service provider itself to allow application 2 to connect to
|it, which means application 2 has to establish 2 different oauth
|connections to both the original service provider and to application
|1...
|That leaves the problem of how to connect application 1 and the
|service provider via application 2.
|
|It'd be nice if OAuth can be specified to solve such problem,
|something like for a consumer to connect to a distributed set of
|service providers, and the service providers can inter-communicate
|based on a single oauth connection.
|
|Anyone else got other ideas?
|
|On Jan 23, 6:28 am, nate_fish wrote:
|> Does OAuth support a 4 legged scenario?
|>
|> In this four legged scenario, there is a shared service provider,
|> application1 which holds the consumer data and application2 which is
|> trying to access data on application1. How would this scenario look
|> to the user?
|>
|> My initial thought is that application2 uses the OAuth 3 legged
|> scenario to get access to the users data with Service Provider. They
|> then use unique account id from service provider to identify user
|> with application1 and get authorization from application1.
|>
|> Anyone solve for this yet or have any recommendations?
[oauth] what is "Signature base string" in OAuth.?
Hi Guys,

What is "Signature base string"? Where can I use that along with the
request? I do not understand the use of that string. Even in the
documentation also, it is not mentioned the use of the base string.
Where can I apply that? I am using HMAC-SHA1 method in Google API. I
could only know that it would be used only in signing request & not for
generating tokens. Is that correct?

Thanks in advance.

Razak K
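The signature base string asked about here, and dumped by the CLI earlier in this thread, built step by step as an added example (not code from any poster or from the Ruby CLI): it percent-encodes and sorts the parameters, joins method, base URI and normalized parameters, signs with HMAC-SHA1, and names the first component on which two base strings differ. Function and constant names are this example's own; PAGE_PARAMS is decoded from the "Normalized params" line quoted in the thread, and the SPEC_ values are the test vector from OAuth Core 1.0, Appendix A.

```ruby
require "openssl"
require "uri"

# OAuth 1.0 percent-encoding: every byte except ALPHA / DIGIT / - . _ ~
# becomes %XX with upper-case hex digits.
def oauth_escape(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |ch| format("%%%02X", ch.ord) }
end

def oauth_unescape(value)
  value.to_s.b.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
end

# Scheme and host lower-cased, default port dropped, query string removed.
def base_uri(url)
  u = URI.parse(url)
  port = u.port == u.default_port ? "" : ":#{u.port}"
  "#{u.scheme.downcase}://#{u.host.downcase}#{port}#{u.path.empty? ? '/' : u.path}"
end

# Takes decoded name/value pairs; oauth_signature and realm are never signed.
def normalized_params(params)
  params.reject { |name, _| %w[oauth_signature realm].include?(name.to_s) }
        .map { |name, value| [oauth_escape(name), oauth_escape(value)] }
        .sort
        .map { |pair| pair.join("=") }
        .join("&")
end

def signature_base_string(method, url, params)
  [method.upcase, base_uri(url), normalized_params(params)]
    .map { |part| oauth_escape(part) }
    .join("&")
end

# The HMAC key is the two escaped secrets joined by "&" (token secret may be empty).
def hmac_sha1_signature(base_string, consumer_secret, token_secret = "")
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA1"), key, base_string)
  [digest].pack("m0") # strict base64, no line breaks
end

# Names the first component on which two base strings disagree (nil if equal).
def first_mismatch(mine, theirs)
  return nil if mine == theirs
  a, b = [mine, theirs].map { |s| s.split("&", 3) }
  return "method: #{a[0]} != #{b[0]}" if a[0] != b[0]
  return "uri: #{oauth_unescape(a[1])} != #{oauth_unescape(b[1])}" if a[1] != b[1]
  pa, pb = [a[2], b[2]].map { |s| oauth_unescape(s).split("&") }
  i = (0...[pa.size, pb.size].max).find { |n| pa[n] != pb[n] }
  return "parameters differ only in escaping" if i.nil?
  "param #{i}: #{pa[i].inspect} != #{pb[i].inspect}"
end

# Inputs decoded from the "Normalized params" line of the CLI output quoted
# in this thread; "realm" is included to show that it is not signed.
PAGE_URL = "http://api.netflix.com/catalog/"
PAGE_PARAMS = {
  "term" => "Dark Knight", "count" => "2", "realm" => "api.netflix.com",
  "oauth_consumer_key" => 'SD#ASssdF^^$@*%20',
  "oauth_token" => '&&#FSD$fjkjkfkj%232',
  "oauth_nonce" => "1234", "oauth_timestamp" => "1233798009",
  "oauth_signature_method" => "HMAC-SHA1", "oauth_version" => "1.0"
}.freeze

# Test vector from OAuth Core 1.0, Appendix A (consumer secret, token secret).
SPEC_URL = "http://photos.example.net/photos"
SPEC_SECRETS = %w[kd94hf93k423kf44 pfkkdhi9sl3r4s00].freeze
SPEC_PARAMS = {
  "file" => "vacation.jpg", "size" => "original",
  "oauth_consumer_key" => "dpf43f3p2l4k3l03", "oauth_token" => "nnch734d00sl2jdk",
  "oauth_nonce" => "kllo9940pd9333jh", "oauth_timestamp" => "1191242096",
  "oauth_signature_method" => "HMAC-SHA1", "oauth_version" => "1.0"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts signature_base_string("GET", PAGE_URL, PAGE_PARAMS)
  puts hmac_sha1_signature(signature_base_string("GET", SPEC_URL, SPEC_PARAMS), *SPEC_SECRETS)
end
```

Passing a peer's base string to first_mismatch pinpoints gaps such as the omitted oauth_version reported earlier in the thread.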
[oauth] Getting "Unknown authorization header Error 401" error in OAuth
Hi Guys,

I am getting "Unknown authorization header Error 401" message when I
try to access data from Google services using OAuth. What would be the
problem? I am using PHP as the back end and AJAX in the client side.

Thanks
Razak K