[oauth] Re: new to oauth

2009-10-21 Thread Anuradha Thota


Hi,
Thanks for all the support.
Further to this, I need to check the nonce value to see if the incoming
request is a valid (unique) one or not.
Need your help on this.

Thanks n Rgds,
Anuradha
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~--~~~~--~~--~--~---



[oauth] Re: (request access token) Should oauth_verifier be in the same place than other oauth_ parameters?

2009-10-21 Thread Paul Osman

Hi Florent,

I certainly couldn't see anything in the spec that addresses sending  
OAuth parameters using a combination of GET, POST or Authorization  
headers.

While I certainly think that it's a strange thing to do (seems like  
more work for the Consumer Developer), I think as a Service Provider  
you should support such a situation. I don't have any technical  
rationale for this, I just think it's consistent with Postel's Law  
("be liberal in what you accept and conservative in what you do"). I  
don't see any downside to accepting such behaviour, so why not make it  
easier for those who do it?

Cheers,
Paul

On 2009-10-21, at 4:31 AM, Florent wrote:

> Hi everybody,
>
> I'm in pain figuring out whether the oauth_verifier can be sent back
> from the consumer to the provider in the body of a POST request when
> other parameters are sent in the authorization header.
>
> Here is my situation: I provide an API with OAuth, and one of our
> users complains he cannot get an access token. Looking at the request,
> he sent "usual" signature parameters in the header, and sent the
> oauth_verifier in the body.
>
> * Looking at the spec in the section about sending parameters to the
> provider (http://oauth.net/core/1.0a#consumer_req_param), parameters
> should be sent in the authorization header (preferred) or in the
> request body (second choice) or (... we don't care about this one).
> But it is not forbidden to mix the places !
>
> * Looking at the 9.1.1 part (http://oauth.net/core/1.0a#anchor13)
> about collecting the consumer's parameters, the parameters must be
> collected from various places. So it seems that the consumer can mix
> the places.
>
> So I have 2 questions:
> 1. Can the consumer send oauth parameters from various places (I
> understand oauth parameter as being part of the signature) ?
> 2. Is the oauth_verifier parameter, sent to the provider when
> requesting an access token, a parameter part of the signature, or just
> a request parameter?
>
> My understanding is that oauth_verifier is a regular oauth parameter,
> so it's part of the signature, and that all signature should be
> included in a single place.
>
> He tells me that the library he uses (a .net lib) works well with
> Twitter and Google amongst others. But it won't work with the one I
> use (Ruby OAuth + Rails OAuth plugin).
>
> Who's right here?
>
> Thanks,
> Florent.





[oauth] Re: (request access token) Should oauth_verifier be in the same place than other oauth_ parameters?

2009-10-21 Thread John Kristian

1. Yes, a consumer may send some parameters in a header and others in
the body.

2. Yes, oauth_verifier is signed; that is, it's included in the
Signature Base String.

It sounds like the Ruby/Rails software needs work.

On Oct 21, 1:31 am, Florent wrote:
> 1. Can the consumer send oauth parameters from various places
> (I understand oauth parameter as being part of the signature) ?
> 2. Is the oauth_verifier parameter, sent to the provider when
> requesting an access token, a parameter part of the signature, or
> just a request parameter?
>
> My understanding is that oauth_verifier is a regular oauth parameter,
> so it's part of the signature, and that all signature should be
> included in a single place.
>
> He tells me that the library he uses (a .net lib) works well with
> Twitter and Google amongst others. But it won't work with the one
> I use (Ruby OAuth + Rails OAuth plugin).
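
The collection rule from the answer above, as an added example (not code from this thread, the Ruby OAuth gem or the Rails plugin): a provider-side check that gathers OAuth parameters from the Authorization header, POST body and query string before rebuilding the Signature Base String for HMAC-SHA1. The request, secrets and host name are constructed sample values, and nonce and timestamp checks are left out.

```ruby
require 'openssl'
require 'uri'

# Percent-encoding from OAuth Core 1.0a section 5.1 (RFC 3986 unreserved set).
def oauth_escape(s)
  s.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Pairs from an 'Authorization: OAuth ...' header; realm is not a signed parameter.
def header_params(header)
  return [] unless header.to_s =~ /\AOAuth\s/i
  header.sub(/\AOAuth\s+/i, '').split(/\s*,\s*/).map { |kv|
    kv.split('=', 2).map { |x| x.delete('"').b.gsub(/%(\h\h)/) { $1.hex.chr } }
  }.reject { |k, _| k == 'realm' }
end

# Section 9.1.1 collection. A narrower sources list models a header-only provider.
def collect(req, sources)
  found = { header: header_params(req[:auth_header]),
            body: URI.decode_www_form(req[:body].to_s),
            query: URI.decode_www_form(req[:query].to_s) }
  sources.flat_map { |s| found.fetch(s) }
end

# Signature Base String: METHOD & url & sorted, encoded parameters.
def signature_base_string(method, url, params)
  pairs = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }.sort
  [method.upcase, oauth_escape(url), oauth_escape(pairs.map { |p| p.join('=') }.join('&'))].join('&')
end

def sign(base, consumer_secret, token_secret)
  key = [consumer_secret, token_secret].map { |s| oauth_escape(s) }.join('&')
  [OpenSSL::HMAC.digest('SHA1', key, base)].pack('m0')
end

def valid_signature?(req, consumer_secret, token_secret, sources: %i[header body query])
  sig, signed = collect(req, sources).partition { |k, _| k == 'oauth_signature' }
  expected = sign(signature_base_string(req[:method], req[:url], signed), consumer_secret, token_secret)
  sig.size == 1 && OpenSSL.secure_compare(sig[0][1], expected)
end

# Constructed sample: usual oauth_* parameters in the header, oauth_verifier in the body.
def sample_request(consumer_secret, token_secret)
  hdr = { 'oauth_consumer_key' => 'ck', 'oauth_token' => 'rt', 'oauth_nonce' => 'n1',
          'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1256112000' }
  req = { method: 'POST', url: 'https://provider.example/oauth/access_token', body: 'oauth_verifier=v123' }
  base = signature_base_string(req[:method], req[:url], hdr.to_a + URI.decode_www_form(req[:body]))
  hdr['oauth_signature'] = sign(base, consumer_secret, token_secret)
  req.merge(auth_header: 'OAuth realm="x", ' + hdr.map { |k, v| %(#{k}="#{oauth_escape(v)}") }.join(', '))
end
```

With `sources: %i[header]` the same request fails verification, because the base string is rebuilt without the `oauth_verifier` the consumer signed.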




[oauth] (request access token) Should oauth_verifier be in the same place than other oauth_ parameters?

2009-10-21 Thread Florent

Hi everybody,

I'm in pain figuring out whether the oauth_verifier can be sent back
from the consumer to the provider in the body of a POST request when
other parameters are sent in the authorization header.

Here is my situation: I provide an API with OAuth, and one of our
users complains he cannot get an access token. Looking at the request,
he sent "usual" signature parameters in the header, and sent the
oauth_verifier in the body.

* Looking at the spec in the section about sending parameters to the
provider (http://oauth.net/core/1.0a#consumer_req_param), parameters
should be sent in the authorization header (preferred) or in the
request body (second choice) or (... we don't care about this one).
But it is not forbidden to mix the places !

* Looking at the 9.1.1 part (http://oauth.net/core/1.0a#anchor13)
about collecting the consumer's parameters, the parameters must be
collected from various places. So it seems that the consumer can mix
the places.

So I have 2 questions:
1. Can the consumer send oauth parameters from various places (I
understand oauth parameter as being part of the signature) ?
2. Is the oauth_verifier parameter, sent to the provider when
requesting an access token, a parameter part of the signature, or just
a request parameter?

My understanding is that oauth_verifier is a regular oauth parameter,
so it's part of the signature, and that all signature should be
included in a single place.

He tells me that the library he uses (a .net lib) works well with
Twitter and Google amongst others. But it won't work with the one I
use (Ruby OAuth + Rails OAuth plugin).

Who's right here?

Thanks,
Florent.




[oauth] Re: new to oauth

2009-10-21 Thread John Kristian

The latest core .jar is in 
http://oauth.googlecode.com/svn/code/maven/net/oauth/core/oauth/20090825/
HttpRequestMessage and OAuthServlet are in
http://oauth.googlecode.com/svn/code/maven/net/oauth/core/oauth-provider/20090531/
SampleOAuthProvider is in the .war file in
http://oauth.googlecode.com/svn/code/maven/net/oauth/example/oauth-example-provider/20090105/

These files are in a Maven repository; so you might find it convenient
to use Maven to download them and build your software. Source code for
each .jar or .war is in the same folder, in a *-sources.jar file.

On Oct 20, 10:16 pm, Anuradha Thota wrote:
> The jar I am currently using is "oauth-20090617.jar". I need the classes
> "HttpRequestMessage.java", "SampleOAuthProvider.java",
> "OAuthServlet.java". The jar doesn't seem to include these classes.
> Which jar can I include to get the above classes also?