[oauth] SimpleGeo requests returning 401 Unauthorized

2010-07-18 Thread nvictor
Hello group,

We resolved to write our own mini client for SimpleGeo, as Google
AppEngine constraints leave us no choice.

But as simple as it is, the Python code I wrote (which is pasted in
full below) returns 401 Unauthorized responses all the time. I was
wondering what I could be doing wrong and wanted other eyes to take
a look at it.

Thanks a lot in advance for helping.

=

import hmac
import random
import urllib
import httplib
import hashlib
import binascii
import timestamp


HOST = 'api.simplegeo.com'
REALM = 'http://api.simplegeo.com'
METHOD = 'GET'
SIG_METHOD = 'HMAC-SHA1'


def url_path(layer, lat, lon):
    path = '/0.1/records/%s/nearby/%s,%s.json' % (layer, lat, lon)
    return path


def url_params(day):
    params = {
        'limit': 150,
        'radius': 0.025,
        'end': timestamp.day_end(day),
        'start': timestamp.day_start(day),
    }
    return urllib.urlencode(sorted(params.items()))


def hmac_sha1_signature(path, params, secret):
    raw = '&'.join(('GET', path, params))
    hashed = hmac.new(secret, raw, hashlib.sha1)

    # calculate the digest base 64
    return binascii.b2a_base64(hashed.digest())[:-1]


def oauth_header(url_path, url_params):
    apikey = 'GECfebmXCMSvPFk3tK2CePJf4HVMkvvU'
    secret = 'YX6fj6wqJLKZBjRsFhqup3cMTgxkWPpB'

    signature = hmac_sha1_signature(url_path, url_params, secret)
    #signature = plaintext_signature(secret)

    params = [
        'OAuth realm="%s"' % REALM,
        'oauth_nonce="%08d"' % random.randint(0, 1),
        'oauth_timestamp="%s"' % timestamp.now(),
        'oauth_consumer_key="%s"' % apikey,
        'oauth_signature_method="%s"' % SIG_METHOD,
        'oauth_signature="%s"' % signature,
        'oauth_version="1.0"',
    ]

    hd = {'Authorization': ', '.join(params)}
    print hd
    return hd


def nearby(layer, lat, lon, day):
    conn = httplib.HTTPConnection(HOST, 80)
    path = url_path(layer, lat, lon)
    params = url_params(day)
    header = oauth_header(path, params)
    header.update({'Content-Type':'application/x-www-form-urlencode'})
    url = path+'?'+params
    print url
    conn.request(METHOD, url, body=None, headers=header)
    return conn


if __name__ == '__main__':
    import datetime
    c = nearby(
        'com.simplegeo.global.twitter',
        '39.3932481', '-76.6109441',
        datetime.date.today()
    )
    r = c.getresponse()
    print r.status, r.reason

-- 
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oa...@googlegroups.com.
To unsubscribe from this group, send email to 
oauth+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/oauth?hl=en.



[oauth] Re: SimpleGeo requests returning 401 Unauthorized

2010-07-18 Thread John Kristian
Several implementations of OAuth in Python already exist.  It would
probably help to use one, or at least look at its source code.  For
examples see http://oauth.net/code/

I'm not familiar with Python, but it looks like the code above fails
to percent encode values in several places, and fails to include the
oauth_ parameters in the signature base string (when computing the
HMAC-SHA1 signature). I'm not sure whether the parameters are sorted
correctly.  A GET request should not have a Content-Type header, I
think.  application/x-www-form-urlencode is misspelled; it should be
urlencoded (with a 'd' at the end).

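John's list of what the posted client gets wrong is the OAuth 1.0 signing procedure in a nutshell. The following is an added example, not code from the thread, from SimpleGeo or from python-oauth2, of a signer and a matching verifier that do each step: RFC 3986 percent-encoding of every parameter name and value, the oauth_* parameters included in the signature base string, sorting after encoding, the encoded consumer secret (and token secret, empty for two-legged calls) as the HMAC key, and percent-encoding of the header values as well. The SimpleGeo URL is the one from the original post; the consumer key and secret are placeholders, and the nonce and timestamp in any test are fixed only so the result is repeatable. The request from RFC 5849 section 3.4.1.1 serves as a known-good base string.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value):
    """RFC 5849 s3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~'
    stay literal; everything else, including '/', '+', '=' and space, is
    UTF-8 encoded and written as upper-case %XX."""
    return quote(str(value), safe="~")


def base_string_uri(url):
    """scheme://host[:port]/path in lower case, default port dropped, query removed."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), u.hostname.lower(), u.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, host, u.path or "/")


def signature_base_string(method, url, oauth_params, body_params=()):
    """Sign the query string, any form-encoded body parameters and the
    oauth_* parameters (never oauth_signature or realm).  Names and values
    are encoded first, sorted by name then value, joined, and the three
    parts are then encoded once more and joined with '&'."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v))
                   for k, v in [*query, *body_params, *oauth_params.items()]
                   if k not in ("oauth_signature", "realm"))
    param_string = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(param_string)])


def hmac_sha1(base_string, consumer_secret, token_secret=""):
    """Key = encoded consumer secret '&' encoded token secret; the token
    secret is empty for two-legged calls such as SimpleGeo's."""
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def authorization_header(method, url, consumer_key, consumer_secret, token=None,
                         token_secret="", body_params=(), realm=None, nonce=None,
                         timestamp=None):
    """Client side: build the Authorization header for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        # the nonce must be unique per consumer and timestamp; randint(0, 1) is not
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, oauth, body_params)
    oauth["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    parts = [] if realm is None else ['realm="%s"' % realm]
    # header values are percent-encoded too: the base64 signature holds '/', '+', '='
    parts += ['%s="%s"' % (pct(k), pct(v)) for k, v in sorted(oauth.items())]
    return "OAuth " + ", ".join(parts)


def verify_header(header, method, url, consumer_secret, token_secret="", body_params=()):
    """Server side: rebuild the base string from the received parameters,
    recompute the signature and compare it in constant time."""
    if not header.startswith("OAuth "):
        return False
    params = {}
    for item in header[6:].split(","):
        k, _, v = item.strip().partition("=")
        params[unquote(k)] = unquote(v.strip('"'))
    received = params.pop("oauth_signature", "")
    params.pop("realm", None)
    expected = hmac_sha1(signature_base_string(method, url, params, body_params),
                         consumer_secret, token_secret)
    return hmac.compare_digest(received.encode(), expected.encode())


if __name__ == "__main__":
    # URL from the original post; key and secret are placeholders, not real credentials
    url = ("http://api.simplegeo.com/0.1/records/com.simplegeo.global.twitter"
           "/nearby/39.3932481,-76.6109441.json?limit=150&radius=0.025")
    hdr = authorization_header("GET", url, "hypothetical_key", "hypothetical_secret",
                               realm="http://api.simplegeo.com")
    print(hdr)
    print("verifies:", verify_header(hdr, "GET", url, "hypothetical_secret"))
```

Two details worth noting against the posted client: the query parameters are decoded with parse_qsl and re-encoded with pct, so a value that arrives already encoded is never encoded twice, and the GET carries no Content-Type header at all, since there is no body to describe.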



[oauth] Re: SimpleGeo requests returning 401 Unauthorized

2010-07-18 Thread nvictor
Wow!

Thank you so much John. The goal was to avoid a bloated existing
solution and do just what I need to do. I trimmed down the code from
python-oauth2. Didn't know I was missing that much.

I will let you know if it works.

On Jul 18, 6:57 pm, John Kristian wrote:
> Several implementations of OAuth in Python already exist.  It would
> probably help to use one, or at least look at its source code.  For
> examples see http://oauth.net/code/
>
> I'm not familiar with Python, but it looks like the code above fails
> to percent encode values in several places, and fails to include the
> oauth_ parameters in the signature base string (when computing the
> HMAC-SHA1 signature). I'm not sure whether the parameters are sorted
> correctly.  A GET request should not have a Content-Type header, I
> think.  application/x-www-form-urlencode is misspelled; it should be
> urlencoded (with a 'd' at the end).




[oauth] Re: Timing Vulnerabilities in OAuth framework

2010-07-18 Thread taylor
 John,

Thanks for working on this. It looks like you're going to extra
trouble to hide timing information about the length of the target
string. In most cases such as HMAC, this isn't important. However, for
plaintext passwords it could be. What will this be used for?

Your ternary operator on the following line introduces a branch
anyway, revealing timing information about the length of a and b:

   ((a.length == b.length) ? 0 : 1);

If you continue with the goal of not revealing length information,
this could be:

int diff = a.length ^ b.length;

In Java, I don't think anyone tries to prevent null pointer
exceptions. The reference to a.length and b.length will trigger this
exception if either argument is null. I guess you could catch that
exception and return false but you should check with other developers
if that is desired behavior.

I also don't think you should have special handling for zero-length
strings at all. Just returning false immediately if a.length !=
b.length should be sufficient.

The function should probably be called something other than "equals()"
to give more info about its implementation.

The most important thing is to figure out what this will be used for.
If only HMAC, removing the attempt to hide lengths would simplify the
code tremendously.

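taylor's points (return false at once on a length mismatch, XOR the bytes into an accumulator instead of branching, and reserve the extra care for secrets whose length is itself sensitive) are easiest to see next to the comparison they replace. The following is an added example, written in Python rather than the Java under discussion and not code from the thread: it shows why a short-circuiting compare leaks, using the count of examined bytes as a stand-in for elapsed time, runs the byte-at-a-time recovery that such a leak permits against a MAC tag, and gives the accumulator version taylor describes. The HMAC key and message are constructed for the demonstration.

```python
import hashlib
import hmac


def leaky_equals(a, b, counter):
    """Byte-by-byte comparison that stops at the first mismatch.  counter[0]
    records how many bytes were examined; that number, and so the running
    time, grows with the length of the matching prefix."""
    counter[0] = 0
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        counter[0] += 1
        if x != y:
            return False
    return True


def constant_time_equals(a, b):
    """The shape taylor suggests: a length mismatch returns False at once
    (for an HMAC tag the length is public anyway); otherwise every byte
    pair is XORed into an accumulator with no data-dependent early exit.
    Production code should call hmac.compare_digest, which does this in C."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def bytes_examined(mac, prefix_lengths):
    """For each n, compare mac against a guess whose first n bytes are right
    and whose byte n is wrong, and report how many bytes leaky_equals read."""
    counter, out = [0], []
    for n in prefix_lengths:
        guess = mac[:n] + bytes([mac[n] ^ 0xFF]) + mac[n + 1:]
        leaky_equals(mac, guess, counter)
        out.append(counter[0])
    return out


def recover_mac_via_leak(mac, length):
    """Simulated attack using the byte count as a timing oracle: keep the
    known prefix, try all 256 values for the next byte and accept the one
    that makes the comparison run past that position.  Cost is 256 * length
    guesses instead of 256 ** length."""
    known, counter = b"", [0]
    for i in range(length):
        for cand in range(256):
            guess = known + bytes([cand]) + b"\x00" * (length - i - 1)
            if leaky_equals(mac, guess, counter) or counter[0] > i + 1:
                known += bytes([cand])
                break
    return known


if __name__ == "__main__":
    # constructed key and message; the tag is the secret an attacker wants
    tag = hmac.new(b"constructed key", b"constructed message", hashlib.sha1).digest()
    print(bytes_examined(tag, [0, 5, 10, 19]))      # grows with the matching prefix
    print(recover_mac_via_leak(tag, len(tag)) == tag)
    print(constant_time_equals(tag, tag), constant_time_equals(tag, bytes(len(tag))))
```

The early return on unequal lengths is the one branch that is acceptable here, for the reason taylor gives: the length of an HMAC tag is fixed by the algorithm and already known to the attacker, so revealing it costs nothing, whereas the position of the first mismatching byte is what the recovery loop above feeds on.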



Re: [oauth] "%" character in OAuth request token

2010-07-18 Thread Ivan Pulleyn
On Thu, Jul 8, 2010 at 3:10 PM, Philip Bulley wrote:

> Google are returning me a request token of
> “4%252FcMF4t6Bc0i_ojIjMtZ4l1tB3ut4x” which plays havoc with subsequent
> url encoding! Notice the “%” included in the token.
>
>
It looks like you've got a double-escape %2F in there. The tokens usually
have a "/" as the second character.

Ivan..




[oauth] Re: OAuth questions with Shindig

2010-07-18 Thread Thufir


On Jun 1, 7:32 am, Normandes Jr  wrote:
[...]
> My main problem for now is when I try to run this code:
>   function fetchData() {
>       var params = {};
>       url = "http://www.google.com/m8/feeds/contacts/default/base?
> alt=json";
[...]


Which language are you using?


-Thufir




[oauth] Is this even feasible?

2010-07-18 Thread Timothy Perrett
Afternoon all,

I am currently looking at implementing a company-wide OAuth server. We
use Salesforce as a backing store for nearly everything we do now and
it contains all our user information. Unfortunately, the force.com API
won't let me arbitrarily validate user credentials (which is
understandable) and we don't want to enable API access for all the
users in our system, so that leaves me with finding another option.

Salesforce do however support OAuth, and I was playing with the idea of
my OAuth server being an OAuth client of Salesforce. I would have to
get users to activate with Salesforce the first time they came through
the company OAuth server, but still, what are the general thoughts on
this? It feels a bit hacky, but is it technically a sensible/feasible
idea given the circumstances?

Cheers, Tim
