[oauth] Re: OAuth JS API results in signature_invalid at random
If you read my blog entry (listed below) on how I did this, I used a ProxyServlet to get around the SOP in browsers.

http://raibledesigns.com/rd/entry/implementing_oauth_with_gwt

Matt

On Sat, Jun 20, 2009 at 4:22 PM, John Kristian jmkrist...@gmail.com wrote:
> Can a GWT application communicate cross-domain, with an OAuth service provider other than the GWT application server? How? I've read that browser security restrictions prevent this.
> http://www.mooreds.com/wordpress/archives/000500
>
> On Jun 17, 8:28 am, Matt Raible mrai...@gmail.com wrote:
> > I'm trying to use the JavaScript API to authenticate with OAuth from a GWT application. I've got it working with both Google and Twitter's OAuth implementations.

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups OAuth group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~--~~~~--~~--~--~---
[oauth] Re: OAuth JS API results in signature_invalid at random
Yes, your request for an access token should be signed with the request token secret; that is the oauth_token_secret that you received with your request token. Also, requests for access to APIs should be signed with the access token secret, that is the oauth_token_secret that you received with your access token.

I'm surprised that the service provider accepts requests that are signed without the token secrets.

Here's a simpler way to construct the URL for requesting an access token, or access to an API. It yields the same result, letting oauth.js handle more of the details.

    var accessor = {
        consumerKey: '...',
        consumerSecret: '...',
        token: '...',
        tokenSecret: '...'
    };
    var message = {
        method: "GET",
        action: "http://...",
        parameters: [
            ['oauth_signature_method', 'HMAC-SHA1'],
            ['xoauth_requestor_id', guid],
            ['format', 'json']
        ]
    };
    OAuth.completeRequest(message, accessor);
    var signedURL = OAuth.addToURL(message.action, message.parameters);

On Jun 17, 10:49 pm, Matt Raible mrai...@gmail.com wrote:
> ...
> Looking at both Paul Donnelly's and yours, neither contains the tokenSecret in the accessor that's used to sign the access_token request, as well as any API requests. Am I correct in assuming that the tokenSecret (the auth_token_secret value returned after getting the initial token) is needed for these two calls?
>
> To be clear, I can reliably get a token and authorize it. After that, it seems like getting an access_token works 50% of the time and calling the api (with auth_token as a param in the URL) works 30% of the time.
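The signing rule described in the message above, as an added example that is not part of the thread and is not code from oauth.js: OAuth 1.0 HMAC-SHA1 signing written against Node's built-in crypto module, with a provider-side check that recomputes the signature using the secret it issued for the presented token. The function names (pct, baseString, sign, providerVerifies, demo), the provider check and all sample values are constructed for illustration.

```javascript
const nodeCrypto = require("crypto");

// Percent-encoding as OAuth 1.0 requires; encodeURIComponent leaves !*'() unescaped.
function pct(s) {
  return encodeURIComponent(s).replace(/[!*'()]/g, (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
function baseString(method, url, params) {
  const pairs = params.map(([k, v]) => [pct(k), pct(v)]);
  pairs.sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0));
  return [method.toUpperCase(), pct(url), pct(pairs.map((p) => p.join("=")).join("&"))].join("&");
}

// The HMAC key is consumerSecret&tokenSecret; tokenSecret is empty only before any token exists.
function sign(method, url, params, accessor) {
  const key = pct(accessor.consumerSecret) + "&" + pct(accessor.tokenSecret || "");
  return nodeCrypto.createHmac("sha1", key).update(baseString(method, url, params)).digest("base64");
}

// Provider side: recompute with the secret it issued for the presented oauth_token.
function providerVerifies(method, url, params, signature, consumerSecret, issued) {
  const token = (params.find(([k]) => k === "oauth_token") || [])[1];
  const tokenSecret = token === undefined ? "" : issued.get(token);
  if (tokenSecret === undefined) return false; // token was never issued
  const expected = Buffer.from(sign(method, url, params, { consumerSecret, tokenSecret }));
  const got = Buffer.from(String(signature));
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

// Constructed sample data (not from the thread) for an access-token request.
const CONSUMER_SECRET = "example-consumer-secret";
const ISSUED = new Map([["req-token-1", "req-secret-1"]]);
const ACCESS_URL = "http://provider.example/oauth/access_token";
const PARAMS = [
  ["oauth_consumer_key", "example-consumer"], ["oauth_token", "req-token-1"],
  ["oauth_signature_method", "HMAC-SHA1"], ["oauth_timestamp", "1245300000"],
  ["oauth_nonce", "constructed-nonce"], ["oauth_version", "1.0"]];

// Sign once with the request token secret and once without, then ask the provider.
function demo() {
  const check = (accessor) => providerVerifies("GET", ACCESS_URL, PARAMS,
    sign("GET", ACCESS_URL, PARAMS, accessor), CONSUMER_SECRET, ISSUED);
  return {
    withTokenSecret: check({ consumerSecret: CONSUMER_SECRET, tokenSecret: "req-secret-1" }),
    withoutTokenSecret: check({ consumerSecret: CONSUMER_SECRET }),
  };
}
console.log(demo());
```

A provider that verifies this way rejects the request signed with only the consumer secret, which is the behaviour the message above expects.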
[oauth] Re: OAuth JS API results in signature_invalid at random
Hey Matt, try the code below. It works reliably for me. Make sure you've included:

http://oauth.googlecode.com/svn/code/javascript/oauth.js
http://oauth.googlecode.com/svn/code/javascript/sha1.js

    <script type="text/javascript">
    var requestUrl = 'http://...';
    var ck = '...';
    var cks = '...';
    var accessor = {consumerSecret: cks};
    var message = {
        method: "GET",
        action: requestUrl,
        parameters: [
            ['oauth_signature_method', 'HMAC-SHA1'],
            ['oauth_consumer_key', ck],
            ['oauth_version', '1.0'],
            ['xoauth_requestor_id', guid],
            ['format', 'json']
        ]
    };
    OAuth.setTimestampAndNonce(message);
    OAuth.setParameter(message, "oauth_timestamp", OAuth.timestamp());
    OAuth.SignatureMethod.sign(message, accessor);
    var finalUrl = OAuth.addToURL(message.action, message.parameters);
    </script>

On Jun 17, 8:28 am, Matt Raible mrai...@gmail.com wrote:
> Hello,
>
> I'm trying to use the JavaScript API to authenticate with OAuth from a GWT application. I've got it working with both Google and Twitter's OAuth implementations. However, it seems to fail to sign the URL at random. In other words, it works 1 out of 3 times.
>
> I'm using the following makeSignedRequest() function to create the signed URL.
>
> From http://paul.donnelly.org/2008/10/31/2-legged-oauth-javascript-functio...
>
>     <script type="text/javascript">
>     var makeSignedRequest = function(ck, cks, ts, encodedurl) {
>         var accessor = { consumerSecret: cks, tokenSecret: ts};
>         var message = {
>             action: encodedurl,
>             method: "GET",
>             parameters: [ ["oauth_version","1.0"], ["oauth_consumer_key",ck] ]
>         };
>
>         OAuth.setTimestampAndNonce(message);
>         OAuth.SignatureMethod.sign(message, accessor);
>
>         var parameterMap = OAuth.getParameterMap(message);
>         var baseStr = OAuth.decodeForm(OAuth.SignatureMethod.getBaseString(message));
>         var theSig = "";
>
>         if (parameterMap.parameters) {
>             for (var item in parameterMap.parameters) {
>                 for (var subitem in parameterMap.parameters[item]) {
>                     if (parameterMap.parameters[item][subitem] == "oauth_signature") {
>                         theSig = parameterMap.parameters[item][1];
>                         break;
>                     }
>                 }
>             }
>         }
>
>         var paramList = baseStr[2][0].split("&");
>         paramList.push("oauth_signature=" + theSig);
>         paramList.sort(function(a, b) {
>             if (a[0] < b[0]) return -1;
>             if (a[0] > b[0]) return 1;
>             if (a[1] < b[1]) return -1;
>             if (a[1] > b[1]) return 1;
>             return 0;
>         });
>
>         var locString = "";
>         for (var x in paramList) {
>             locString += paramList[x] + "&";
>         }
>
>         return baseStr[1][0] + "?" + locString.slice(0, locString.length - 1);
>     };
>     </script>
>
> Any idea why this could be happening?
>
> Thanks,
>
> Matt