[oauth] Re: OAuth JS API results in signature_invalid at random
If you read my blog entry (listed below) on how I did this, I used a ProxyServlet to get around the SOP in browsers. http://raibledesigns.com/rd/entry/implementing_oauth_with_gwt Matt On Sat, Jun 20, 2009 at 4:22 PM, John Kristianjmkrist...@gmail.com wrote: Can a GWT application communicate cross-domain, with an OAuth service provider other than the GWT application server? How? I've read that browser security restrictions prevent this. http://www.mooreds.com/wordpress/archives/000500 On Jun 17, 8:28 am, Matt Raible mrai...@gmail.com wrote: I'm trying to use the JavaScript API to authenticate with OAuth from a GWT application. I've got it working with both Google and Twitter's OAuth implementations. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups OAuth group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: OAuth JS API results in signature_invalid at random
Yes, your request for an access token should be signed with the
request token secret; that is the oauth_token_secret that you received
with your request token. Also, requests for access to APIs should be
signed with the access token secret, that is the oauth_token_secret
that you received with your access token. I'm surprised that the
service provider accepts requests that are signed without the token
secrets.
Here's a simpler way to construct the URL for requesting an access
token, or access to an API. It yields the same result, letting
oauth.js handle more of the details.
var accessor = {
consumerKey: '...',
consumerSecret: '...',
token: '...',
tokenSecret: '...'};
var message = {
method: GET,
action: http://...;,
parameters: [
['oauth_signature_method', 'HMAC-SHA1'],
['xoauth_requestor_id', guid],
['format', 'json']]};
OAuth.completeRequest(message, accessor);
var signedURL = OAuth.addToURL(message.action, message.parameters);
On Jun 17, 10:49 pm, Matt Raible mrai...@gmail.com wrote:
... Looking
at both Paul Donnelly's and yours, neither contains the tokenSecret
in the accessor that's used to sign the access_token request, as well
as any API requests. Am I correct in assuming that the tokenSecret
(the auth_token_secret value returned after getting the initial
token) is needed for these two calls?
To be clear, I can reliably get a token and authorize it. After that,
it seems like getting an access_token works 50% of the time and
calling the api (with auth_token as a param in the URL) works 30% of
the time.
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups
OAuth group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~--~~~~--~~--~--~---
[oauth] Re: OAuth JS API results in signature_invalid at random
Hey Matt, try the code below. It works reliably for me.
Make sure you've included:
http://oauth.googlecode.com/svn/code/javascript/oauth.js
http://oauth.googlecode.com/svn/code/javascript/sha1.js
script type=text/javascript
var requestUrl = 'http://...';
var ck = '...';
var cks = '...';
var accessor = {consumerSecret: cks};
var message = {
method: GET,
action: requestUrl,
parameters: [
['oauth_signature_method', 'HMAC-SHA1'],
['oauth_consumer_key', ck],
['oauth_version', '1.0'],
['xoauth_requestor_id', guid],
['format', 'json']
]
};
OAuth.setTimestampAndNonce(message);
OAuth.setParameter(message, oauth_timestamp, OAuth.timestamp
());
OAuth.SignatureMethod.sign(message, accessor);
var finalUrl = OAuth.addToURL(message.action,
message.parameters);
/script
On Jun 17, 8:28 am, Matt Raible mrai...@gmail.com wrote:
Hello,
I'm trying to use the JavaScript API to authenticate with OAuth from a
GWT application. I've got it working with both Google and Twitter's
OAuth implementations. However, it seems to fail to sign the URL at
random. In other words, it works 1 out of 3 times.
I'm using the following makeSignedRequest() function to create the
signed URL.
Fromhttp://paul.donnelly.org/2008/10/31/2-legged-oauth-javascript-functio...
script type=text/javascript
var makeSignedRequest = function(ck, cks, ts, encodedurl) {
var accessor = { consumerSecret: cks, tokenSecret: ts};
var message = { action: encodedurl, method: GET,
parameters: [
[oauth_version,1.0],
[oauth_consumer_key,ck]
]};
OAuth.setTimestampAndNonce(message);
OAuth.SignatureMethod.sign(message, accessor);
var parameterMap = OAuth.getParameterMap(message);
var baseStr = OAuth.decodeForm
(OAuth.SignatureMethod.getBaseString(message));
var theSig = ;
if (parameterMap.parameters) {
for (var item in parameterMap.parameters) {
for (var subitem in parameterMap.parameters[item])
{
if (parameterMap.parameters[item][subitem] ==
oauth_signature) {
theSig = parameterMap.parameters[item][1];
break;
}
}
}
}
var paramList = baseStr[2][0].split();
paramList.push(oauth_signature= + theSig);
paramList.sort(function(a, b) {
if (a[0] b[0]) return -1;
if (a[0] b[0]) return 1;
if (a[1] b[1]) return -1;
if (a[1] b[1]) return 1;
return 0;
});
var locString = ;
for (var x in paramList) {
locString += paramList[x] + ;
}
return baseStr[1][0] + ? + locString.slice(0,
locString.length - 1);
};
/script
Any idea why this could be happening?
Thanks,
Matt
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups
OAuth group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~--~~~~--~~--~--~---
