I think I cracked the holy grail (At least for me:-)).
Client Side:-
I am using following javascript code to make a web service call.
var map = { "Content-Type" : "application/soap+xml; charset=utf-8" };
var params = {};
soapRequest =
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
    "<soap12:Envelope " +
    "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" " +
    "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" " +
    "xmlns:soap12=\"http://www.w3.org/2003/05/soap-envelope\">" +
    "<soap12:Body>" +
    "<" + method + " xmlns=\"" + ns + "\">" +
    parameters.toXml() +
    "</" + method + "></soap12:Body></soap12:Envelope>";
params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
params[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.DOM;
params[gadgets.io.RequestParameters.HEADERS] = map;
// Ask the container to sign the request (oauth_* and opensocial_* parameters are appended by the proxy).
params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;
params[gadgets.io.RequestParameters.POST_DATA] = soapRequest;
gadgets.io.makeRequest(url, function(req) {
    SOAPClient._onSendSoapRequest(method, async, callback, context, wsdl, req);
}, params);
When the POST request reaches the Orkut proxy container, it generates a
signature base string (http://oauth.net/core/1.0/#anchor14) by concatenating
the request elements:
The following items MUST be concatenated in order into a single
string. Each item is encoded (Parameter Encoding) and separated by an
‘&’ character (ASCII code 38), even if empty.
1. The HTTP request method used to send the request. Value MUST be
uppercase, for example: HEAD, GET , POST, etc.
In our case it is "POST"
2. The request URL from Section 9.1.2 (Construct Request URL).
In our case it is http://www.ApplicationServer.com/iApp/Service.asmx
3. The normalized request parameters string from Section 9.1.1
(Normalize Request Parameters).
The request parameters added are the following:-
opensocial_owner_id 04260157720044639260
opensocial_viewer_id 04260157720044639260
opensocial_app_id 12536334869062616675
opensocial_app_url http://www.ApplicationServer.com/iApp/KM.xml
xoauth_signature_publickey pub.1199819524.-1556113204990931254.cer
oauth_consumer_key orkut.com
oauth_timestamp 1222452522
oauth_nonce 1222452522836105000
The signature base string is then signed (hashed) by the RSA-SHA1 algorithm,
with a private key as input, which produces the signature.
Finally the orkut container makes the web service call to the application
server on behalf of the orkut application.
IMPORTANT: Inside the web method, all parameters added by the orkut
container are available in this.Context.Request.Params. These
parameters are:
opensocial_owner_id 04260157720043639260
opensocial_viewer_id 04260157720043639260
opensocial_app_id 12536334849062616675
opensocial_app_url http://www.ApplicationServer.com/iApp/KM.xml
xoauth_signature_publickey pub.1199819524.-1556113204990931254.cer
oauth_consumer_key orkut.com
oauth_timestamp 1222452522
oauth_nonce 1222452522836105000
oauth_signature_method RSA-SHA1
oauth_signature Q1xim4r9e+3LOpObb6GWhGkw41a8MTc9a+bNuleE8jwRyymXbdZNJBIq3N2RoC9Ojri2ha1V43Mj0JfovNDpYKoPnAUlwsUGzAp7KzpXcdAeyUw6txeCtkVSdsiWw7NhX/btdJs2dQzbMKBptGAfLdwjCYThmqLqwDicHU1Dr34=
Verification:-
I am using the code from http://code.google.com/p/devdefined-tools/wiki/OAuth
by http://code.google.com/u/bittercoder/ (Thank you for the help and great
work).
I created OpenSocialCertificates.cs, which has the content of the certificate
pub.1199819524.-1556113204990931254.cer:
*****OpenSocialCertificates.cs *****
using System.Security.Cryptography.X509Certificates;
using System.Text;

namespace DevDefined.OAuth
{
    public class OpenSocialCertificates
    {
        // PEM text of the container's certificate (body elided here)
        private const string _orkutCertificate =
@"-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----";

        public static X509Certificate2 OrkutCertificate
        {
            get { return new X509Certificate2(Encoding.ASCII.GetBytes(_orkutCertificate)); }
        }
    }
}
I added another method inside OAuthContextBuilder.cs, because the
parameters used for validation are inside the data structure
request.Params:
public OAuthContext FromHttpParams(HttpRequest request)
{
    var context = new OAuthContext();

    // Required to create the signature base string
    // HTTP method
    context.RequestMethod = request.HttpMethod;
    // Request URL
    context.RawUri = new Uri("http://" + request.Params["SERVER_NAME"] + request.Params["SCRIPT_NAME"]);
    // Request parameters
    context.authParams.Add("opensocial_owner_id", request.Params["opensocial_owner_id"]);
    context.authParams.Add("opensocial_viewer_id", request.Params["opensocial_viewer_id"]);
    context.authParams.Add("opensocial_app_id", request.Params["opensocial_app_id"]);
    context.authParams.Add("opensocial_app_url", request.Params["opensocial_app_url"]);
    context.authParams.Add("xoauth_signature_publickey", request.Params["xoauth_signature_publickey"]);
    context.authParams.Add(Parameters.OAuth_Consumer_Key, request.Params[Parameters.OAuth_Consumer_Key]);
    context.authParams.Add(Parameters.OAuth_Signature_Method, request.Params[Parameters.OAuth_Signature_Method]);
    context.authParams.Add(Parameters.OAuth_Timestamp, request.Params[Parameters.OAuth_Timestamp]);
    context.authParams.Add(Parameters.OAuth_Nonce, request.Params[Parameters.OAuth_Nonce]);
    // Algorithm used for signing
    context.SignatureMethod = request.Params[Parameters.OAuth_Signature_Method];
    // Signature
    context.Signature = request.Params[Parameters.OAuth_Signature];

    return context;
}
Inside OAuthContext.cs I added a NameValueCollection named
authParams:
public OAuthContext()
{
    ...
    //Akash
    authParams = new NameValueCollection();
}

...

public NameValueCollection authParams
{
    get
    {
        if (_authParams == null) _authParams = new NameValueCollection();
        return _authParams;
    }
    set { _authParams = value; }
}

...
Following is the code for generating the signature base:
public string GenerateSignatureBaseAuthParams()
{
    var allParameters = new List<QueryParameter>();
    allParameters.AddRange(authParams.ToQueryParameters());

    // Returns the signature base string: METHOD&url&normalized-parameters
    return UriUtility.FormatParameters(RequestMethod, new Uri(NormalizedRequestUrl), allParameters);
}
Here is the code for validation:
private static string ValidateWithDevDefinedOAuth(HttpRequest req)
{
    string str = "Validated";
    try
    {
        OAuthContext context = new OAuthContextBuilder().FromHttpParams(req);
        var signer = new OAuthContextSigner();
        // Verify with the public key from the container's certificate
        var signingContext = new SigningContext { Algorithm = DevDefined.OAuth.OpenSocialCertificates.OrkutCertificate.PublicKey.Key };
        if (!signer.ValidateSignatureAuthParams(context, signingContext))
        {
            str += "Validation Failed\n";
            throw new OAuthException(context, OAuthProblems.SignatureInvalid, "check certificate is still valid");
        }
    }
    catch (OAuthException authEx)
    {
        str = authEx.Report.ToString();
    }
    return str;
}
The code I have added is not production-quality code (quite obviously).
Thanks,
-Akash
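As an added worked example (not code from this thread or from the devdefined-tools library), the following Go program builds the OAuth 1.0 signature base string exactly as described above from the parameters listed in this post, then signs and verifies it RSA-SHA1 style. It assumes a freshly generated RSA key pair standing in for Orkut's certificate and private key, and it goes slightly beyond the post by showing that changing any signed parameter (such as opensocial_viewer_id) makes verification fail.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"net/url"
	"sort"
	"strings"
)

// oauthEncode: OAuth 1.0 section 5.1 (RFC 3986 unreserved untouched, everything else %XX upper-case, space as %20).
func oauthEncode(s string) string { return strings.ReplaceAll(url.QueryEscape(s), "+", "%20") }

// SignatureBase builds METHOD&url&params (OAuth 1.0 section 9.1.3) from the query-string parameters the
// container appended. The SOAP body is not form-encoded, so it never enters the base string; oauth_signature is excluded.
func SignatureBase(method, rawURL string, params map[string]string) string {
	u, _ := url.Parse(rawURL) // the application's own endpoint; assumed well-formed
	normURL := strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host) + u.Path // section 9.1.2: query dropped
	var keys, pairs []string
	for k := range params {
		if k != "oauth_signature" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys) // section 9.1.1: byte-order sort by name (names here are unique)
	for _, k := range keys {
		pairs = append(pairs, oauthEncode(k)+"="+oauthEncode(params[k]))
	}
	return strings.ToUpper(method) + "&" + oauthEncode(normURL) + "&" + oauthEncode(strings.Join(pairs, "&"))
}

// SignRSASHA1 is the container's side: PKCS#1 v1.5 over SHA-1 of the base string, base64-encoded.
func SignRSASHA1(priv *rsa.PrivateKey, base string) (string, error) {
	h := sha1.Sum([]byte(base))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, h[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// VerifyRSASHA1 is the application server's side: recompute the base string from the request it actually
// received and check oauth_signature with the container's public key before trusting owner/viewer IDs.
func VerifyRSASHA1(pub *rsa.PublicKey, base, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	h := sha1.Sum([]byte(base))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA1, h[:], sig) == nil
}
```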
On Sep 26, 11:05 pm, Akash <[EMAIL PROTECTED]> wrote:
> Thanks Raman & Jason. Now I have much better clarity on how things
> work.
>
> I tried the options you suggested and able to make lot of progress.
> Since I am making a web service call, I am wondering how to Generate
> Signature Base. Following is the JS code I am using to make the web
> service call.
>
> var map = { "Content-Type" : "application/soap+xml; charset=utf-8" };
>
> var params = {};
> soapRequest =
>     "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
>     "<soap12:Envelope " +
>     "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" " +
>     "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" " +
>     "xmlns:soap12=\"http://www.w3.org/2003/05/soap-envelope\">" +
>     "<soap12:Body>" +
>     "<" + method + " xmlns=\"" + ns + "\">" +
>     parameters.toXml() +
>     "</" + method + "></soap12:Body></soap12:Envelope>";
> params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
> params[gadgets.io.RequestParameters.CONTENT_TYPE] = gadgets.io.ContentType.DOM;
> params[gadgets.io.RequestParameters.HEADERS] = map;
> params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;
> params[gadgets.io.RequestParameters.POST_DATA] = soapRequest;
>
> var req;
>
> gadgets.io.makeRequest("http://www.MyApplicationServer.com/iApp/Service.asmx", function(req) {
>     SOAPClient._onSendSoapRequest(method, async, callback, context, wsdl, req);
> }, params);
>
> Now coming to the application server side. For validation I have to
> generate signature base
>
> 1. The HTTP request method used to send the request. Value MUST be
> uppercase, for example: HEAD, GET , POST, etc.
> 2. The request URL from Section 9.1.2 (Construct Request URL).
> 3. The normalized request parameters string from Section 9.1.1
> (Normalize Request Parameters).
>
> #1 is POST
> #2 I think request URL should be "http://www.MyApplicationServer.com/
> iApp/Service.asmx". However the request is coming from orkut hence not
> sure. Please confirm.
> #3 According to the OAuth Spec
>
> ****
> The request parameters are collected, sorted and concatenated into a
> normalized string:
>
> 1. Parameters in the OAuth HTTP Authorization header (Authorization
> Header) excluding the realm parameter.
> 2. Parameters in the HTTP POST request body (with a content-type of
> application/x-www-form-urlencoded).
> 3. HTTP GET parameters added to the URLs in the query part (as defined
> by [RFC3986] (Berners-Lee, T., “Uniform Resource Identifiers (URI):
> Generic Syntax,” .) section 3).
>
> The oauth_signature parameter MUST be excluded.
> ****
> #1 Parameters in the OAuth HTTP Authorization header (Authorization
> Header) excluding the realm parameter.
>
> Within my web service the OAuth HTTP Authorization header are
> populated in this.Context.Request.Params datastructure
>
> oauth_consumer_key orkut.com
> oauth_signature_method RSA-SHA1
> oauth_timestamp 1222270545
> oauth_nonce 1222270545579299000
> oauth_signature KJy1Dz+tMNDhQjS0mtc2SrmG7X51evlmJiFtT1ztpX0pBVpT6i27Hr6MMf1svHqjLFjtxNFg+P2t/Mjm+bXS2AUdfsKlelTfTlQEEzyX973Kdk74/5UXoZZmItzYfCmKQuQRl3fWYch0226eujYGrh3lu471e4rDury8gIll5v8=
>
> this.Context.Request.Params datastructure has following parameters
> pertaining to opensocial:-
>
> opensocial_owner_id 04260157720044639260
> opensocial_viewer_id 04260157720044639260
> opensocial_app_id 12536334869062616675
> opensocial_app_url http://www.MyApplicationServer.com/iApp/KM.xml
> xoauth_signature_publickey pub.1199819524.-1556113204990931254.cer
>
> I am wondering whether these parameters are also required for
> generating the base signature? this.Context.Request.Params also contains
> many other parameters (listed at the end of this email), but I think
> they should not be used for generating the base signature. Please correct
> me if I am wrong.
>
> #2. Parameters in the HTTP POST request body (with a content-type of
> application/x-www-form-urlencoded).
>
> Though the HTTP method used for the request is POST, the content type I am
> using is "application/soap+xml;". Therefore the SOAP request that is
> part of the POST request should not be used for generating the base. Please
> correct me if I am wrong.
>
> 3. HTTP GET parameters added to the URLs in the query part (as defined
> by [RFC3986] (Berners-Lee, T., “Uniform Resource Identifiers (URI):
> Generic Syntax,” .) section 3).
>
> Since this is a post request I should not bother about it?
>
> Since I am very close to solution I will highly appreciate any help in
> this regard.
>
> Thanks,
> -Akash
>
> *****
> opensocial_owner_id 04260157720044639260
> opensocial_viewer_id 04260157720044639260
> opensocial_app_id 12536334869062616675
> opensocial_app_url http://www.MyApplicationServer.com/iApp/KM.xml
> xoauth_signature_publickey pub.1199819524.-1556113204990931254.cer
> oauth_consumer_key orkut.com
> oauth_signature_method RSA-SHA1
> oauth_timestamp 1222270545
> oauth_nonce 1222270545579299000
> oauth_signature KJy1Dz+tMNDhQjS0mtc2SrmG7X51evlmJiFtT1ztpX0pBVpT6i27Hr6MMf1svHqjLFjtxNFg+P2t/Mjm+bXS2AUdfsKlelTfTlQEEzyX973Kdk74/5UXoZZmItzYfCmKQuQRl3fWYch0226eujYGrh3lu471e4rDury8gIll5v8=
> *****
>
> On Sep 26, 2:11 am, Jason <[EMAIL PROTECTED]> wrote:
>
> > Yes, Raman's right again. Requests are not encrypted; the only
> > difference between unsigned and signed requests are the extra
> > parameters that are passed -- signed requests have a signature
> > attached as well as extra arguments identifying the container and
> > owner ID plus a few others.
>
> > - Jason
>
> > On Sep 24, 3:10 am, Raman <[EMAIL PROTECTED]> wrote:
>
> > > Hi Akash
>
> > > No, the communication is not over SSL (as far as i know).
> > > Plus, orkut adds a lot of GET parameters such as opensocial_owner_id,
> > > oauth_nonce, etc..
>
> > > Just to make sure you ain't doing anything wrong..
>
> > > Use this code on client
>
> > > /**
> > >  * Perform remote server requests. The request is signed by the container.
> > >  * @function
> > >  * @param {String} url
> > >  *   URL containing the GET and POST parameters to which the request is to be made.
> > >  * @param {Function} [callback]
> > >  *   Function to call back when a response is received from the server.
> > >  * @example
> > >  * call("http://www.sampleserver.sample?key1=value1&key2=value2"); // key1 and key2 are passed as GET parameters.
> > >  * call("http://www.sampleserver.sample|key1=value1&key2=value2"); // key1 and key2 are passed as POST parameters.
> > >  * call("http://www.sampleserver.sample?key1=value1|key2=value2"); // key1 is passed as a GET parameter and key2 as a POST parameter.
> > >  */
> > > function call(url, callback)
> > > {
> > >     var params = {};
> > >     // Request should be signed by the container.
> > >     params[gadgets.io.RequestParameters.AUTHORIZATION] = gadgets.io.AuthorizationType.SIGNED;
> > >
> > >     // URL contains POST parameters; POST parameters are separated from the main URL by a '|' (without quotes).
> > >     if (url.indexOf("|") != -1)
> > >     {
> > >         // Tell the container it is a POST request.
> > >         params[gadgets.io.RequestParameters.METHOD] = gadgets.io.MethodType.POST;
> > >         var urls = url.split("|");
> > >         url = urls[0];
> > >
>
> ...
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Orkut Developer Forum" group.
To post to this group, send email to opensocial-orkut@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/opensocial-orkut?hl=en
-~----------~----~----~----~------~----~------~--~---