On Tue, Mar 24, 2009 at 11:16 PM, Robson Dantas <biu.dan...@gmail.com> wrote:

> Ok.
>
> That one was really difficult to find :D
>
> Shall I fill out a bug?
>

Please, that would be great

> --Robson
>
> 2009/3/24 Chris Chabot <chab...@google.com>
>
> > Awesome feedback Robson, thanks for that!
> >
> > I'll make sure to take a look at it soon, the trunk is known to be a bit
> > unstable at the moment but signed fetching shouldn't really have been
> > affected, so good to know it sometimes trips.
> >
> > -- Chris
> >
> > On Tue, Mar 24, 2009 at 10:54 PM, Robson Dantas <biu.dan...@gmail.com> wrote:
> >
> > > Hey Guys,
> > >
> > > I found the problem. Let me explain what's going on:
> > >
> > > Opening /src/gadgets/oauth/OAuth.php, function get_signature_base_string(),
> > > the function $this->get_normalized_http_method() is returning "", while
> > > OAuth returns "GET" or "POST".
> > >
> > > Digging a bit more, I discovered that Shindig is using the function
> > > OAuthRequest::from_consumer_and_token, passing $http_method as "".
> > >
> > > Looking over the signed request example described on the opensocial wiki:
> > > http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests,
> > > the function called is OAuthRequest::from_request, which initializes
> > > $http_method with *...@$http_method or $http_method =
> > > $_SERVER['REQUEST_METHOD'];*
> > >
> > > There's one string "GET", being appended on the base string, and then the
> > > signature is generated. It doesn't happen on Shindig and the base strings
> > > are different, so it will always return FALSE.
> > >
> > > I've patched my code to make it work, but don't know for sure who's
> > > responsible for the fault.
> > >
> > > Any comments?
> > >
> > > 2009/3/24 Robson Dantas <biu.dan...@gmail.com>
> > >
> > > > Hi Guys!
> > > >
> > > > After reading shindig/php/certs/README, I tried to set up signed requests
> > > > using shindig+partuza. I'm using Windows XP, wamp stack (php 5.2.8, apache
> > > > 2.2), latest svn version of shindig and partuza, and openssl for Windows to
> > > > generate the keys (http://www.openssl.org/related/binaries.html).
> > > >
> > > > Everything worked fine, except the key validation. I'm using OAuth rev 526
> > > > to validate it but it's not working. The same code validates Orkut signed
> > > > requests.
> > > >
> > > > I'm feeling that the problem is related to key generation. Is that ok to
> > > > use this utility? I'm printing some results I got using firebug.
> > > >
> > > > http:\/\/127.0.0.1\/gadget/action.php?nocache=1237906077768":
> > > >
> > > > [oauth_nonce] => a4889f1b1fe3ea860fb751b612552f5a
> > > > [oauth_timestamp] => 1237906077\n
> > > >
> > > > [oauth_consumer_key] => robson\n
> > > > [container] => robson\n
> > > > [action] => listUser\n
> > > > [opensocial_owner_id] => 3\n
> > > > [opensocial_viewer_id] => 3\n
> > > > [opensocial_app_id] => 1\n
> > > >
> > > > [oauth_token] => \n
> > > > [xoauth_signature_publickey] => http:\/\/shindig\/public.cer\n
> > > > [oauth_signature_method] => RSA-SHA1\n
> > > > [oauth_signature] =>
> > > > 1Gg1sFcVJKBOkuuFETlCeNarYCOGUb1\/omV5HokGpx9uS\/WyjB4L8I2AZBn2GMC53QjDBM9gdCV8E346GzEl2c1
> > > > +VrH4045ou728yd8ihHQRVVg8482I1FN9y5uz1Ks3RBomBu+hoSQa5Z3qKcCIurLdpluQGhJLmnNFzH\/mVO0=\n
> > > > [nocache] => 1237906077768\n
> > > >
> > > > [rawpost] => \n
> > > > [oauth_validation] => Failed
> > > >
> > > > Just to re-check:
> > > >
> > > > a) pointing the browser to http://shindig/public.cer gives me my public
> > > > certificate, generated by openssl.
> > > > b) changing the private_keyphrase on container.php gives me an error
> > > > (expected, of course)
> > > >
> > > > Tks,
> > > >
> > > > -Robson
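
The mismatch diagnosed in the thread, as an added example that is not part of the original messages and is not code from Shindig or the OAuth library: it builds the OAuth 1.0 signature base string once with the empty method the signer passed and once with GET. The helper names are hypothetical, and the parameter set is constructed from a few values in the dump above.

```php
<?php
// Added example: helper names are hypothetical, not the OAuth.php or Shindig API.

// Percent-encode as OAuth 1.0 requires (unreserved characters stay literal).
function oauth_encode($value) {
    return str_replace('%7E', '~', rawurlencode($value));
}

// Base string = METHOD & encoded URL & encoded, name-sorted parameter string.
// Assumes no repeated parameter names, which holds for the sample below.
function signature_base_string($http_method, $url, array $params) {
    unset($params['oauth_signature']);   // the signature is never part of what is signed
    $encoded = array();
    foreach ($params as $name => $value) {
        $encoded[oauth_encode($name)] = oauth_encode($value);
    }
    ksort($encoded, SORT_STRING);
    $pairs = array();
    foreach ($encoded as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    return implode('&', array(
        strtoupper($http_method),
        oauth_encode($url),
        oauth_encode(implode('&', $pairs)),
    ));
}

// Constructed sample: some values from the dump in the thread, URL without its query string.
$url = 'http://127.0.0.1/gadget/action.php';
$params = array(
    'oauth_consumer_key'     => 'robson',
    'oauth_nonce'            => 'a4889f1b1fe3ea860fb751b612552f5a',
    'oauth_timestamp'        => '1237906077',
    'oauth_signature_method' => 'RSA-SHA1',
    'opensocial_owner_id'    => '3',
    'nocache'                => '1237906077768',
);

$signed_over   = signature_base_string('', $url, $params);     // signer passed "" as the method
$verified_over = signature_base_string('GET', $url, $params);  // verifier used REQUEST_METHOD

// A base string that starts with "&" means the method was empty when it was built.
echo $signed_over, "\n", $verified_over, "\n";
// RSA-SHA1 signs the SHA-1 digest of the base string, so unequal digests can never verify.
var_dump(sha1($signed_over) === sha1($verified_over));
```

Printing both base strings side by side, as here, is the quickest way to find which component differs when a signed request fails validation with a known-good key pair.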