cxf-users mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: OAuth 1.0 And Signature With Query Params
Date Fri, 31 Jan 2014 18:37:19 GMT
Hi
On 31/01/14 18:25, icoleman wrote:
> I have a problem that has been plaguing me for several days now and was
> hoping someone had run across it before.
>
> I have a provider implemented with Spring 3 & CXF 2.6.11. I have a consumer
> that's a standalone Java application making requests to the provider. The
> OAuth 1.0 Authorization headers on the client are being generated by
> OAuthClientUtils.createAuthorizationHeader(consumer, token, httpMethod,
> uri);
>
> So far so good. Everything works fine so long as there are no query
> parameters on the URL.
>
> So if the request URL is "http://foo.com/api/83382" then all is well.
>
> If the request URL is "http://foo.com/api/83382?scope=all" the signature
> validation on the provider fails. After tracing through
> SimpleOAuthValidator.validateSignature(..) I found that the Authorization
> signature on the client is using the full URL with query parameters to
> generate the signature, but when SimpleOAuthValidator generates the base
> string for signature validation, the query parameters are not used (only the
> URI).
>
> I was able to get the SimpleOAuthValidator to validate the signature created
> by OAuthClientUtils by overriding SimpleOAuthValidator, and reassembling the
> "original" URI. But to do this I had to do some voodoo to get
> HttpServletRequest.getRequestURL() and append the
> httpServletRequest.getQueryString() to it.
>
> With this hack, the signature created by OAuthClientUtils will now be
> validated by SimpleOAuthValidator. Obviously, that can't possibly be
> "normal", right?
>
Sure, this needs to be fixed - I'll look into it next week

> To make matters worse, I've had no luck whatsoever in getting a generic REST
> client (e.g. REST Console for Chrome) to successfully authorize a request
> against the provider. It fails with an oauth_problem: signature_invalid every
> single time.
>
Can you do me a favor and experiment further with it? Can we expect
the console to be affecting the signature somehow? What about curl?

Cheers, Sergey

> I'm using CXF 2.6.11 (but have used 2.7.8 with similar results).
>
> Any help would be sincerely appreciated!
>
> Thanks,
>
> --Ian
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/OAuth-1-0-And-Signature-With-Query-Params-tp5739357.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
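
The mismatch described in this thread, as an added example that is not part of the original messages and is not CXF's code: an RFC 5849 (section 3.4.1) signature base string built with and without the request's query parameters, so the signature verifies only when both sides sign the same parameter set. The function names, OAuth values and secrets are constructed for illustration; default-port stripping and form bodies are not handled.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded
    return quote(value, safe="-._~")


def base_string(method, url, oauth_params, include_query=True):
    """Signature base string per RFC 5849 section 3.4.1 (hypothetical helper)."""
    parts = urlsplit(url)
    # Base string URI is scheme, authority and path only; the query is left out here
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"
    params = list(oauth_params.items())
    if include_query:
        # Query parameters are signed together with the oauth_* parameters
        params += parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(base, consumer_secret, token_secret):
    # HMAC-SHA1 key is the encoded consumer secret, "&", the encoded token secret
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method, url, oauth_params, signature, secrets, include_query=True):
    # include_query=False models a verifier that rebuilds the base string from the URI alone
    expected = sign(base_string(method, url, oauth_params, include_query), *secrets)
    return hmac.compare_digest(expected, signature)


# Constructed sample values, not taken from the thread
OAUTH = {
    "oauth_consumer_key": "example-consumer",
    "oauth_token": "example-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1391193439",
    "oauth_nonce": "constructed-nonce",
    "oauth_version": "1.0",
}
SECRETS = ("consumer-secret", "token-secret")
```

Signing `http://foo.com/api/83382?scope=all` on the client and calling `verify(..., include_query=False)` reproduces the `signature_invalid` outcome, while the same call for the URL without a query string succeeds.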
