Question

So while working through an implementation of OAuth using Django-Piston I encountered the error mentioned here: "Invalid signature": oAuth provider with Django-piston

The solutions posted previously were not working for me so I began digging deeper into both Piston (https://bitbucket.org/jespern/django-piston/overview) and Scribe (https://github.com/fernandezpablo85/scribe-java).

It turns out that when signing a Scribe request with a JSON String payload, only the OAuth parameters are actually signed. This causes Piston to fail signature validation as Piston signs all of the parameters in the payload in addition to the OAuth parameters.

I was able to modify Piston to only sign the OAuth parameters and everything is now working fine. Being a bit new to OAuth I was not sure if this is the correct fix; one alternative would be to modify Scribe to sign the payload content as well (or perhaps append each parameter in the payload rather than attaching it as a String).

Does anyone have insight into the proper way to address this issue?

Solution

The OAuth spec doesn't say anything about payload (not parameters). Some providers do sign it but that's up to them. Not signing the body contents (xml, json, etc) in Scribe is a design decision and it's not going to change.

Other tips

In case I made the correct decision here is my fix for Piston: in class OAuthRequest(object) add this method:

    def get_oauth_parameters(self):
        """Get any OAuth parameters."""
        parameters = {}
        for k, v in self.parameters.items():
            # Keep only the oauth_* protocol parameters; everything else is ignored.
            if k.startswith('oauth_'):
                parameters[k] = v
        return parameters

and modify this one to call the new method:

    def get_normalized_parameters(self):
        """Return a string that contains the parameters that must be signed."""
        params = self.get_oauth_parameters()
        try:
            # Exclude the signature if it exists.
            del params['oauth_signature']
        except KeyError:
            pass
        # Escape key values before sorting.
        key_values = [(escape(_utf8_str(k)), escape(_utf8_str(v)))
                      for k, v in params.items()]
        # Sort lexicographically, first after key, then after value.
        key_values.sort()
        # Combine key value pairs into a string.
        return '&'.join(['%s=%s' % (k, v) for k, v in key_values])
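
Added example, not part of the original posts and not Piston or Scribe code: a Python 3 sketch of OAuth 1.0 HMAC-SHA1 signing following RFC 5849 section 3.4.1.3.1, where query parameters and a form-encoded body enter the signature base string but a JSON body does not. It also shows what integrity coverage is lost when only `oauth_*` parameters are signed; the key, secret, URL and helper names are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote

FORM = "application/x-www-form-urlencoded"

def pct(s):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal.
    return quote(str(s), safe="-._~")

def collect_params(oauth, query="", body="", content_type=""):
    """Parameters that enter the signature (RFC 5849 section 3.4.1.3.1)."""
    pairs = [(k, v) for k, v in oauth.items() if k not in ("oauth_signature", "realm")]
    pairs += parse_qsl(query, keep_blank_values=True)
    # The entity body counts only when it is single-part form-encoded.
    if content_type.split(";")[0].strip().lower() == FORM:
        pairs += parse_qsl(body, keep_blank_values=True)
    return pairs

def normalize(pairs):
    # Encode first, then sort by encoded name and value, then join.
    return "&".join("%s=%s" % kv for kv in sorted((pct(k), pct(v)) for k, v in pairs))

def sign(method, base_url, pairs, consumer_secret, token_secret=""):
    base = "&".join([method.upper(), pct(base_url), pct(normalize(pairs))])
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def demo():
    # Constructed sample request values, not taken from the post.
    oauth = {"oauth_consumer_key": "ck", "oauth_nonce": "n1", "oauth_timestamp": "1300000000",
             "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}
    url, secret = "http://example.com/api/items", "cs"
    s = lambda q, b, ct: sign("POST", url, collect_params(oauth, q, b, ct), secret)
    oauth_only = lambda q: sign("POST", url, [p for p in collect_params(oauth, q)
                                              if p[0].startswith("oauth_")], secret)
    return {
        # JSON body: never in the base string, so editing it leaves the signature unchanged.
        "json_body_covered": s("", '{"a": 1}', "application/json") != s("", '{"a": 2}', "application/json"),
        # Form body and query string: in the base string, so edits change the signature.
        "form_body_covered": s("", "a=1", FORM) != s("", "a=2", FORM),
        "query_covered": s("page=1", "", "") != s("page=2", "", ""),
        # Signing oauth_* only drops the query string from the signature as well.
        "query_covered_oauth_only": oauth_only("page=1") != oauth_only("page=2"),
    }

if __name__ == "__main__":
    print(demo())
```

A provider that verifies signatures should compare the computed and received values with `hmac.compare_digest`, and rely on TLS or a separate body hash if the JSON payload needs integrity protection.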
Licensed under: CC-BY-SA with attribution