Removing oauth_token from request header in Scribe

Question

We're trying to connect with another company's custom API which uses two-legged OAuth to authenticate a request and send us a response.

At the moment the code we have is sending a request but it's not being authenticated at the other end and so sending a UNAUTHORISED response.

The steps we have investigated so far:

• Connected to the remote site using an OAuth implementation in python using the same credentials.
• Asked the other company to compare our OAuth request with another that succeeds to see if there is a anything missing in ours.

After the second point above, the only difference between our request and another working request is that the oauth_token parameter is present in our request and not in others. Furthermore, he said they have an oauth_body_hash_value in most of their requests but that's not present in ours - although they do get working requests without it.

Is there a way to remove the oauth_token parameter in Scribe? Alternatively, is the oauth_body_hash_value always needed? Can a request work without?

I've included the code below, I am completely new to OAuth so please feel free to tell me if there's something else that's wrong.

Note that the TestAPI.class extends DefaultAPI10a and just returns "" for all three required methods.

public class TestImporter {

  private static final String REQ_URL   = "http://test.com/";

  private static final String KEY         = "KEY";
  private static final String SECRET      = "SECRET";

  // test variables
  private static final String VAR1        = "Test123";

  public static void main(String[] args) {

    OAuthService service = new ServiceBuilder()
                               .provider(TestAPI.class)
                               .apiKey(KEY)
                               .apiSecret(SECRET)
                               .build();
    Token token = new Token("", "");
    OAuthRequest request = new OAuthRequest(Verb.GET, REQ_URL + VAR1 + "/");
    service.signRequest(token, request);
    Response response = request.send();
    System.out.println(response.getBody());

  }

}

Answer 1

It turns out that when we thought we were sending a fully formed HTTP GET request, we weren't.

The library was adding all of the information to the header (where we were getting our information from), but not adding any oauth information to the request Url. I can only assume it's to do with us using two-legged authorisation (hence the empty Token).

By copying the map of oAuthParameters into queryStringParameters, it then allowed the Url to be formed correctly.

Answer 2

Regarding your own answer seems that what you want to do is put the signature in the querystring and not use the Authorization header.

This, though valid is not recommended. Anyway if you really need to do it, there's a way of creating the OAuthService to "sign" in the querystring:

ServiceBuilder()
  .provider(TestAPI.class)
  .apiKey(KEY)
  .apiSecret(SECRET)
  .signatureType(SignatureType.QueryString)
  .build();

Answer 3

Assuming their implementation is not broken, it should not matter that you have 'extra' OAuth headers included. Having said that, the oauth_token header is not optional (I assume you are communicating using OAuth 1.0). This header should contain the access token for the User. In your example you show this token as being blank, which is quite odd!

Now assuming for some reason that it is valid to send blank 'usernames' to this third party system, you will want to make sure that your OAuth signature is matching on both sides (yours and the other companies). Use a protocol sniffer to capture the value of the oauth_signature header, then ask your third party to verify that they generate a signature which is the same. If not then you probably have a signature hashing problem.