anish-adm / oauth-signpost Goto Github PK
View Code? Open in Web Editor NEWAutomatically exported from code.google.com/p/oauth-signpost
Automatically exported from code.google.com/p/oauth-signpost
What steps will reproduce the problem?
1. Create a netflix provider and consumer.
2. Call provider.retrieveRequestToken( consumer, {OAuth.OUT_OF_BAND|
callbackurl} );
What is the expected output? What do you see instead?
I would expect to get back a proper authorization URL to present the user
to use in a web browser. Instead, I receive:
<status>
<status_code>
400
</status_code>
<message>
oauth_consumer_key is missing
</message>
</status>
What version of the product are you using? On what operating system?
1.2, Windows 7. JDK 1.6.0_18.
Please provide any additional information below.
This is either an issue with Netflix's OAuth implementation or an issue
with SignPost. I haven't read the OAuth spec, so I'm unsure which is
incorrect. Regardless, if other services don't break if the consumer key
is explicitly passed as a parameter, that should probably be default
behavior.
Original issue reported on code.google.com by [email protected]
on 12 Mar 2010 at 9:19
What steps will reproduce the problem?
1. Add signpost-core-1.2.1.1 and signpost-commonshttp4-1.2.1.1 to build
path
2. Set consumer tokenkey and secret
3. Attemp to get OauthUrl to allow protected access
What is the expected output? What do you see instead?
W/System.err(32162): Caused by:
oauth.signpost.exception.OAuthCommunicationException: Communication with
the service provider failed:
https://www.google.com/accounts/OAuthGetRequestToken?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fbuzz
W/System.err(32162): at
oauth.signpost.AbstractOAuthProvider.retrieveToken(AbstractOAuthProvider.ja
va:214)
W/System.err(32162): at
oauth.signpost.AbstractOAuthProvider.retrieveRequestToken(AbstractOAuthProv
ider.java:69)
W/System.err(32162): at
org.lxtnow.testOauth.testoauth.onCreate(testoauth.java:62)
W/System.err(32162): ... 13 more
W/System.err(32162): Caused by: java.io.FileNotFoundException:
https://www.google.com/accounts/OAuthGetRequestToken?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fbuzz
W/System.err(32162): at
org.apache.harmony.luni.internal.net.www.protocol.http.HttpURLConnection.ge
tInputStream(HttpURLConnection.java:1061)
W/System.err(32162): at
org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnection.
getInputStream(HttpsURLConnection.java:252)
W/System.err(32162): at
oauth.signpost.basic.HttpURLConnectionResponseAdapter.getContent(HttpURLCon
nectionResponseAdapter.java:18)
W/System.err(32162): at
oauth.signpost.AbstractOAuthProvider.handleUnexpectedResponse(AbstractOAuth
Provider.java:228)
W/System.err(32162): at
oauth.signpost.AbstractOAuthProvider.retrieveToken(AbstractOAuthProvider.ja
va:189)
W/System.err(32162): ... 15 more
D/AndroidRuntime(32162): Shutting down VM
W/dalvikvm(32162): threadid=3: thread exiting with uncaught exception
(group=0x4001e170)
E/AndroidRuntime(32162): Uncaught handler: thread main exiting due to
uncaught exception
What version of the product are you using? On what operating system?
version 1.2.1.1 for both core and commonshttp4
Also tried bundled version from OAuthGoogleExample from Git repository
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 29 May 2010 at 1:41
I'd like to be able to use Signpost to authenticate against Facebook new Graph
API, which uses
OAuth 2.0. I'm guessing that there isn't support in Signpost for OAuth 2.0. I
also understand that
the standard is evolving. That said, I'm willing to take a first-stab at
providing OAuth 2.0 support in
signpost, with the understanding that support may need to evolve with the
standard.
I opened this bug primarily to get your thoughts on OAuth 2.0 and Signpost.
Original issue reported on code.google.com by [email protected]
on 7 May 2010 at 5:56
When posting to twitter using code similar to the following:
----------------------------
final URL url = new URL("http://twitter.com/statuses/update.xml");
final HttpURLConnection request = url.openConnection();
request.setRequestMethod("POST");
request.setRequestProperty("Content-Type",
"application/x-www-form-urlencoded");
request.setRequestProperty("Content-Length", "" +
Integer.toString(params.getBytes().length));
request.setRequestProperty("Content-Language", "en-US");
request.setUseCaches(false);
request.setDoInput(true);
request.setDoOutput(true);
consumer.sign(request);
try {
final DataOutputStream out = new
DataOutputStream(request.getOutputStream());
out.writeBytes("status=test");
out.flush();
out.close();
} catch (IOException ex) { ex.printStackTrace(); }
----------------------------
(The actual code can be found here:
http://git.dmdirc.com/cgit.cgi/client-shane/tree/src/com/dmdirc/addons/parser_tw
itter/api/TwitterAPI.java?h=twitter
- setStatus(), postXML(), getXML() and signURL())
This gives the output:
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<hash>
<request>/statuses/update.xml</request>
<error>Incorrect signature</error>
</hash>
----------------------------
Everything works fine when using GET.
Original issue reported on code.google.com by [email protected]
on 5 Aug 2009 at 12:51
What steps will reproduce the problem?
1. use 1.2.1.1 of oauth and do some setup using the api.login.yahoo.com
oauth server
create consumer and provider
2. Get the request auth url
provider.retrieveRequestToken(...)
3. Run code on an android phone
What is the expected output? What do you see instead?
I was expecting the auth url (the code works on my laptop), but I get this
error
E/VerificationActivity( 1357):
oauth.signpost.exception.OAuthCommunicationException: Communication with
the service provider failed: null
...
E/VerificationActivity( 1357): Caused by: java.lang.NullPointerException
E/VerificationActivity( 1357): at
org.apache.harmony.luni.internal.net.www.protocol.http.HttpURLConnection.re
adln(HttpURLConnection.java:1178)...
What version of the product are you using? On what operating system?
1.2.1.1 The code works on Redhat, windows, and Ubuntu, but failed me when
I ran on ether an android emulator or an android phone
Please provide any additional information below.
The problem seems to be an issue with what yahoo returns though i dont know
whats happening. other sites work alright.
Thanks for taking the time to look at this issue.
Original issue reported on code.google.com by [email protected]
on 8 May 2010 at 5:55
Attachments:
In order to do get request token and get access token in different threads,
it is necessary to save the provider object. Having a serializable instance
simplifies storing and re-creation.
Original issue reported on code.google.com by [email protected]
on 1 Jul 2009 at 9:41
The front page mentions that:
"[OAuthConsumer and OAuthProvider] are also serializable, so you can
persist and restore them later."
I found that to not be the case. When I restore an OAuthConsumer to sign a
request, it will fail with this traceback:
java.lang.NullPointerException
at oauth.signpost.signature.OAuthMessageSigner.base64Encode
(OAuthMessageSigner.java:66)
at oauth.signpost.signature.HmacSha1MessageSigner.sign
(HmacSha1MessageSigner.java:55)
at oauth.signpost.AbstractOAuthConsumer.sign
(AbstractOAuthConsumer.java:97)
at oauth.signpost.AbstractOAuthConsumer.sign
(AbstractOAuthConsumer.java:107)
This is because OAuthMessageSigner.base64 is transient and thus wasn't
serialized.
Original issue reported on code.google.com by [email protected]
on 14 Apr 2010 at 4:32
When obtaining an Unauthorized Request Token, the request must be signed
http://oauth.net/core/#auth_step1) However, at that point a Token Secret is not
available. The
specification allows for this in section 9.2. HMAC-SHA1
(http://oauth.net/core/#anchor16) by
not requiring a Token Secret (the implication is that it's the url-encoded
consumer secret
followed by an "&" and nothing else)
HmacSha1MessageSigner.java:25
String keyString = OAuth.percentEncode(getConsumerSecret()) + '&' +
OAuth.percentEncode(getTokenSecret());
Which depends on oauth.signpost.OAuth.percentEncode, which depends on
com.google.gdata.util.common.base.PercentEscaper, which fails with an NPE if
the Token Secret
is null.
A quick fix is to add a test in oauth.signpost.OAuth.percentEncode and just
return an empty
string in the parameter is null.
With that fix, I could access Twitter using OAuth.
Original issue reported on code.google.com by [email protected]
on 7 May 2009 at 10:47
What steps will reproduce the problem?
1. Create a httpurlconnection for posting to a url endpoint
2. the getMessagePayload() method on httprequestadaptor will return null
3. SignatureBaseString.java will be used when signing the request. the
following lines of code are executed:
if (contentType != null && contentType.equals(OAuth.FORM_ENCODED)) {
InputStream payload = request.getMessagePayload();
parameters.addAll(OAuth.decodeForm(payload));
}
payload will be null as described in #2, and will throw a null error when
OAuth.decodeForm(payload) is called.
What is the expected output? What do you see instead?
A null pointer will not be thrown
What version of the product are you using? On what operating system?
1.1
Please provide any additional information below.
More code available upon request.
Example below of signing post request httpurlconnection
HttpURLConnection request = (HttpURLConnection)
url.openConnection();
request.setRequestMethod("POST");
request.setAllowUserInteraction(false); // you may not ask the user
request.setDoInput(true);
request.setDoOutput(true);
request.setUseCaches(false);
// the Content-type should be default, but we set it anyway
request.setRequestProperty("Content-Type",
"application/x-www-form-urlencoded");
// the content-length should not be necessary, but we're cautious
request.setRequestProperty( "Content-length",
Integer.toString(queryParams.length()));
consumer.sign(request);
//get the output stream to POST our form data
OutputStreamWriter wr = new
OutputStreamWriter(request.getOutputStream());
wr.write(queryParams);
wr.flush();
wr.close();
Original issue reported on code.google.com by [email protected]
on 2 Oct 2009 at 12:55
What steps will reproduce the problem?
1. Go through an entire request/access token against a python-oauth server.
2. Use the access token to try to access something.
3. The python-oauth library (the reference implementation for OAuth) barfs
because the signature is "IYALjIZeGwFri8xtv4uIaDBO3Ow%3D%0D%0A" which
decodes to 'IYALjIZeGwFri8xtv4uIaDBO3Ow=\r\n'.
What is the expected output? What do you see instead?
'IYALjIZeGwFri8xtv4uIaDBO3Ow='
What version of the product are you using? On what operating system?
Latest from svn.
Please provide any additional information below.
Change line 49 to be:
return base64Encode(mac.doFinal(text)).trim();
And it all works.
Original issue reported on code.google.com by [email protected]
on 7 Oct 2009 at 9:57
What steps will reproduce the problem?
Current signing options:
1A. consumer.sign(HttpRequest request) -> HTTPRequest
1B. consumer.sign(Object request) -> HTTPRequest
1C. consumer.sign(String url) -> String (Url+query params)
What is the expected output? What do you see instead?
1D. consumer.sign(String url) -> Map<String,String>
Having a new sign method returning a map with all oauth params would enable
simple usage/integration with xoauth SASL or other non HTTP transport
calls.
Original issue reported on code.google.com by [email protected]
on 11 Apr 2010 at 10:52
What steps will reproduce the problem?
1. use the java code example for fireeagle
2. try to update user-position
What is the expected output? What do you see instead?
Error: 400 bad request
What version of the product are you using? On what operating system?
I use android 1.5
Original issue reported on code.google.com by [email protected]
on 10 Mar 2010 at 4:09
First off, I'd like to say thank you to Mattias for a truly useful contribution
to the java community. I've used signpost
(mostly 1.1) against three APIs (tripit, opentable, and now digg), and while
it's often required some heavy modification
and experimentation, I've generally been successful.
But that being said, then along came Digg. I spent two days trying to get
signpost 1.2 working with the Digg API, and
was about to throw in the towel before I finally found this thread from last
month:
http://groups.google.com/group/diggapi/browse_thread/thread/51472d4c8ede6c8b/832
b74a731245824
If you follow the recommendations in all three pastie.org posts, then make a
few tweaks to fix obvious errors, then set
the Content-Type to OAuth.FORM_ENCODED, the proposed solution will work.
But it requires overloading FIVE signpost classes, and copying and pasting a
majority of code from each one.
Surely there must be a way to access the Digg API from signpost that doesn't
require overloading so many classes, let
alone copying and pasting so much code.
As far as I can tell, Digg doesn't seem to be violating the oauth 1.0a
specification, so it would be nice if signpost could
handle this api gracefully.
Thanks again for the great work!
Original issue reported on code.google.com by [email protected]
on 10 Mar 2010 at 1:15
What steps will reproduce the problem?
1. When exchanging a request token for an access token Signpost generates
an URL like this
http://localhost:8080/userservices/oauth/access_token?oauth_token=a4d14ddb-3eaf-
4706-8693-eaabc2e21c84&oauth_token_secret=lHX2uM6CM77eqPTzMniigIoRWCpSkAYwwXBq/7
FOyCQEcu2jKQVs4Rp9k7ADQEG24MLByTnOKMXNZOQXiWZH9YKvPuJCEw4OH/ik3kN4wy0=
that is, outh_token_secret is sent to OAuthProvider - this is not needed
and it is a security risk.
Further, having aouth_token encoded as part of the Http GET URL is in
contradiction with what is stated in the Signpost documentation that says
that OAuth parameters are sent as part of the Http Authorize header.
And yes, oauth_token is also sent as part of the Authorize header! This
means that the signature base to used to produces the signature looks like
this:
GET&
http%3A%2F%2Flocalhost%3A8080%2Fuserservices%2Foauth%2Faccess_token&
oauth_consumer_key%3Dmyphone%26
oauth_nonce%3D1242810500517710000%26
oauth_signature_method%3DHMAC-SHA1%26
oauth_timestamp%3D1242810500%26
oauth_token%3D82afaed0-42ea-4129-a914-2f53d42e7346%26
oauth_token%3D82afaed0-42ea-4129-a914-2f53d42e7346%26
oauth_token_secret%3DjOvfP3mjn7z%252FDJXVaaMuLwoLRR2EVxfFnFEbbLBlhbZMBBweD2hSREt
UghfL1LFVl7QbpNvKpb%2520926oeJR3ZlzdtGuaAT8YCvSrQ7IVXlxM%253D%26
oauth_version%3D1.0
Note that oauth_token occurrs twice.
What is the expected output? What do you see instead?
I would propose to
A) remove the oauth_token_secret from URL
B) remove the oauth_token from URL
It is enough to generate an URL like this:
http://localhost:8080/userservices/oauth/access_token
What version of the product are you using? On what operating system?
1.0-SNAPSHOT on Mac OSX
Please provide any additional information below.
I encountered this problem when I got 401 for this request, my Provider
being developed with Spring Oauth/Security. Spring drops the double
oauth_token and uses this signature base string
GET&
http%3A%2F%2Flocalhost%3A8080%2Fuserservices%2Foauth%2Faccess_token&
oauth_consumer_key%3Dmyphone%26
oauth_nonce%3D1242810500517710000%26
oauth_signature_method%3DHMAC-SHA1%26
oauth_timestamp%3D1242810500%26
oauth_token%3D82afaed0-42ea-4129-a914-2f53d42e7346%26
oauth_token_secret%3DjOvfP3mjn7z%252FDJXVaaMuLwoLRR2EVxfFnFEbbLBlhbZMBBweD2hSREt
UghfL1LFVl7QbpNvKpb%2520926oeJR3ZlzdtGuaAT8YCvSrQ7IVXlxM%253D%26
oauth_version%3D1.0
Original issue reported on code.google.com by [email protected]
on 20 May 2009 at 12:22
What steps will reproduce the problem?
When you try to sign a MultipartEntity with the sign() method, it throws an
exception because MultipartEntity doesn't support getOutputStream().
What is the expected output? What do you see instead?
Not to throw the exception if you are trying to sign MultipartEntity requests.
What version of the product are you using? On what operating system?
signpost-core-1.1-SNAPSHOT.jar, signpost-commonshttp4-1.1-SNAPSHOT.jar on
Windows XP.
Please provide any additional information below.
Not applicable.
Original issue reported on code.google.com by [email protected]
on 23 Aug 2009 at 2:13
It looks like the callback parameter given to retrieveRequestToken in the
DefaultOAuthProvider is hex encoded twice, resulting in an incorrect signature.
A first time at the line 70 of the class:
retrieveToken(OAuth.addQueryParameters(requestTokenEndpointUrl,
OAuth.OAUTH_CALLBACK, OAuth.percentEncode(callbackUrl)));
And the second time a few steps later in the addQueryParameters method.
What version of the product are you using? On what operating system?
SVN version on android.
Original issue reported on code.google.com by benoit.garret
on 11 Jul 2009 at 5:20
What steps will reproduce the problem?
1. Update TwitterAndSignpost sample application to work with signpost 1.2.1.1
2. Modify sample application to perform signing and executing HTTP requests
in loop (e.g. 20 times)
3. Incidentally (2-3 requests on 20) application receives from Twitter
HTTP/1.1 401 Unauthorized,
{"request":"/1/account/verify_credentials.json","error":"Invalid / used nonce"}
4. I attached my sample application used in tests.
What is the expected output? What do you see instead?
This error should never appear.
What version of the product are you using? On what operating system?
Signpost 1.2.1.1, Android 1.5
Please provide any additional information below.
This problem doesn't appear in version 1.1. I compared oauth_nonce value
send by both versions and they are shorter in previous version.
I fixed that problem by changing nonce generator to use Integer instead of
Long (generate shorter oauth_nonce). It helps with Twitter.
Original nonce generator (function from
/signpost-core/src/main/java/oauth/signpost/AbstractOAuthConsumer.java):
protected String generateNonce() {
return Long.toString(new Random().nextLong());
}
Generator with fix:
protected String generateNonce() {
return Integer.toString(new Random().nextInt());
}
Original issue reported on code.google.com by [email protected]
on 21 Apr 2010 at 11:53
What steps will reproduce the problem?
1. Using the Netflix example at http://github.com/kaeppler/signpost-
examples/tree/master/OAuthNetflixExample/src
2. Specifically, the call to provider.retrieveRequestToken(consumer,
callBackUrl);
What is the expected output? What do you see instead?
I expect to get a link to redirect the user to, I do not get anything and
recieve an OAuthCommunicationException. A stacktrace says that this is due
to:
java.io.FileNotFoundException: http://api.netflix.com/oauth/request_token
By ARP-poisoning my phone and using Wireshark I can see that this is
because retrieveRequestToken uses POST when according to the Netflix API I
should be using GET.
What version of the product are you using? On what operating system?
Android 1.6
Please provide any additional information below.
Does the Netflix example code work? Should I just create my own helper
method to make the call through GET and rely for everything else on oauth-
signpost?
Original issue reported on code.google.com by [email protected]
on 20 Apr 2010 at 12:24
When I sign HttpUrlConnection witch has request method set to 'PUT', I get
'401 Authorization Required' response from server. This happens with
signpost-core-1.2, signpost-core-1.2.1, signpost-core-1.2.1.1
With signpost-core-1.1 it works correctly.
Other request methods works ok with all versions of library.
I'm using this library to communicate with http://blip.pl (but it's in Polish
so I think that doesn't help)
Original issue reported on code.google.com by [email protected]
on 23 Mar 2010 at 7:43
What steps will reproduce the problem?
1. Add Aug 31 snapshot to build path (java)
2. Clear any existing user data / tokens
3. Attempt to get login url and request token
Kaboom!
4. Switch build path to use Julyu snapshot
5. attempt to get login url and r. token
Success!
What is the expected output? What do you see instead?
Expected: the Login Url with parameters, and request token set.
Instead: I get an exception
oauth.signpost.exception.OAuthCommunicationException: Communication
with the service provider failed: Received authentication challenge is
null
at oauth.signpost.basic.DefaultOAuthProvider.retrieveToken
(DefaultOAuthProvider.java:152)
at oauth.signpost.basic.DefaultOAuthProvider.retrieveRequestToken
(DefaultOAuthProvider.java:69)
What version of the product are you using? On what operating system?
Aug 31 Snapshot (kaboom) vs July Snapshot(works fine) - Android
Please provide any additional information below.
This can be consistently resolved / repeated by switching my build path
info to use the different snapshots. Another user has reported a similar
error on the groups.
Once I have the access token stored locally, either jar works just fine.
The issue is limited to the getToken method of the provider.
Original issue reported on code.google.com by OlliTech
on 16 Oct 2009 at 12:56
Java 1.6 class files were reported to cause problems with Android.
Original issue reported on code.google.com by [email protected]
on 5 Jun 2009 at 8:00
Would be nice to add this static method to OAuthConsumer or some other
class, it's a quick hack to allow POST url-encoded while using java.net
( it can also be used in user code )
public static void signAndSend(OAuthConsumer consumer,
HttpURLConnection req, final byte[] payload)
throws ...
{
HttpRequest spReq = new HttpURLConnectionRequestAdapter(req) {
public InputStream getMessagePayload() {
return new ByteArrayInputStream(payload);
}
};
consumer.sign(spReq);
OutputStream os = req.getOutputStream();
os.write(payload);
os.close();
}
A better option would be to refactor the interfaces so signAndSend() with
payload is common to all http client wrappers.
Original issue reported on code.google.com by costin
on 27 May 2010 at 5:14
If I don't care about specific error conditions, I'd like to write a simplified
`catch` (for a single type of OAuth exception).
Thoughts?
Original issue reported on code.google.com by [email protected]
on 5 Jun 2009 at 7:00
What steps will reproduce the problem?
1. Run the attached file after substituting your API consumer key and
secret for LinkedIn.
2. The example is taken from the linked in forums and the majority of
LinkedIn API work with signpost-core-1.2 except for the one mentioned in
the example.
3. As far as I can guess, when you supply two parameters with the same name
(type parameter in this example), the signpost library throws 401
unauthorized error.
What is the expected output? What do you see instead?
I should get 200 response with a list of all the network updates. Instead I
get a 401 response with the error message. I have also tried
consumer.setCompatibilityModeForEmptyTokens(true); to no avail.
What version of the product are you using? On what operating system?
I am using signpost-core-1.2.jar. It was working correctly on a snapshot
version signpost-core-1.1-SNAPSHOT.jar.
Please provide any additional information below.
You can get the API key from linked in from the url:
https://www.linkedin.com/secure/developer
Also see http://developer.linkedin.com/index.jspa for details about
LinkedIn OAuth.
Original issue reported on code.google.com by nabeelmukhtar
on 2 Feb 2010 at 6:05
What steps will reproduce the problem?
1. Run the command
svn checkout http://oauth-signpost.googlecode.com/svn/trunk/
oauth-signpost-read-only
2.
3.
What is the expected output? What do you see instead?
Expected output
Source code
Actual output
svn: Server sent unexpected return value (400 Bad Request) in
response to REPORT request for '/svn/!svn/vcc/default'
What version of the product are you using? On what operating system?
I am not yet using the product. I am trying to download the source so that
i can use
Please provide any additional information below.
I am using SVN on ubuntu
Connected to internet through proxy
I have attached the enthreal log of bad request for your reference
Original issue reported on code.google.com by [email protected]
on 7 Dec 2009 at 9:05
Attachments:
What steps will reproduce the problem?
I am creating the request tokens out-of-band. The DefaultOAuthProvider
will set isOAuth10a to true in retrieveRequestToken() and I get the
consumer token and token secret, which I store for later use.
I need to reconstitute the OAuthProvider at a later time to invoke
retrieveAccessToken() with the PIN that the user enters. I can create the
DefaultOAuthConsumer and initialize the token and token secret. The
OAuthProvider, though, has isOAuth10a set to false by default and there is
no way to set it to true (no setter method and it is a private property).
As such, I always get an HTTP 401 error.
In Eclipse, I can set a breakpoint before the call to retrieveAccessToken()
and reach behind the scenes and set isOAuth10a to true before the call is
made and I get a successful HTTP 200 return.
What is the expected output? What do you see instead?
I would expect there to be some way to programatically initialize
isOAuth10a to true.
I could create my own implementation that is essentially a copy of
DefaultOAuthProvider, but with a setter for isOAuth10a; however, I'd rather
not replicate code and have to keep them in sync.
What version of the product are you using? On what operating system?
snapshot-core-1.1-SNAPSHOT downloaded 2009.06.24
Please provide any additional information below. Here is the example
Twitter code modified to emulate complete reconstitution of the consumer
and provider.
public static void main(String[] args) throws Exception {
OAuthConsumer consumer = new DefaultOAuthConsumer(
CONSUMER_KEY,
CONSUMER_SECRET,
SignatureMethod.HMAC_SHA1);
OAuthProvider provider = new DefaultOAuthProvider(consumer,
"http://twitter.com/oauth/request_token",
"http://twitter.com/oauth/access_token",
"http://twitter.com/oauth/authorize");
System.out.println("Fetching request token from Twitter...");
// we do not support callbacks, thus pass OOB
String authUrl = provider.retrieveRequestToken(OAuth.OUT_OF_BAND);
System.out.println("Request token: " + consumer.getToken());
System.out.println("Token secret: " + consumer.getTokenSecret());
System.out.println("Now visit:\n" + authUrl
+ "\n... and grant this app authorization");
System.out.println("Enter the PIN code and hit ENTER when you're
done:");
BufferedReader br = new BufferedReader(new
InputStreamReader(System.in));
String pin = br.readLine();
String requestToken = consumer.getToken();
String requestTokenSecret = consumer.getTokenSecret();
// Save the requestToken and requestTokenSecret away. Pretend the rest
// of this is a whole new thread with reconstituted consumer/provider.
System.out.println("Fetching access token from Twitter...");
OAuthConsumer consumer2 = new DefaultOAuthConsumer(
CONSUMER_KEY,
CONSUMER_SECRET,
SignatureMethod.HMAC_SHA1);
consumer2.setTokenWithSecret(requestToken, requestTokenSecret);
OAuthProvider provider2 = new DefaultOAuthProvider(consumer2,
"http://twitter.com/oauth/request_token",
"http://twitter.com/oauth/access_token",
"http://twitter.com/oauth/authorize");
// Here I can set a breakpoint in Eclipse, reach behind the scenes
// and set provider2's isOAuth10a to true and it will work
provider2.retrieveAccessToken(pin);
System.out.println("Access token: " + consumer.getToken());
System.out.println("Token secret: " + consumer.getTokenSecret());
URL url = new URL("http://twitter.com/statuses/mentions.xml");
HttpURLConnection request = (HttpURLConnection) url.openConnection();
consumer2.sign(request);
System.out.println("Sending request to Twitter...");
request.connect();
System.out.println("Response: " + request.getResponseCode() + " "
+ request.getResponseMessage());
}
Original issue reported on code.google.com by [email protected]
on 24 Jun 2009 at 9:01
Currently, AbstractOAuthProvider provides a retrieveRequestToken method
which passes the endpointUrl to retrieveToken if the provider is using
OAuth 1.0a. It seems that google requires a 'scope' parameter built into
the endpoint url in the exact same manner as what would be crafted by the
additionalParameters argument of
protected void retrieveToken(OAuthConsumer consumer, String
endpointUrl,
String... additionalParameters)
I propose that retrieveRequestToken be modified to accept a varargs
additionalParameters object to be passed to retrieveToken. This should be
backward compatibile with current code while extending the functionality
of the DefaultOAuthProvider implementation.
I can not make an argument AGAINST this functionality, as providers in the
future may do other dorking with the endpointUrls like google does now,
and this change would in no way break spec-correct oauth authorization.
If I have missed something here, please tell me. Currently, my solution is
to subclass DefaultOAuthProvider, but I feel like this functionality
should be default.
Thanks,
-Stefan
Original issue reported on code.google.com by [email protected]
on 24 Mar 2010 at 3:58
What steps will reproduce the problem?
1. Try signing an HttpUrlConnection object without setting token and token-
secret parameters (that would be the case for 2 legged scenario)
2. Check the signature base string
3. Check the generated OAuth signature
What is the expected output? What do you see instead?
Signature base string should include "auth_token=&" as per section 9.1.1.
of the OAuth specs. However, the auth_token is completely ignored due to
being empty (which will always be true for 2-legged scenario) and is
missing from the signature base string.
The oAuth signature generated as a result is wrong. As a verification, it
doesn't match the signature generated by the reliable online resource -
http://www.hueniverse.com/hueniverse/2008/10/beginners-gui-1.html
What version of the product are you using? On what operating system?
Latest as of yesterday (July 14, 2009)
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 14 Jul 2009 at 9:14
hello,
currently HttpURLConnectionRequestAdapter.setRequestUrl[1] did nothing, but
how about throw a RuntimeException?
[1] http://github.com/kaeppler/signpost/blob/master/signpost-
core/src/main/java/oauth/signpost/basic/HttpURLConnectionRequestAdapter.java
#L29
Original issue reported on code.google.com by [email protected]
on 31 May 2010 at 8:19
What steps will reproduce the problem?
1. Use signpost to integrate with Vimeo's API
2. Attempt to retrieve the initial request token / auth URL
What is the expected output? What do you see instead?
The error message from Vimeo says "401 Unauthorized - Invalid signature - The
oauth_signature passed was not valid"
What version of the product are you using? On what operating system?
We're building signpost from the 1.2.SNAPSHOT branch on github
(kaeppler-signpost-cfca5b4).
We're using signpost-core only, with the default provider and consumer.
We're building it with eclipse, and running it in Java 1.6, on Mac OS X
Please provide any additional information below.
Vimeo has pretty decent docs, although they seem somewhat oriented towards PHP
users
- http://vimeo.com/api/docs/advanced-api
- http://vimeo.com/api/docs/authentication
- http://vimeo.com/api/docs/oauth
We tried the new API for setSendEmptyTokens(boolean) with both true and false,
both resulted
in the same 401 error.
Also, just wanted to note that we've used identical code with signpost to
successfully integrate
with both Twitter and Google/YouTube (Thanks very much for a great library!).
So something
different is going on with Vimeo....
Original issue reported on code.google.com by [email protected]
on 27 Jan 2010 at 7:24
What steps will reproduce the problem?
1.trying to authorize with yahoo apis it replies with the service provider
failed:
https://api.login.yahoo.com/oauth/v2/get_request_token&oauth_consumer_key=dj0
yJmk9Rmt6SWVnMlFzTTZuJmQ9WVdrOU4yVlhjbmxoTm5NbWNHbzlOalV6TnpRME5qSS0mcz1jb25z
dW1lcnNlY3JldCZ4PTEz&oauth_signature=883723e79b1dd7affe3ea0389c3a391634fab160
?oauth_callback=oob
Original issue reported on code.google.com by [email protected]
on 1 Mar 2010 at 6:16
When using signpost-1.1 with commons-codec-1.4.jar against a server that
requires OAuth 1.0a (linkedin), all requests (i.e. simply getting a request
token) fail with 401 authorization errors:
oauth_problem="signature_invalid"
It works absolutely fine with commons-codec-1.3.jar. Something is wrong
only when using 1.4.
Original issue reported on code.google.com by [email protected]
on 29 Dec 2009 at 11:47
Signpost needs to be updated to reflect the changes imposed by OAuth Core
1.0a. The library must remain backwards compatible with 1.0 service providers.
Draft 3 of OAuth Core 1.0a spec:
http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/3/
Seth Fitzsimmons was already so kind to contribute a patch which adds 1.0a
support:
http://github.com/mojodna/oauth-signpost/commit/0bc5a7bafc3c4829907d9c8033848bcc
e509a7af
What remains to do:
1) Patch trunk with Seth's changesets (or maybe open a branch for 1.0a?)
2) Write tests for 1.0a changes
3) Write tests that check whether Signpost works with both 1.0 and 1.0a
providers
Original issue reported on code.google.com by [email protected]
on 5 Jun 2009 at 8:20
What steps will reproduce the problem?
1. Run the attached file (this is a modified version of OAuthFireEagle
example but the urls modified to point to NetFlix which is a OAuth 1.0
compliant service provider).
2. If you run the attached version using June version found in
OAuthFireEagle example
(http://oauth-signpost.googlecode.com/files/OAuthFireEagleExample.zip ),
there is no issue but if you use 1.2 version you will get a 401 error.
I noticed this behavior in Android first where the result is pretty bad
(you get Received authentication challenge is null).
In the attached Java file, you have to replace consumer key and consumer
shared key with valid entries from NetFlix.
What is the expected output? What do you see instead?
What version of the product are you using? On what operating system?
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 13 Jan 2010 at 8:33
Attachments:
Signpost should support gzip encoding by default (for more effective use of
slow (cell) networks).
Original issue reported on code.google.com by [email protected]
on 9 Jun 2009 at 12:48
I Can't force url rewrite instead of HTTP Authorization.
According to the oAuth spec, anyone of the three methods for requesting
tokens can be followed.
Our servers support only URL Re-write but I can't seem to find a way of
enforcing this.
I digged in the code in HTTPURLConnectionRequestAdapter.java
public void setHeader(String name, String value) {
connection.setRequestProperty(name, value);
}
All this does is set the HTTP Authorization request property.
Is this a bug or the feature is not yet implemented?
Original issue reported on code.google.com by [email protected]
on 26 Apr 2010 at 9:19
What steps will reproduce the problem?
1.
I create a provider:
OAuthProvider provider = new DefaultOAuthProvider(consumer,
REQUEST_TOKEN_ENDPOINT_URL, ACCESS_TOKEN_ENDPOINT_URL,
AUTHORIZE_WEBSITE_URL);
where AUTHORIZE_WEBSITE_URL is:
"http://myaccount-nightly.us2.global.ad/userservices-myaccount/myaccount/confirm
_access?us_oauth_method=onestep
that is, it contains an extra parameter
2.
I get a request token
String authorizeRequestTokenUrl = provider.retrieveRequestToken(CALLBACK_URL);
The returned URL is
http://myaccount-nightly.us2.global.ad/userservices-myaccount/myaccount/confirm_
access?us_oauth_method=onestep?oauth_token=51895058-4178-4a89-9ead-6cd969691e47&
oauth_callback=http%3A%2F%2Fmy.domain.com
and it is incorrect, it contains two '?' because
DefaultOAuthProvider.retrieveRequestToken does not check the existence of
'?' in the URL.
3.
What is the expected output? What do you see instead?
DefaultOAuthProvider.retrieveRequestToken should check the existence of
parameters in the URL and if there is one then it should append '&' instead
of '?' as a starter for oauth parameters.
The OAuth spec 1.0, chapter 6.2.1 states that additional parameters are
accepted so Signpost should support those.
What version of the product are you using? On what operating system?
1.0-SNAPSHOT on Mac OSX
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 3 Jun 2009 at 12:54
Currently one must sign every request before sending. With HttpClient,
there is built-in support for adding new auth methods that should work with
OAuth. It shouldn't be difficult to create a wrapper for
CommonsHttpOAuthConsumer to implement org.apache.http.auth.AuthScheme.
Looking at existing AuthScheme implementations should help:
http://hc.apache.org/httpcomponents-client/httpclient/xref/org/apache/http/impl/
auth/
You need to implement AuthSchemeFactory but it doesn't do much more than
create AuthScheme instances. Then use a Credentials instance (you might
need to create your own subclass) to hold the consumer key/secret and Auth
Token/ secret token.
The processChallenge method of AuthScheme is only used to extract the
'realm' of a WWW-Authenticate header I think.
Original issue reported on code.google.com by [email protected]
on 5 May 2010 at 5:13
Wasn't able to find Javadocs for the library. Am I missing it or its not
available?
Original issue reported on code.google.com by [email protected]
on 25 Mar 2010 at 6:20
What steps will reproduce the problem?
Call retrieveAccessToken() on an OAuth provider, which expects POST.
(The one I'm testing with is not yet publicly available)
What is the expected output? What do you see instead?
Expected output is the access token, instead I receive an HTTP 405 (Method
Not Allowed)
What version of the product are you using? On what operating system?
1.2, both on Windows and in GAE
Please provide any additional information below.
If you want to test with the service provider, please approach developers
at twelvesprints dot com.
Original issue reported on code.google.com by [email protected]
on 17 Feb 2010 at 6:09
What is the expected output? What do you see instead?
What version of the product are you using? On what operating system?
Latest version of oauth-signpost
Please provide any additional information below.
I am trying to authenticate against a web service using Oauth and all works
well until I request and access token. I get a 401 not authorized when I
try getting an access_token. I am guessing its because the site expects
www-authenicate realm attribute. Is there any way in which I can append it
to the request before its sent.
Original issue reported on code.google.com by itsmeritesh
on 14 Oct 2009 at 10:02
What steps will reproduce the problem?
1. If you use the FireEagle example, but instead of not having a callback,
you do have a callback in the line authUrl = provider.retrieveRequestToken
(Callback);
What is the expected output? What do you see instead?
Signpost throws an error when trying to do this:
10-20 09:53:11.736: WARN/System.err(809): Caused by: java.io.IOException:
Received authentication challenge is null
This is the same as issue 20.
What version of the product are you using? On what operating system?
I am using the source files for the August 2009 release. I am using it on
Android 1.6.
Please provide any additional information below.
The call appears to work properly when there is no callback. Ignoring the
exception results in nulls for everything coming back.
Original issue reported on code.google.com by [email protected]
on 20 Oct 2009 at 1:56
When signing a POST request for e.g.
"http://api.soundcloud.com/tracks/3130960/comments?
comment%5Bbody%5D=This+is+a+test+comment", signpost doesn't seem to correctly
construct
the signature base string. This is the debug output:
[SIGNPOST] SBS:
POST&http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F3130960%2Fcomments&comment%25255
Bbody%25255D%3D%26oauth_consumer_key%3DHXPgy7JJG5DLCMkyqBvksA%26oauth_nonce%3D
5646301471762814286%26oauth_signature_method%3DHMAC-
SHA1%26oauth_timestamp%3D1274917474%26oauth_token%3DZB4G8jA8Tsol2j7ge2yjIA%26oau
t
h_version%3D1.0
[SIGNPOST] signature: z82Wn/C7amPx8zC9jLgbyamyj7g=
[SIGNPOST] Auth header: OAuth oauth_token="ZB4G8jA8Tsol2j7ge2yjIA",
oauth_consumer_key="HXPgy7JJG5DLCMkyqBvksA", oauth_version="1.0",
oauth_signature_method="HMAC-SHA1", oauth_timestamp="1274917474",
oauth_nonce="5646301471762814286",
oauth_signature="z82Wn%2FC7amPx8zC9jLgbyamyj7g%3D"
[SIGNPOST] Request URL: http://api.soundcloud.com/tracks/3130960/comments?
comment%5Bbody%5D=This+is+a+test+comment
I'm not sure what the SBS should be, although according to
http://googlecodesamples.com/oauth_playground/, the SBS should begin with:
POST&http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F3130960%2Fcomments&comment%25255
Bbody%25255D%3DThis%252Bis%252Ba%252Btest%252Bcomment%26oauth_consumer_key...
It's possible that this bug affects other (non-GET?) request types.
Original issue reported on code.google.com by [email protected]
on 27 May 2010 at 12:27
What steps will reproduce the problem?
OAuthProvider twitterProvider = new
DefaultOAuthProvider("http://twitter.com/oauth/request_token",
"http://twitter.com/oauth/access_token",
"http://twitter.com/oauth/authorize");
OAuthConsumer twitterConsumer = new
DefaultOAuthConsumer("VFqtJrYSGatXtpACsHkcw","3RbwpCa2wkcvFj0J4xk0RXyDZSlSJGzdfI
g66ZLHmt8");
OAuthConsumer consumer = twitterConsumer;
OAuthProvider provider = twitterProvider;
String authUrl = provider.retrieveRequestToken(consumer,
"http://www.stefankendall.com:8080/test.jsp");
What is the expected output? What do you see instead?
The URL provided should properly encode the callback URL so that twitter
can redirect to the appropriate callback site. With 1.2.1-SNAPSHOT, the URL
appears to get encoded, and Twitter does not redirect, rather stating that
the given URL destination does not exist.
What version of the product are you using? On what operating system?
1.2.1-SNAPSHOT. This works on 1.2, but fails on 1.2.1-SNAPSHOT.
Original issue reported on code.google.com by [email protected]
on 15 Mar 2010 at 6:59
What steps will reproduce the problem?
Googel OAuth
1. getRequestToken
2. Authorize
3. User selects Deny (cancel)
4. Callback is called (requestToken seems to be authorized)
5. getAccessToken generates OAuthExpectationFailedException
What is the expected output? What do you see instead?
If user selects "deny" during authorization, Google seems to consider the
requestToken to be authorized with no indication of user "denied". When
trying the exchange the requestToken to accessToken Google responds with
400 Bad Request (The request token is invalid).
I think 400 should be represented as a specific exception e.g
OAuthInvalidRequestTokenException or if this is common practice between
all/most providers OAuthAuthorizationDeniedException
What version of the product are you using? On what operating system?
signpost-core-1.2
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 8 Feb 2010 at 8:12
Signpost should be decoupled from concrete HTTP implementations so that it
becomes useful for environments that do not use the Apache HttpComponents.
Tasks:
1) Introduce interface abstractions for message signing (i.e. HttpRequest)
2) Provide implementations via adapter classes (e.g. for Apache, Jetty, etc.)
3) Distribute library in implementation specific JARs (e.g. signpost-jetty.jar)
Please discuss.
Original issue reported on code.google.com by [email protected]
on 25 May 2009 at 7:59
What steps will reproduce the problem?
1. Attached is the twitter example showing the problem
I am not sure if this is a Jaiku issue or signpost but I get the following
exception:
Exception in thread "main"
oauth.signpost.exception.OAuthCommunicationException: Communication with
the service provider failed: URLDecoder: Illegal hex characters in escape
(%) pattern - For input string: " a"
I will continue to investigate and update accordingly.
Original issue reported on code.google.com by charroch
on 11 Jul 2009 at 7:52
Attachments:
When creating a request token, the oauth_callback param is a query
parameter, whereas all other oauth_* parameters are inside the
Authorization header.
Original issue reported on code.google.com by [email protected]
on 4 Nov 2009 at 6:45
Service Provider, the timestamp is expressed in the number of seconds since
January 1, 1970
00:00:00 GMT
The current implementation uses milliseconds:
DefaultOAuthConsumer.java:97
map.put(OAuth.OAUTH_TIMESTAMP, Long.toString(System.currentTimeMillis()));
Google's OAuth implementation checks the timestamp and issues a "timestamp is
too far from
current time" error if milliseconds are used.
Dividing by 1000 fixes the problem (and lets me access the Google Portable
Contacts API using
OAuth)
Original issue reported on code.google.com by [email protected]
on 7 May 2009 at 10:33
What steps will reproduce the problem?
Not sure, really... I followed the tutorial on signing in to Google, and
got this stacktrace.
What is the expected output? What do you see instead?
I'm getting an Unexpected response, I can see that from the stacktrace, but
the error I end up with on the lowest level is a FileNotFoundException. I'm
not really sure what I should do with that:
E/Floating Image(22174): Picasa: Error signing in!
E/Floating Image(22174):
oauth.signpost.exception.OAuthCommunicationException: Communication with
the service provider failed:
https://www.google.com/accounts/OAuthGetRequestToken?scope=http%3A%2F%2Fpicasawe
b.google.com%2Fdata
E/Floating Image(22174): at
oauth.signpost.AbstractOAuthProvider.retrieveToken(AbstractOAuthProvider.java:21
4)
E/Floating Image(22174): at
oauth.signpost.AbstractOAuthProvider.retrieveRequestToken(AbstractOAuthProvider.
java:69)
E/Floating Image(22174): at
dk.nindroid.rss.parser.picasa.PicasaFeeder.signIn(PicasaFeeder.java:46)
E/Floating Image(22174): at
dk.nindroid.rss.settings.PicasaBrowser.onListItemClick(PicasaBrowser.java:95)
E/Floating Image(22174): at
android.app.ListActivity$2.onItemClick(ListActivity.java:312)
E/Floating Image(22174): at
android.widget.AdapterView.performItemClick(AdapterView.java:284)
E/Floating Image(22174): at
android.widget.ListView.performItemClick(ListView.java:3287)
E/Floating Image(22174): at
android.widget.AbsListView$PerformClick.run(AbsListView.java:1645)
E/Floating Image(22174): at
android.os.Handler.handleCallback(Handler.java:587)
E/Floating Image(22174): at
android.os.Handler.dispatchMessage(Handler.java:92)
E/Floating Image(22174): at android.os.Looper.loop(Looper.java:123)
E/Floating Image(22174): at
android.app.ActivityThread.main(ActivityThread.java:4320)
E/Floating Image(22174): at java.lang.reflect.Method.invokeNative(Native
Method)
E/Floating Image(22174): at java.lang.reflect.Method.invoke(Method.java:521)
E/Floating Image(22174): at
com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:791)
E/Floating Image(22174): at
com.android.internal.os.ZygoteInit.main(ZygoteInit.java:549)
E/Floating Image(22174): at dalvik.system.NativeStart.main(Native Method)
E/Floating Image(22174): Caused by: java.io.FileNotFoundException:
https://www.google.com/accounts/OAuthGetRequestToken?scope=http%3A%2F%2Fpicasawe
b.google.com%2Fdata
E/Floating Image(22174): at
org.apache.harmony.luni.internal.net.www.protocol.http.HttpURLConnection.getInpu
tStream(HttpURLConnection.java:1061)
E/Floating Image(22174): at
org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnection.getIn
putStream(HttpsURLConnection.java:252)
E/Floating Image(22174): at
oauth.signpost.basic.HttpURLConnectionResponseAdapter.getContent(HttpURLConnecti
onResponseAdapter.java:18)
E/Floating Image(22174): at
oauth.signpost.AbstractOAuthProvider.handleUnexpectedResponse(AbstractOAuthProvi
der.java:228)
E/Floating Image(22174): at
oauth.signpost.AbstractOAuthProvider.retrieveToken(AbstractOAuthProvider.java:18
9)
E/Floating Image(22174): ... 16 more
What version of the product are you using? On what operating system?
Using signpost-core-1.2.1.1. Also added the commons-codec-1.3 for good
measure, but that didn't do much (not sure what it's for, really).
Please provide any additional information below.
This is the code I run:
OAuthConsumer consumer = new DefaultOAuthConsumer(KEY, SECRET);
OAuthProvider provider = new DefaultOAuthProvider(
"https://www.google.com/accounts/OAuthGetRequestToken?scope=" +
URLEncoder.encode("http://picasaweb.google.com/data", "utf-8"),
"https://www.google.com/accounts/OAuthGetAccessToken",
"https://www.google.com/accounts/OAuthAuthorizeToken?hd=default");
String authURL = provider.retrieveRequestToken(consumer, OAuth.OUT_OF_BAND);
Original issue reported on code.google.com by [email protected]
on 2 May 2010 at 8:56
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.