anish-adm / oauth-signpost Goto Github PK

What steps will reproduce the problem?
1. Create a netflix provider and consumer.
2. Call provider.retrieveRequestToken( consumer, {OAuth.OUT_OF_BAND|
callbackurl} );


What is the expected output? What do you see instead?
I would expect to get back a proper authorization URL to present the user 
to use in a web browser. Instead, I receive:

<status>
  <status_code>
    400
  </status_code>
  <message>
    oauth_consumer_key is missing
  </message>
</status>

What version of the product are you using? On what operating system?
1.2, Windows 7. JDK 1.6.0_18.

Please provide any additional information below.
This is either an issue with Netflix's OAuth implementation or an issue 
with SignPost. I haven't read the OAuth spec, so I'm unsure which is 
incorrect. Regardless, if other services don't break if the consumer key 
is explicitly passed as a parameter, that should probably be default 
behavior.

What steps will reproduce the problem?
1. Add signpost-core-1.2.1.1 and signpost-commonshttp4-1.2.1.1 to build 
path
2. Set consumer tokenkey and secret
3. Attemp to get OauthUrl to allow protected access

What is the expected output? What do you see instead?

W/System.err(32162): Caused by: 
oauth.signpost.exception.OAuthCommunicationException: Communication with 
the service provider failed: 
https://www.google.com/accounts/OAuthGetRequestToken?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fbuzz
W/System.err(32162):    at 
oauth.signpost.AbstractOAuthProvider.retrieveToken(AbstractOAuthProvider.ja
va:214)
W/System.err(32162):    at 
oauth.signpost.AbstractOAuthProvider.retrieveRequestToken(AbstractOAuthProv
ider.java:69)
W/System.err(32162):    at 
org.lxtnow.testOauth.testoauth.onCreate(testoauth.java:62)
W/System.err(32162):    ... 13 more
W/System.err(32162): Caused by: java.io.FileNotFoundException: 
https://www.google.com/accounts/OAuthGetRequestToken?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fbuzz
W/System.err(32162):    at 
org.apache.harmony.luni.internal.net.www.protocol.http.HttpURLConnection.ge
tInputStream(HttpURLConnection.java:1061)
W/System.err(32162):    at 
org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnection.
getInputStream(HttpsURLConnection.java:252)
W/System.err(32162):    at 
oauth.signpost.basic.HttpURLConnectionResponseAdapter.getContent(HttpURLCon
nectionResponseAdapter.java:18)
W/System.err(32162):    at 
oauth.signpost.AbstractOAuthProvider.handleUnexpectedResponse(AbstractOAuth
Provider.java:228)
W/System.err(32162):    at 
oauth.signpost.AbstractOAuthProvider.retrieveToken(AbstractOAuthProvider.ja
va:189)
W/System.err(32162):    ... 15 more
D/AndroidRuntime(32162): Shutting down VM
W/dalvikvm(32162): threadid=3: thread exiting with uncaught exception 
(group=0x4001e170)
E/AndroidRuntime(32162): Uncaught handler: thread main exiting due to 
uncaught exception


What version of the product are you using? On what operating system?

version 1.2.1.1 for both core and commonshttp4
Also tried bundled version from OAuthGoogleExample from Git repository

Please provide any additional information below.

I'd like to be able to use Signpost to authenticate against Facebook new Graph 
API, which uses 
OAuth 2.0.  I'm guessing that there isn't support in Signpost for OAuth 2.0.  I 
also understand that 
the standard is evolving.  That said, I'm willing to take a first-stab at 
providing OAuth 2.0 support in 
signpost, with the understanding that support may need to evolve with the 
standard.

I opened this bug primarily to get your thoughts on OAuth 2.0 and Signpost.

When posting to twitter using code similar to the following:

----------------------------
final URL url = new URL("http://twitter.com/statuses/update.xml");
final HttpURLConnection request = url.openConnection();

request.setRequestMethod("POST");
request.setRequestProperty("Content-Type",
"application/x-www-form-urlencoded");
request.setRequestProperty("Content-Length", "" +
Integer.toString(params.getBytes().length));
request.setRequestProperty("Content-Language", "en-US");
request.setUseCaches(false);
request.setDoInput(true);
request.setDoOutput(true);
consumer.sign(request);
try {
   final DataOutputStream out = new
DataOutputStream(request.getOutputStream());
   out.writeBytes("status=test");
   out.flush();
   out.close();
} catch (IOException ex) { ex.printStackTrace(); }
----------------------------
(The actual code can be found here:
http://git.dmdirc.com/cgit.cgi/client-shane/tree/src/com/dmdirc/addons/parser_tw
itter/api/TwitterAPI.java?h=twitter
- setStatus(), postXML(), getXML() and signURL())

This gives the output:
----------------------------
<?xml version="1.0" encoding="UTF-8"?>
<hash>
 <request>/statuses/update.xml</request>
 <error>Incorrect signature</error>
</hash>
----------------------------

Everything works fine when using GET.

What steps will reproduce the problem?
1. use 1.2.1.1 of oauth and do some setup using the api.login.yahoo.com 
oauth server
create consumer and provider
2. Get the request auth url
provider.retrieveRequestToken(...)
3. Run code on an android phone

What is the expected output? What do you see instead?
I was expecting the auth url (the code works on my laptop), but I get this 
error

E/VerificationActivity( 1357): 
oauth.signpost.exception.OAuthCommunicationException: Communication with 
the service provider failed: null
...
E/VerificationActivity( 1357): Caused by: java.lang.NullPointerException
E/VerificationActivity( 1357):  at 
org.apache.harmony.luni.internal.net.www.protocol.http.HttpURLConnection.re
adln(HttpURLConnection.java:1178)...

What version of the product are you using? On what operating system?
1.2.1.1  The code works on Redhat, windows, and Ubuntu, but failed me when 
I ran on ether an android emulator or an android phone

Please provide any additional information below.

The problem seems to be an issue with what yahoo returns though i dont know 
whats happening.  other sites work alright.

Thanks for taking the time to look at this issue.

In order to do get request token and get access token in different threads,
it is necessary to save the provider object. Having a serializable instance
simplifies storing and re-creation. 

The front page mentions that:

"[OAuthConsumer and OAuthProvider] are also serializable, so you can 
persist and restore them later."

I found that to not be the case. When I restore an OAuthConsumer to sign a 
request, it will fail with this traceback:

java.lang.NullPointerException
        at oauth.signpost.signature.OAuthMessageSigner.base64Encode
(OAuthMessageSigner.java:66)
        at oauth.signpost.signature.HmacSha1MessageSigner.sign
(HmacSha1MessageSigner.java:55)
        at oauth.signpost.AbstractOAuthConsumer.sign
(AbstractOAuthConsumer.java:97)
        at oauth.signpost.AbstractOAuthConsumer.sign
(AbstractOAuthConsumer.java:107)

This is because OAuthMessageSigner.base64 is transient and thus wasn't 
serialized.

When obtaining an Unauthorized Request Token, the request must be signed 
http://oauth.net/core/#auth_step1) However, at that point a Token Secret is not 
available. The 
specification allows for this in section 9.2. HMAC-SHA1 
(http://oauth.net/core/#anchor16) by 
not requiring a Token Secret (the implication is that it's the url-encoded 
consumer secret 
followed by an "&" and nothing else)

HmacSha1MessageSigner.java:25
 String keyString = OAuth.percentEncode(getConsumerSecret()) + '&' + 
OAuth.percentEncode(getTokenSecret());

Which depends on oauth.signpost.OAuth.percentEncode, which depends on 
com.google.gdata.util.common.base.PercentEscaper, which fails with an NPE if 
the Token Secret 
is null.

A quick fix is to add a test in oauth.signpost.OAuth.percentEncode and just 
return an empty 
string in the parameter is null.

With that fix, I could access Twitter using OAuth.

What steps will reproduce the problem?
1. Create a httpurlconnection for posting to a url endpoint
2. the getMessagePayload() method on httprequestadaptor will return null
3. SignatureBaseString.java will be used when signing the request. the
following lines of code are executed:

        if (contentType != null && contentType.equals(OAuth.FORM_ENCODED)) {
            InputStream payload = request.getMessagePayload();
            parameters.addAll(OAuth.decodeForm(payload));
        }

payload will be null as described in #2, and will throw a null error when
OAuth.decodeForm(payload) is called. 


What is the expected output? What do you see instead?
A null pointer will not be thrown


What version of the product are you using? On what operating system?
1.1

Please provide any additional information below.
More code available upon request.

Example below of signing post request httpurlconnection

            HttpURLConnection request = (HttpURLConnection)
url.openConnection();     

            request.setRequestMethod("POST");
            request.setAllowUserInteraction(false); // you may not ask the user
            request.setDoInput(true);
            request.setDoOutput(true);
            request.setUseCaches(false);
            // the Content-type should be default, but we set it anyway
            request.setRequestProperty("Content-Type",
"application/x-www-form-urlencoded");
            // the content-length should not be necessary, but we're cautious
            request.setRequestProperty( "Content-length",
Integer.toString(queryParams.length()));

            consumer.sign(request);

            //get the output stream to POST our form data
            OutputStreamWriter wr = new
OutputStreamWriter(request.getOutputStream());
            wr.write(queryParams);
            wr.flush();
            wr.close();

What steps will reproduce the problem?
1. Go through an entire request/access token against a python-oauth server.
2. Use the access token to try to access something.
3. The python-oauth library (the reference implementation for OAuth) barfs
because the signature is "IYALjIZeGwFri8xtv4uIaDBO3Ow%3D%0D%0A" which
decodes to 'IYALjIZeGwFri8xtv4uIaDBO3Ow=\r\n'.

What is the expected output? What do you see instead?

'IYALjIZeGwFri8xtv4uIaDBO3Ow='

What version of the product are you using? On what operating system?

Latest from svn.

Please provide any additional information below.

Change line 49 to be:

            return base64Encode(mac.doFinal(text)).trim();

And it all works.

What steps will reproduce the problem?

Current signing options:
1A. consumer.sign(HttpRequest request) -> HTTPRequest
1B. consumer.sign(Object request) -> HTTPRequest
1C. consumer.sign(String url) -> String (Url+query params)

What is the expected output? What do you see instead?
1D. consumer.sign(String url) -> Map<String,String>

Having a new sign method returning a map with all oauth params would enable 
simple usage/integration with xoauth SASL or other non HTTP transport 
calls. 

What steps will reproduce the problem?
1. use the java code example for fireeagle
2. try to update user-position

What is the expected output? What do you see instead?
Error: 400 bad request

What version of the product are you using? On what operating system?
I use android 1.5

First off, I'd like to say thank you to Mattias for a truly useful contribution 
to the java community.  I've used signpost 
(mostly 1.1) against three APIs (tripit, opentable, and now digg), and while 
it's often required some heavy modification 
and experimentation, I've generally been successful.  

But that being said, then along came Digg.  I spent two days trying to get 
signpost 1.2 working with the Digg API, and 
was about to throw in the towel before I finally found this thread from last 
month:

http://groups.google.com/group/diggapi/browse_thread/thread/51472d4c8ede6c8b/832
b74a731245824

If you follow the recommendations in all three pastie.org posts, then make a 
few tweaks to fix obvious errors, then set 
the Content-Type to OAuth.FORM_ENCODED, the proposed solution will work.

But it requires overloading FIVE signpost classes, and copying and pasting a 
majority of code from each one.

Surely there must be a way to access the Digg API from signpost that doesn't 
require overloading so many classes, let 
alone copying and pasting so much code.

As far as I can tell, Digg doesn't seem to be violating the oauth 1.0a 
specification, so it would be nice if signpost could 
handle this api gracefully.

Thanks again for the great work!

What steps will reproduce the problem?
1. When exchanging a request token for an access token Signpost generates
an URL like this

http://localhost:8080/userservices/oauth/access_token?oauth_token=a4d14ddb-3eaf-
4706-8693-eaabc2e21c84&oauth_token_secret=lHX2uM6CM77eqPTzMniigIoRWCpSkAYwwXBq/7
FOyCQEcu2jKQVs4Rp9k7ADQEG24MLByTnOKMXNZOQXiWZH9YKvPuJCEw4OH/ik3kN4wy0=

that is, outh_token_secret is sent to OAuthProvider - this is not needed
and it is a security risk.

Further, having aouth_token encoded as part of the Http GET URL is in
contradiction with what is stated in the Signpost documentation that says
that OAuth parameters are sent as part of the Http Authorize header.

And yes, oauth_token is also sent as part of the Authorize header! This
means that the signature base to used to produces the signature looks like
this:

GET&
http%3A%2F%2Flocalhost%3A8080%2Fuserservices%2Foauth%2Faccess_token&
oauth_consumer_key%3Dmyphone%26
oauth_nonce%3D1242810500517710000%26
oauth_signature_method%3DHMAC-SHA1%26
oauth_timestamp%3D1242810500%26
oauth_token%3D82afaed0-42ea-4129-a914-2f53d42e7346%26
oauth_token%3D82afaed0-42ea-4129-a914-2f53d42e7346%26
oauth_token_secret%3DjOvfP3mjn7z%252FDJXVaaMuLwoLRR2EVxfFnFEbbLBlhbZMBBweD2hSREt
UghfL1LFVl7QbpNvKpb%2520926oeJR3ZlzdtGuaAT8YCvSrQ7IVXlxM%253D%26
oauth_version%3D1.0   

Note that oauth_token occurrs twice.

What is the expected output? What do you see instead?

I would propose to 
A) remove the oauth_token_secret from URL
B) remove the oauth_token from URL
It is enough to generate an URL like this:
http://localhost:8080/userservices/oauth/access_token

What version of the product are you using? On what operating system?
1.0-SNAPSHOT on Mac OSX

Please provide any additional information below.
I encountered this problem when I got 401 for this request, my Provider
being developed with Spring Oauth/Security. Spring drops the double
oauth_token and uses this signature base string

GET&
http%3A%2F%2Flocalhost%3A8080%2Fuserservices%2Foauth%2Faccess_token&
oauth_consumer_key%3Dmyphone%26
oauth_nonce%3D1242810500517710000%26
oauth_signature_method%3DHMAC-SHA1%26
oauth_timestamp%3D1242810500%26
oauth_token%3D82afaed0-42ea-4129-a914-2f53d42e7346%26
oauth_token_secret%3DjOvfP3mjn7z%252FDJXVaaMuLwoLRR2EVxfFnFEbbLBlhbZMBBweD2hSREt
UghfL1LFVl7QbpNvKpb%2520926oeJR3ZlzdtGuaAT8YCvSrQ7IVXlxM%253D%26
oauth_version%3D1.0 

What steps will reproduce the problem?
When you try to sign a MultipartEntity with the sign() method, it throws an
exception because MultipartEntity doesn't support getOutputStream().

What is the expected output? What do you see instead?
Not to throw the exception if you are trying to sign MultipartEntity requests.

What version of the product are you using? On what operating system?
signpost-core-1.1-SNAPSHOT.jar, signpost-commonshttp4-1.1-SNAPSHOT.jar  on
Windows XP.

Please provide any additional information below.
Not applicable.

It looks like the callback parameter given to retrieveRequestToken in the
DefaultOAuthProvider is hex encoded twice, resulting in an incorrect signature.

A first time at the line 70 of the class:

retrieveToken(OAuth.addQueryParameters(requestTokenEndpointUrl,
                OAuth.OAUTH_CALLBACK, OAuth.percentEncode(callbackUrl)));

And the second time a few steps later in the addQueryParameters method.

What version of the product are you using? On what operating system?

SVN version on android.

What steps will reproduce the problem?
1. Update TwitterAndSignpost sample application to work with signpost  1.2.1.1
2. Modify sample application to perform signing and executing HTTP requests
in loop (e.g. 20 times)
3. Incidentally (2-3 requests on 20) application receives from Twitter
HTTP/1.1 401 Unauthorized,
{"request":"/1/account/verify_credentials.json","error":"Invalid / used nonce"}
4. I attached my sample application used in tests.

What is the expected output? What do you see instead?
This error should never appear.

What version of the product are you using? On what operating system?
Signpost 1.2.1.1, Android 1.5

Please provide any additional information below.
This problem doesn't appear in version 1.1. I compared oauth_nonce value
send by both versions and they are shorter in previous version.

I fixed that problem by changing nonce generator to use Integer instead of
Long (generate shorter oauth_nonce). It helps with Twitter.

Original nonce generator (function from
/signpost-core/src/main/java/oauth/signpost/AbstractOAuthConsumer.java):
    protected String generateNonce() {
        return Long.toString(new Random().nextLong());
    }

Generator with fix:
    protected String generateNonce() {
        return Integer.toString(new Random().nextInt());
    }

What steps will reproduce the problem?
1. Using the Netflix example at http://github.com/kaeppler/signpost-
examples/tree/master/OAuthNetflixExample/src
2. Specifically, the call to  provider.retrieveRequestToken(consumer, 
callBackUrl);

What is the expected output? What do you see instead?
I expect to get a link to redirect the user to, I do not get anything and 
recieve an OAuthCommunicationException. A stacktrace says that this is due 
to:
java.io.FileNotFoundException: http://api.netflix.com/oauth/request_token
By ARP-poisoning my phone and using Wireshark I can see that this is 
because retrieveRequestToken uses POST when according to the Netflix API I 
should be using GET.

What version of the product are you using? On what operating system?
Android 1.6

Please provide any additional information below.
Does the Netflix example code work? Should I just create my own helper 
method to make the call through GET and rely for everything else on oauth-
signpost?

When I sign HttpUrlConnection witch has request method set to 'PUT', I get 
'401 Authorization Required' response from server. This happens with 
signpost-core-1.2, signpost-core-1.2.1, signpost-core-1.2.1.1
With signpost-core-1.1 it works correctly.

Other request methods works ok with all versions of library.

I'm using this library to communicate with http://blip.pl (but it's in Polish 
so I think that doesn't help)

What steps will reproduce the problem?
1. Add Aug 31 snapshot to build path (java)
2. Clear any existing user data / tokens
3. Attempt to get login url and request token
Kaboom!
4. Switch build path to use Julyu snapshot
5. attempt to get login url and r. token
Success!

What is the expected output? What do you see instead?

Expected: the Login Url with parameters, and request token set.
Instead: I get an exception
oauth.signpost.exception.OAuthCommunicationException: Communication
with the service provider failed: Received authentication challenge is
null
   at oauth.signpost.basic.DefaultOAuthProvider.retrieveToken
(DefaultOAuthProvider.java:152)
   at oauth.signpost.basic.DefaultOAuthProvider.retrieveRequestToken
(DefaultOAuthProvider.java:69) 

What version of the product are you using? On what operating system?

Aug 31 Snapshot (kaboom) vs July Snapshot(works fine) - Android

Please provide any additional information below.

This can be consistently resolved / repeated by switching my build path
info to use the different snapshots. Another user has reported a similar
error on the groups.

Once I have the access token stored locally, either jar works just fine.
The issue is limited to the getToken method of the provider.

Java 1.6 class files were reported to cause problems with Android.

Would be nice to add this static method to OAuthConsumer or some other 
class, it's a quick hack to allow POST url-encoded while using java.net
( it can also be used in user code )

    public static void signAndSend(OAuthConsumer consumer,       
            HttpURLConnection req, final byte[] payload) 
        throws ... 
    {
        HttpRequest spReq = new HttpURLConnectionRequestAdapter(req) {
            public InputStream getMessagePayload() {
                return new ByteArrayInputStream(payload);
            }
        };

        consumer.sign(spReq);

        OutputStream os = req.getOutputStream();
        os.write(payload);
        os.close();
    }

A better option would be to refactor the interfaces so signAndSend() with 
payload is common to all http client wrappers. 

If I don't care about specific error conditions, I'd like to write a simplified 
`catch` (for a single type of OAuth exception).

Thoughts?

What steps will reproduce the problem?
1. Run the attached file after substituting your API consumer key and
secret for LinkedIn.
2. The example is taken from the linked in forums and the majority of
LinkedIn API work with signpost-core-1.2 except for the one mentioned in
the example.
3. As far as I can guess, when you supply two parameters with the same name
(type parameter in this example), the signpost library throws 401
unauthorized error.

What is the expected output? What do you see instead?
I should get 200 response with a list of all the network updates. Instead I
get a 401 response with the error message. I have also tried
consumer.setCompatibilityModeForEmptyTokens(true); to no avail.


What version of the product are you using? On what operating system?
I am using signpost-core-1.2.jar. It was working correctly on a snapshot
version signpost-core-1.1-SNAPSHOT.jar.


Please provide any additional information below.
You can get the API key from linked in from the url:
https://www.linkedin.com/secure/developer

Also see http://developer.linkedin.com/index.jspa for details about
LinkedIn OAuth.

What steps will reproduce the problem?
1. Run the command 
            svn checkout http://oauth-signpost.googlecode.com/svn/trunk/
oauth-signpost-read-only
2.
3.

What is the expected output? What do you see instead?
Expected output
      Source code 
Actual output 
      svn: Server sent unexpected return value (400 Bad Request) in
response to REPORT request for '/svn/!svn/vcc/default'

What version of the product are you using? On what operating system?
I am not yet using the product. I am trying to download the source so that
i can use

Please provide any additional information below.
I am using SVN on ubuntu
Connected to internet through proxy
I have attached the enthreal log of bad request for your reference

What steps will reproduce the problem?

I am creating the request tokens out-of-band.  The DefaultOAuthProvider
will set isOAuth10a to true in retrieveRequestToken() and I get the
consumer token and token secret, which I store for later use.

I need to reconstitute the OAuthProvider at a later time to invoke
retrieveAccessToken() with the PIN that the user enters.  I can create the
DefaultOAuthConsumer and initialize the token and token secret.  The
OAuthProvider, though, has isOAuth10a set to false by default and there is
no way to set it to true (no setter method and it is a private property).

As such, I always get an HTTP 401 error.

In Eclipse, I can set a breakpoint before the call to retrieveAccessToken()
and reach behind the scenes and set isOAuth10a to true before the call is
made and I get a successful HTTP 200 return.

What is the expected output? What do you see instead?

I would expect there to be some way to programatically initialize
isOAuth10a to true.

I could create my own implementation that is essentially a copy of
DefaultOAuthProvider, but with a setter for isOAuth10a; however, I'd rather
not replicate code and have to keep them in sync.

What version of the product are you using? On what operating system?

snapshot-core-1.1-SNAPSHOT downloaded 2009.06.24

Please provide any additional information below.  Here is the example
Twitter code modified to emulate complete reconstitution of the consumer
and provider.

public static void main(String[] args) throws Exception {

        OAuthConsumer consumer = new DefaultOAuthConsumer(
                CONSUMER_KEY,
                CONSUMER_SECRET,
                SignatureMethod.HMAC_SHA1);

        OAuthProvider provider = new DefaultOAuthProvider(consumer,
                "http://twitter.com/oauth/request_token",
                "http://twitter.com/oauth/access_token",
                "http://twitter.com/oauth/authorize");

        System.out.println("Fetching request token from Twitter...");

        // we do not support callbacks, thus pass OOB
        String authUrl = provider.retrieveRequestToken(OAuth.OUT_OF_BAND);

        System.out.println("Request token: " + consumer.getToken());
        System.out.println("Token secret: " + consumer.getTokenSecret());

        System.out.println("Now visit:\n" + authUrl
                + "\n... and grant this app authorization");
        System.out.println("Enter the PIN code and hit ENTER when you're
done:");

        BufferedReader br = new BufferedReader(new
InputStreamReader(System.in));
        String pin = br.readLine();

        String requestToken = consumer.getToken();
        String requestTokenSecret = consumer.getTokenSecret();

        // Save the requestToken and requestTokenSecret away.  Pretend the rest
        // of this is a whole new thread with reconstituted consumer/provider.

        System.out.println("Fetching access token from Twitter...");

        OAuthConsumer consumer2 = new DefaultOAuthConsumer(
                CONSUMER_KEY,
                CONSUMER_SECRET,
                SignatureMethod.HMAC_SHA1);

        consumer2.setTokenWithSecret(requestToken, requestTokenSecret);

        OAuthProvider provider2 = new DefaultOAuthProvider(consumer2,
                "http://twitter.com/oauth/request_token",
                "http://twitter.com/oauth/access_token",
                "http://twitter.com/oauth/authorize");

        // Here I can set a breakpoint in Eclipse, reach behind the scenes
        // and set provider2's isOAuth10a to true and it will work
        provider2.retrieveAccessToken(pin);

        System.out.println("Access token: " + consumer.getToken());
        System.out.println("Token secret: " + consumer.getTokenSecret());

        URL url = new URL("http://twitter.com/statuses/mentions.xml");
        HttpURLConnection request = (HttpURLConnection) url.openConnection();

        consumer2.sign(request);

        System.out.println("Sending request to Twitter...");
        request.connect();

        System.out.println("Response: " + request.getResponseCode() + " "
                + request.getResponseMessage());
    }

Currently, AbstractOAuthProvider provides a retrieveRequestToken method 
which passes the endpointUrl to retrieveToken if the provider is using 
OAuth 1.0a. It seems that google requires a 'scope' parameter built into 
the endpoint url in the exact same manner as what would be crafted by the 
additionalParameters argument of

    protected void retrieveToken(OAuthConsumer consumer, String 
endpointUrl,
            String... additionalParameters)

I propose that retrieveRequestToken be modified to accept a varargs 
additionalParameters object to be passed to retrieveToken. This should be 
backward compatibile with current code while extending the functionality 
of the DefaultOAuthProvider implementation.

I can not make an argument AGAINST this functionality, as providers in the 
future may do other dorking with the endpointUrls like google does now, 
and this change would in no way break spec-correct oauth authorization.

If I have missed something here, please tell me. Currently, my solution is 
to subclass DefaultOAuthProvider, but I feel like this functionality 
should be default.

Thanks,
-Stefan

What steps will reproduce the problem?

1. Try signing an HttpUrlConnection object without setting token and token-
secret parameters (that would be the case for 2 legged scenario)
2. Check the signature base string
3. Check the generated OAuth signature

What is the expected output? What do you see instead?

Signature base string should include "auth_token=&" as per section 9.1.1. 
of the OAuth specs. However, the auth_token is completely ignored due to 
being empty (which will always be true for 2-legged scenario) and is 
missing from the signature base string. 
The oAuth signature generated as a result is wrong. As a verification, it 
doesn't match the signature generated by the reliable online resource - 
http://www.hueniverse.com/hueniverse/2008/10/beginners-gui-1.html

What version of the product are you using? On what operating system?
Latest as of yesterday (July 14, 2009)

Please provide any additional information below.

hello,

currently HttpURLConnectionRequestAdapter.setRequestUrl[1] did nothing, but 
how about throw a RuntimeException?


[1] http://github.com/kaeppler/signpost/blob/master/signpost-
core/src/main/java/oauth/signpost/basic/HttpURLConnectionRequestAdapter.java
#L29

What steps will reproduce the problem?
1.  Use signpost to integrate with Vimeo's API
2.  Attempt to retrieve the initial request token / auth URL

What is the expected output? What do you see instead?

 The error message from Vimeo says "401 Unauthorized - Invalid signature - The 
oauth_signature passed was not valid"

What version of the product are you using? On what operating system?

We're building signpost from the 1.2.SNAPSHOT branch on github 
(kaeppler-signpost-cfca5b4).
We're using signpost-core only, with the default provider and consumer.
We're building it with eclipse, and running it in Java 1.6, on Mac OS X

Please provide any additional information below.

Vimeo has pretty decent docs, although they seem somewhat oriented towards PHP 
users
  - http://vimeo.com/api/docs/advanced-api
  - http://vimeo.com/api/docs/authentication
  - http://vimeo.com/api/docs/oauth

We tried the new API for setSendEmptyTokens(boolean) with both true and false, 
both resulted 
in the same 401 error.

Also, just wanted to note that we've used identical code with signpost to 
successfully integrate 
with both Twitter and Google/YouTube  (Thanks very much for a great library!).  
So something 
different is going on with Vimeo....

What steps will reproduce the problem?
1.trying to authorize with yahoo apis it replies with the service provider 
failed: 
https://api.login.yahoo.com/oauth/v2/get_request_token&oauth_consumer_key=dj0
yJmk9Rmt6SWVnMlFzTTZuJmQ9WVdrOU4yVlhjbmxoTm5NbWNHbzlOalV6TnpRME5qSS0mcz1jb25z
dW1lcnNlY3JldCZ4PTEz&oauth_signature=883723e79b1dd7affe3ea0389c3a391634fab160
?oauth_callback=oob

When using signpost-1.1 with commons-codec-1.4.jar against a server that
requires OAuth 1.0a (linkedin), all requests (i.e. simply getting a request
token) fail with 401 authorization errors:

oauth_problem="signature_invalid"

It works absolutely fine with commons-codec-1.3.jar.  Something is wrong
only when using 1.4.

Signpost needs to be updated to reflect the changes imposed by OAuth Core
1.0a. The library must remain backwards compatible with 1.0 service providers.

Draft 3 of OAuth Core 1.0a spec:
http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/3/

Seth Fitzsimmons was already so kind to contribute a patch which adds 1.0a
support:
http://github.com/mojodna/oauth-signpost/commit/0bc5a7bafc3c4829907d9c8033848bcc
e509a7af

What remains to do:

1) Patch trunk with Seth's changesets (or maybe open a branch for 1.0a?)
2) Write tests for 1.0a changes
3) Write tests that check whether Signpost works with both 1.0 and 1.0a
providers

What steps will reproduce the problem?
1. Run the attached file (this is a modified version of OAuthFireEagle
example but the urls modified to point to NetFlix which is a OAuth 1.0
compliant service provider). 
2. If you run the attached version using June version found in
OAuthFireEagle example
(http://oauth-signpost.googlecode.com/files/OAuthFireEagleExample.zip ),
there is no issue but if you use 1.2 version you will get a 401 error. 

I noticed this behavior in Android first where the result is pretty bad
(you get Received authentication challenge is null).

In the attached Java file, you have to replace consumer key and consumer
shared key with valid entries from NetFlix.


What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

Signpost should support gzip encoding by default (for more effective use of 
slow (cell) networks).

I Can't force url rewrite instead of HTTP Authorization.

According to the oAuth spec, anyone of the three methods for requesting
tokens can be followed.

Our servers support only URL Re-write but I can't seem to find a way of
enforcing this. 

I digged in the code in HTTPURLConnectionRequestAdapter.java

    public void setHeader(String name, String value) {
        connection.setRequestProperty(name, value);
    }

All this does is set the HTTP Authorization request property.

Is this a bug or the feature is not yet implemented?

What steps will reproduce the problem?
1.
I create a provider:
 OAuthProvider provider = new DefaultOAuthProvider(consumer,
                REQUEST_TOKEN_ENDPOINT_URL, ACCESS_TOKEN_ENDPOINT_URL,
                AUTHORIZE_WEBSITE_URL);
where AUTHORIZE_WEBSITE_URL is:
"http://myaccount-nightly.us2.global.ad/userservices-myaccount/myaccount/confirm
_access?us_oauth_method=onestep
that is, it contains an extra parameter

2.
I get a request token
String authorizeRequestTokenUrl = provider.retrieveRequestToken(CALLBACK_URL);

The returned URL is
http://myaccount-nightly.us2.global.ad/userservices-myaccount/myaccount/confirm_
access?us_oauth_method=onestep?oauth_token=51895058-4178-4a89-9ead-6cd969691e47&
oauth_callback=http%3A%2F%2Fmy.domain.com

and it is incorrect, it contains two '?' because
DefaultOAuthProvider.retrieveRequestToken does not check the existence of
'?' in the URL.
3.

What is the expected output? What do you see instead?
DefaultOAuthProvider.retrieveRequestToken should check the existence of
parameters in the URL and if there is one then it should append '&' instead
of '?' as a starter for oauth parameters. 

The OAuth spec 1.0, chapter 6.2.1 states that additional parameters are
accepted so Signpost should support those.


What version of the product are you using? On what operating system?
1.0-SNAPSHOT on Mac OSX


Please provide any additional information below.

Currently one must sign every request before sending.  With HttpClient,
there is built-in support for adding new auth methods that should work with
OAuth.  It shouldn't be difficult to create a wrapper for
CommonsHttpOAuthConsumer to implement org.apache.http.auth.AuthScheme.  

Looking at existing AuthScheme implementations should help:
http://hc.apache.org/httpcomponents-client/httpclient/xref/org/apache/http/impl/
auth/

You need to implement AuthSchemeFactory but it doesn't do much more than
create AuthScheme instances.  Then use a Credentials instance (you might
need to create your own subclass) to hold the consumer key/secret and Auth
Token/ secret token.  

The processChallenge method of AuthScheme is only used to extract the
'realm' of a WWW-Authenticate header I think.

Wasn't able to find Javadocs for the library. Am I missing it or its not
available? 

What steps will reproduce the problem?
Call retrieveAccessToken() on an OAuth provider, which expects POST.
(The one I'm testing with is not yet publicly available)

What is the expected output? What do you see instead?
Expected output is the access token, instead I receive an HTTP 405 (Method
Not Allowed)

What version of the product are you using? On what operating system?
1.2, both on Windows and in GAE

Please provide any additional information below.
If you want to test with the service provider, please approach developers
at twelvesprints dot com.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?
Latest version of oauth-signpost

Please provide any additional information below.
I am trying to authenticate against a web service using Oauth and all works
well until I request and access token. I get a 401 not authorized when I
try getting an access_token. I am guessing its because the site expects
www-authenicate realm attribute. Is there any way in which I can append it
to the request before its sent. 

What steps will reproduce the problem?
1. If you use the FireEagle example, but instead of not having a callback, 
you do have a callback in the line authUrl = provider.retrieveRequestToken
(Callback);

What is the expected output? What do you see instead?
Signpost throws an error when trying to do this:
10-20 09:53:11.736: WARN/System.err(809): Caused by: java.io.IOException: 
Received authentication challenge is null

This is the same as issue 20.

What version of the product are you using? On what operating system?
I am using the source files for the August 2009 release. I am using it on 
Android 1.6.

Please provide any additional information below.
The call appears to work properly when there is no callback. Ignoring the 
exception results in nulls for everything coming back.

When signing a POST request for e.g. 
"http://api.soundcloud.com/tracks/3130960/comments?
comment%5Bbody%5D=This+is+a+test+comment", signpost doesn't seem to correctly 
construct 
the signature base string.  This is the debug output:

[SIGNPOST] SBS: 
POST&http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F3130960%2Fcomments&comment%25255
Bbody%25255D%3D%26oauth_consumer_key%3DHXPgy7JJG5DLCMkyqBvksA%26oauth_nonce%3D
5646301471762814286%26oauth_signature_method%3DHMAC-
SHA1%26oauth_timestamp%3D1274917474%26oauth_token%3DZB4G8jA8Tsol2j7ge2yjIA%26oau
t
h_version%3D1.0
[SIGNPOST] signature: z82Wn/C7amPx8zC9jLgbyamyj7g=
[SIGNPOST] Auth header: OAuth oauth_token="ZB4G8jA8Tsol2j7ge2yjIA", 
oauth_consumer_key="HXPgy7JJG5DLCMkyqBvksA", oauth_version="1.0", 
oauth_signature_method="HMAC-SHA1", oauth_timestamp="1274917474", 
oauth_nonce="5646301471762814286", 
oauth_signature="z82Wn%2FC7amPx8zC9jLgbyamyj7g%3D"
[SIGNPOST] Request URL: http://api.soundcloud.com/tracks/3130960/comments?
comment%5Bbody%5D=This+is+a+test+comment

I'm not sure what the SBS should be, although according to 
http://googlecodesamples.com/oauth_playground/, the SBS should begin with:

POST&http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F3130960%2Fcomments&comment%25255
Bbody%25255D%3DThis%252Bis%252Ba%252Btest%252Bcomment%26oauth_consumer_key...

It's possible that this bug affects other (non-GET?) request types.

What steps will reproduce the problem?

OAuthProvider twitterProvider = new
DefaultOAuthProvider("http://twitter.com/oauth/request_token",
                "http://twitter.com/oauth/access_token",
"http://twitter.com/oauth/authorize");

OAuthConsumer twitterConsumer = new
DefaultOAuthConsumer("VFqtJrYSGatXtpACsHkcw","3RbwpCa2wkcvFj0J4xk0RXyDZSlSJGzdfI
g66ZLHmt8");

OAuthConsumer consumer = twitterConsumer;
OAuthProvider provider = twitterProvider;

String authUrl = provider.retrieveRequestToken(consumer,
"http://www.stefankendall.com:8080/test.jsp");

What is the expected output? What do you see instead?
The URL provided should properly encode the callback URL so that twitter
can redirect to the appropriate callback site. With 1.2.1-SNAPSHOT, the URL
appears to get encoded, and Twitter does not redirect, rather stating that
the given URL destination does not exist. 

What version of the product are you using? On what operating system?
1.2.1-SNAPSHOT. This works on 1.2, but fails on 1.2.1-SNAPSHOT. 

What steps will reproduce the problem?
Googel OAuth
1. getRequestToken 
2. Authorize 
3. User selects Deny (cancel)
4. Callback is called (requestToken seems to be authorized)
5. getAccessToken generates OAuthExpectationFailedException 

What is the expected output? What do you see instead?

If user selects "deny" during authorization, Google seems to consider the 
requestToken to be authorized with no indication of user "denied". When 
trying the exchange the requestToken to accessToken Google responds with 
400 Bad Request (The request token is invalid). 

I think 400 should be represented as a specific exception e.g 
OAuthInvalidRequestTokenException or if this is common practice between 
all/most providers OAuthAuthorizationDeniedException

What version of the product are you using? On what operating system?
signpost-core-1.2

Please provide any additional information below.

Signpost should be decoupled from concrete HTTP implementations so that it
becomes useful for environments that do not use the Apache HttpComponents.

Tasks:
1) Introduce interface abstractions for message signing (i.e. HttpRequest)
2) Provide implementations via adapter classes (e.g. for Apache, Jetty, etc.)
3) Distribute library in implementation specific JARs (e.g. signpost-jetty.jar)

Please discuss.

What steps will reproduce the problem?
1. Attached is the twitter example showing the problem

I am not sure if this is a Jaiku issue or signpost but I get the following
exception:

Exception in thread "main"
oauth.signpost.exception.OAuthCommunicationException: Communication with
the service provider failed: URLDecoder: Illegal hex characters in escape
(%) pattern - For input string: " a"

I will continue to investigate and update accordingly.

When creating a request token, the oauth_callback param is a query
parameter, whereas all other oauth_* parameters are inside the
Authorization header.

Service Provider, the timestamp is expressed in the number of seconds since 
January 1, 1970 
00:00:00 GMT

The current implementation uses milliseconds:

DefaultOAuthConsumer.java:97
map.put(OAuth.OAUTH_TIMESTAMP, Long.toString(System.currentTimeMillis()));

Google's OAuth implementation checks the timestamp and issues a "timestamp is 
too far from 
current time" error if milliseconds are used.

Dividing by 1000 fixes the problem (and lets me access the Google Portable 
Contacts API using 
OAuth)

What steps will reproduce the problem?
Not sure, really... I followed the tutorial on signing in to Google, and
got this stacktrace.

What is the expected output? What do you see instead?
I'm getting an Unexpected response, I can see that from the stacktrace, but
the error I end up with on the lowest level is a FileNotFoundException. I'm
not really sure what I should do with that:

E/Floating Image(22174): Picasa: Error signing in!
E/Floating Image(22174):
oauth.signpost.exception.OAuthCommunicationException: Communication with
the service provider failed:
https://www.google.com/accounts/OAuthGetRequestToken?scope=http%3A%2F%2Fpicasawe
b.google.com%2Fdata
E/Floating Image(22174):    at
oauth.signpost.AbstractOAuthProvider.retrieveToken(AbstractOAuthProvider.java:21
4)
E/Floating Image(22174):    at
oauth.signpost.AbstractOAuthProvider.retrieveRequestToken(AbstractOAuthProvider.
java:69)
E/Floating Image(22174):    at
dk.nindroid.rss.parser.picasa.PicasaFeeder.signIn(PicasaFeeder.java:46)
E/Floating Image(22174):    at
dk.nindroid.rss.settings.PicasaBrowser.onListItemClick(PicasaBrowser.java:95)
E/Floating Image(22174):    at
android.app.ListActivity$2.onItemClick(ListActivity.java:312)
E/Floating Image(22174):    at
android.widget.AdapterView.performItemClick(AdapterView.java:284)
E/Floating Image(22174):    at
android.widget.ListView.performItemClick(ListView.java:3287)
E/Floating Image(22174):    at
android.widget.AbsListView$PerformClick.run(AbsListView.java:1645)
E/Floating Image(22174):    at
android.os.Handler.handleCallback(Handler.java:587)
E/Floating Image(22174):    at
android.os.Handler.dispatchMessage(Handler.java:92)
E/Floating Image(22174):    at android.os.Looper.loop(Looper.java:123)
E/Floating Image(22174):    at
android.app.ActivityThread.main(ActivityThread.java:4320)
E/Floating Image(22174):    at java.lang.reflect.Method.invokeNative(Native
Method)
E/Floating Image(22174):    at java.lang.reflect.Method.invoke(Method.java:521)
E/Floating Image(22174):    at
com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:791)
E/Floating Image(22174):    at
com.android.internal.os.ZygoteInit.main(ZygoteInit.java:549)
E/Floating Image(22174):    at dalvik.system.NativeStart.main(Native Method)
E/Floating Image(22174): Caused by: java.io.FileNotFoundException:
https://www.google.com/accounts/OAuthGetRequestToken?scope=http%3A%2F%2Fpicasawe
b.google.com%2Fdata
E/Floating Image(22174):    at
org.apache.harmony.luni.internal.net.www.protocol.http.HttpURLConnection.getInpu
tStream(HttpURLConnection.java:1061)
E/Floating Image(22174):    at
org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnection.getIn
putStream(HttpsURLConnection.java:252)
E/Floating Image(22174):    at
oauth.signpost.basic.HttpURLConnectionResponseAdapter.getContent(HttpURLConnecti
onResponseAdapter.java:18)
E/Floating Image(22174):    at
oauth.signpost.AbstractOAuthProvider.handleUnexpectedResponse(AbstractOAuthProvi
der.java:228)
E/Floating Image(22174):    at
oauth.signpost.AbstractOAuthProvider.retrieveToken(AbstractOAuthProvider.java:18
9)
E/Floating Image(22174):    ... 16 more


What version of the product are you using? On what operating system?
Using signpost-core-1.2.1.1. Also added the commons-codec-1.3 for good
measure, but that didn't do much (not sure what it's for, really).

Please provide any additional information below.
This is the code I run:
OAuthConsumer consumer = new DefaultOAuthConsumer(KEY, SECRET);
        OAuthProvider provider = new DefaultOAuthProvider(
"https://www.google.com/accounts/OAuthGetRequestToken?scope=" +
URLEncoder.encode("http://picasaweb.google.com/data", "utf-8"), 
                                                            "https://www.google.com/accounts/OAuthGetAccessToken", 

"https://www.google.com/accounts/OAuthAuthorizeToken?hd=default");

        String authURL = provider.retrieveRequestToken(consumer, OAuth.OUT_OF_BAND);