Vimeo - 401 Error (Bad Signature) on retrieveRequestToken (using 1.2.SNAPSHOT) about oauth-signpost HOT 9 CLOSED

Hi,

please post code I can use to reproduce this problem. I can't (and won't) read 
through 
the docs of every OAuth provider out there to look for peculiarities. 
Executable code 
that let's me reproduce the problem will help me fix this issue more quickly.

Meanwhile, please try the latest snapshot build I attached and check if it 
fixes your 
problem. There have been a quite many changes to the underlying code base 
lately.

Just tested with the latest Snapshot, and I don't get a 401.

Any chance that you're passing a callback URL but your application is not 
registered 
to be able to receive callbacks? Some OAuth providers send a 401 if you're 
trying to 
get a callback but your app is not set to be a web app.

Try calling provider.retrieveRequestToken with a callback value of 
OAuth.OUT_OF_BAND. 
If that gets rid of the 401 and you're running a Web app, please go to your app 
settings on vimeo.com and configure it to allow callbacks.

Hi Matthias-

Thanks very much for trying that out!  That was the one thing I didn't think to 
try, since as far as I can tell there 
is no way to change the app settings on Vimeo to allow callbacks, so I assumed 
it must allow them.

I will now post an issue to vimeo, since it's very inconvenient for the 
development process to not be able to use 
custom callbacks (specific to the developer's local machine..)

Although it's less important now, I did write up sample code to attach here, 
but you beat me to it :-)  I'll include 
it anyhow, it might be useful to you or someone else in the future.

Thanks again, 
  -Dave Fogel

Thanks. Yes, it occurred to me since Twitter does the same thing, and it looks 
as if 
Vimeo in fact uses the same OAuth implementation (judging by the URLs, I 
believe 
they're both Rails apps and use the Ruby OAuth gem).

As to the settings. It should work if you simply enter your callback URL during 
app 
registration:

"Application Callback URL -- This is the URL we'll send a user back to when 
authenticating. Leave this blank if your application is a desktop application."

Did you fill that out with your callback URL? If you didn't and then try to 
receive 
tokens over a callback, you will see that dratted 401.

Actually, we had already filled in a callback in the vimeo application 
settings.  It's just that we were 
requesting that same callback with the retrieveRequestToken call as well.  So 
Vimeo seems to be actively 
forbidding custom callback URLs, and returning a (very misleading "Bad 
Signature" 401 response when 
anything besides "oob" is passed as the callback.

Incidentally, we're passing a similar custom callback to Twitter, and they seem 
fine with it.  Maybe they're 
using a different version of the ruby library or something?

Altogether, we're finding it somewhat dismaying the extent to which different 
service providers seem to 
implement the oauth standard in different ways- it must drive you crazy!

(Also, we're about to try to integrate with Flickr, which seems to require an 
auth process almost exactly like 
OAuth, but not actually the same.  You'd think they'd change over to actually 
use the standard which they 
helped create!  Have you thought about adding a flickr mode to the signpost 
project?  I'm guessing you 
probably want to stick with straight oauth... :-)

Thanks again,
  -Dave Fogel

Haha, tell me about it! I really can be frustrating, but it's probably the spec 
which is to blame. In fact, there is 
currently an an IETF proposal (the "Hammer-draft") which aims to rewrite the 
OAuth standard using wording 
which is actually comprehensible by human beings. That should help in having a 
clear and solid basis for future 
implementations.

As to Flickr, no, I don't have any plans to do this. I'm actually surprised 
they haven't migrated to OAuth yet. After 
all, it was largely Flickr's auth standard which influenced the design behind 
OAuth.

I consider this fixed. Feel free to reopen if you still have problems.

Just a suggestion before running the attached example --- 

Modify the Static VIMEO URL values from 

private static final String VIMEO_REQUEST_TOKEN_URL = 
"http://www.vimeo.com/oauth/request_token";
private static final String VIMEO_ACCESS_TOKEN_URL = 
"http://www.vimeo.com/oauth/access_token";
private static final String VIMEO_AUTHORIZATION_URL = 
"http://www.vimeo.com/oauth/authorize?permission=read";

to

private static final String VIMEO_REQUEST_TOKEN_URL = 
"http://vimeo.com/oauth/request_token";
private static final String VIMEO_ACCESS_TOKEN_URL = 
"http://vimeo.com/oauth/access_token";
private static final String VIMEO_AUTHORIZATION_URL = 
"http://vimeo.com/oauth/authorize?permission=read";

For me using

String authUrl = provider.retrieveRequestToken(consumer,OAuth.OUT_OF_BAND);

is sending exception

Exception in thread "main" 
oauth.signpost.exception.OAuthNotAuthorizedException: Authorization failed 
(server replied with a 401). This can happen if the consumer key was not 
correct or the signatures did not match.
        at oauth.signpost.basic.DefaultOAuthProvider.retrieveToken(DefaultOAuthProvider.java:74)
        at oauth.signpost.AbstractOAuthProvider.retrieveRequestToken(AbstractOAuthProvider.java:66)