
Getting request token

Hi,

I need to confirm something. I'm using a PHP library (http://code.google.com/p/oauth-php/wiki/ConsumerHowTo) to do OAuth. When asking for the request token (https://api.login.yahoo.com/oauth/v2/get_request_token) the library sends the parameters (consumer secret, oauth version etc.) in the header. The documentation (http://developer.yahoo.com/oauth/guide/oauth-auth-flow.html) says that the supported methods are GET and POST. Does this mean that we're allowed to only send the parameters as GET or POST? Is it OK to not send anything via GET/POST and instead keep it in the header? What I'm told is that, as per the OAuth specs, the header is the first place that should be checked for the parameters. (http://oauth.net/core/1.0/#rfc.section.5)

Thanks in advance.

16 Replies
  • QUOTE (Anirudh S @ Feb 25 2009, 12:49 AM)
    Does this mean that we're allowed to only send the parameters as GET or POST? Is it ok to not send anything via GET/POST and instead keep it in the header? What I'm told is that as per the OAuth specs, the header is the first place that should be checked for the parameters. ( http://oauth.net/core/1.0/#rfc.section.5 )

    Thanks in advance.


    I sent a request with this header:
    CODE
    Authorization: oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_signature="some signature", oauth_nonce="some nonce", oauth_timestamp="1235553049", oauth_token="", oauth_consumer_key="some consumer key", oauth_version="1.0"


    There was no query sent - POST or GET. The result that was returned is -
    CODE
    HTTP/1.1 401 Authorization Required
    Date: Wed, 25 Feb 2009 09:12:13 GMT
    P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
    WWW-Authenticate: OAuth oauth_problem=parameter_absent&oauth_parameters_absent=oauth_consumer_key,oauth_signature_method,oauth_sign
    ature,oauth_timestamp,oauth_nonce
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: application/x-www-form-urlencoded

    oauth_problem=parameter_absent&oauth_parameters_absent=oauth_consumer_key,oauth_signature_method,oauth_sign
    ature,oauth_timestamp,oauth_nonce


    Can anyone give a hint - what could the problem be?
  • You're missing the "OAuth" part of the Authorization header. Your header should look like this:

    Authorization: OAuth name1="value1", name2="value2", ...

    Try adding the "OAuth" part above.
  • QUOTE (Ryan Kennedy @ Feb 25 2009, 10:43 AM)

    For more details, see the OAuth spec section regarding passing OAuth credentials in the Authorization header (http://oauth.net/core/1.0/#auth_header).
  • QUOTE (Ryan Kennedy @ Feb 25 2009, 10:44 AM)
    For more details, see the OAuth spec section regarding passing OAuth credentials in the Authorization header (http://oauth.net/core/1.0/#auth_header).

    Thanks. I'll check it out. Right now I get an "invalid realm" error. Let me take a look.
  • Hi,

    I had removed the OAuth part of the Authorization header accidentally. I was getting 'Invalid realm specified in the Authorization header' errors, which prompted me to change the code and caused the accident earlier.

    Now I made some minor modifications and set the header as
    CODE
    Authorization: OAuth oauth_signature_method="HMAC-SHA1", oauth_signature="some sign", oauth_nonce="49a60659368de", oauth_timestamp="1235617369", oauth_token="", oauth_consumer_key="some consumer key", oauth_version="1.0"


    No query is sent as GET or POST.
    The response I get is:
    CODE
    HTTP/1.1 401 Authorization Required
    Date: Thu, 26 Feb 2009 03:03:25 GMT
    P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
    WWW-Authenticate: OAuth oauth_problem=parameter_absent&oauth_parameters_absent=oauth_consumer_key,oauth_signature_method,oauth_sign
    ature,oauth_timestamp,oauth_nonce
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: application/x-www-form-urlencoded

    oauth_problem=parameter_absent&oauth_parameters_absent=oauth_consumer_key,oauth_signature_method,oauth_sign
    ature,oauth_timestamp,oauth_nonce


    I checked out the specification link you had given and the format there is:
    CODE
     Authorization: OAuth realm="http://sp.example.com/",
    oauth_consumer_key="0685bd9184jfhq22",
    oauth_token="ad180jjd733klru7",
    oauth_signature_method="HMAC-SHA1",
    oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
    oauth_timestamp="137131200",
    oauth_nonce="4572616e48616d6d65724c61686176",
    oauth_version="1.0"

    The token is empty at this stage (get request token). I do not provide a realm either. But the error message says something else entirely. What went wrong then?
  • QUOTE (Anirudh S @ Feb 25 2009, 07:15 PM)
    Now I made some minor modifications and set the header as
    CODE
    Authorization: OAuth oauth_signature_method="HMAC-SHA1", oauth_signature="some sign", oauth_nonce="49a60659368de", oauth_timestamp="1235617369", oauth_token="", oauth_consumer_key="some consumer key", oauth_version="1.0"


    Are you positive that your client is sending the header to the server?
  • Hi,

    I changed the URL from https:// to http://api.login.yahoo.com/oauth/v2/get_request_token so I could check with Wireshark. The header seems to be set. This is what I got from Wireshark:
    CODE
    [truncated] Authorization: OAuth oauth_signature_method="HMAC-SHA1", oauth_signature="zpqDuFA%2BHFvUV%2BYebMhbcJ%2BUr1o%3D", oauth_nonce="49a627f6b0b79", oauth_timestamp="1235625974", oauth_token="", oauth_consumer_key="consumer key


    This should be good enough to confirm, right?
  • You will need to include the request token key in your Authorization header to get_token.

    If you don't have a request or access token key, 'oauth_token' shouldn't be included in the header, even if blank.
  • QUOTE (basictheory @ Feb 25 2009, 09:49 PM)
    You will need to include the request token key in your Authorization header to get_token.

    If you don't have a request or access token key, 'oauth_token' shouldn't be included in the header, even if blank.

    I tried this:
    CODE
    Authorization: OAuth oauth_signature_method="HMAC-SHA1", oauth_signature="68nmYsTfT%2Fqzw%2BFyvO4jTb2ZNus%3D", oauth_nonce="49a6322fa5f72", oauth_timestamp="1235628591", oauth_consumer_key="key", oauth_version="1.0"

    and got this
    CODE
    HTTP/1.1 401 Authorization Required
    Date: Thu, 26 Feb 2009 06:11:33 GMT
    P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
    WWW-Authenticate: OAuth oauth_problem=parameter_absent&oauth_parameters_absent=oauth_consumer_key,oauth_signature_method,oauth_sign
    ature,oauth_timestamp,oauth_nonce
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: application/x-www-form-urlencoded

    oauth_problem=parameter_absent&oauth_parameters_absent=oauth_consumer_key,oauth_signature_method,oauth_sign
    ature,oauth_timestamp,oauth_nonce
  • Hello,

    I am one of the maintainers of the OAuth-PHP library.
    Anirudh also consulted us about the problems he encountered when authenticating against Yahoo! using OAuth.

    I am a bit confused about the discussion till now. What I would like is some definitive answers regarding the request_token handling by Yahoo!.

    Questions:
    1. Does Yahoo! find request_token requests with a realm parameter in the Authentication request invalid?
    2. Does Yahoo! find request_token requests with an empty oauth_token parameter invalid?
    3. Are there any more peculiarities with Yahoo! implementation of OAuth?

    Ad 1.

    http://tools.ietf.org/html/rfc2617#section-1.2 suggests that "The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge.", so I did expect a realm directive in the 401 response.

    Ad 2.

    We didn't discover any other libraries that find the presence of an empty oauth_token in the request uri a problem. On the contrary, I remember we encountered libraries that do find the omission of the parameter (with the request_token request) a problem.

    - Marc
  • @marcwok

    Question #1) Yes, if the realm is sent and is empty it is considered invalid (i.e. realm=""). The solution is to not specify realm at all or to specify realm="yahooapis.com".
    Question #2) No (AFAIK)
    Question #3) Some APIs only work with uri parameters, while most accept headers. We also do not support signature_method = rsa

    QUOTE (marcwok @ Feb 26 2009, 01:35 AM)
  • 1) As of today, the request_token API requires the realm to be "yahoo.com" or absent. We will be updating the request_token API to IGNORE any value later this month.

    2) Why would a Consumer want to pass an oauth_token value to the request_token API?

    3) OAuth is very new, we'd be happy to hear from developers who report any peculiarities with our service. Our goal is to make it as easy as possible for developers to use our service.


    QUOTE (marcwok @ Feb 26 2009, 01:35 AM)
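To make the replies above concrete, here is an added example (Python, chosen because the point is the OAuth wire format rather than PHP; this is not Yahoo's code and not the oauth-php library's) of the server-side parse-and-check a request_token endpoint performs on the Authorization header, following OAuth Core 1.0 section 5.4.1 and the realm rules stated in the two Yahoo replies. The two header values are copied from Anirudh's posts; the default accepted realm, the `with_realm` helper and the use of the Problem Reporting extension's `parameter_rejected` code for a bad realm are assumptions, not documented Yahoo behaviour.

```python
import re
from urllib.parse import unquote

# The five names Yahoo's 401 body lists as absent in this thread. oauth_version is
# optional in OAuth Core 1.0 (section 6.1.1), so it is deliberately not required.
REQUIRED = ("oauth_consumer_key", "oauth_signature_method", "oauth_signature",
            "oauth_timestamp", "oauth_nonce")
# Per the Yahoo reply above there is no RSA support; PLAINTEXT is what Yahoo's own
# example URL in the thread uses.
SUPPORTED_METHODS = {"HMAC-SHA1", "PLAINTEXT"}
_PAIR_RE = re.compile(r'([A-Za-z0-9_]+)="([^"]*)"')


def parse_oauth_header(header_value):
    """Split an Authorization header value into its OAuth parameters (section 5.4.1).
    Returns None when the scheme word is not 'OAuth': a server then treats the header
    as some other scheme and sees no oauth_* parameters at all, which is why the
    thread's first header (starting with oauth_version=) drew a parameter_absent
    reply naming every required parameter."""
    words = header_value.split(None, 1)
    if not words or words[0].lower() != "oauth":
        return None
    pairs = _PAIR_RE.findall(words[1] if len(words) > 1 else "")
    # realm is not percent-encoded, but unquote() is harmless on a plain hostname.
    return {unquote(k): unquote(v) for k, v in pairs}


def check_request_token_header(header_value, allowed_realms=("yahooapis.com",)):
    """Validate the header of a get_request_token call. Returns None when it is
    acceptable, otherwise a problem string in the oauth_problem=... shape seen in
    the 401 bodies above (names comma-separated as Yahoo sent them; the OAuth
    Problem Reporting extension itself specifies '&'-separated, percent-encoded
    names). Realm policy follows the replies above: absent is fine, empty is
    rejected; the accepted value is configurable because the thread gives both
    'yahooapis.com' and 'yahoo.com', so the default here is an assumption."""
    params = parse_oauth_header(header_value) or {}
    absent = [name for name in REQUIRED if not params.get(name)]   # empty counts as absent
    if absent:
        return "oauth_problem=parameter_absent&oauth_parameters_absent=" + ",".join(absent)
    realm = params.get("realm")
    if realm is not None and realm not in allowed_realms:           # realm="" lands here
        return "oauth_problem=parameter_rejected&oauth_parameters_rejected=realm"
    if params["oauth_signature_method"] not in SUPPORTED_METHODS:
        return "oauth_problem=signature_method_rejected"
    if not params["oauth_timestamp"].isdigit():
        return "oauth_problem=timestamp_refused"
    return None   # syntactically complete; signature, nonce and timestamp window come next


# Header values copied from the posts above. FIRST_TRY is the one without the scheme
# word (its signature and nonce are the poster's placeholders); LATER_TRY is the
# corrected form that still drew a parameter_absent reply from Yahoo.
FIRST_TRY = ('oauth_version="1.0", oauth_signature_method="HMAC-SHA1", '
             'oauth_signature="some signature", oauth_nonce="some nonce", '
             'oauth_timestamp="1235553049", oauth_token="", '
             'oauth_consumer_key="some consumer key", oauth_version="1.0"')
LATER_TRY = ('OAuth oauth_signature_method="HMAC-SHA1", '
             'oauth_signature="68nmYsTfT%2Fqzw%2BFyvO4jTb2ZNus%3D", '
             'oauth_nonce="49a6322fa5f72", oauth_timestamp="1235628591", '
             'oauth_consumer_key="key", oauth_version="1.0"')


def with_realm(header_value, realm):
    """Insert a realm attribute right after the scheme word, as section 5.4.1 shows."""
    scheme, rest = header_value.split(None, 1)
    return f'{scheme} realm="{realm}", {rest}'


if __name__ == "__main__":
    for label, h in [("first try", FIRST_TRY), ("later try", LATER_TRY),
                     ("empty realm", with_realm(LATER_TRY, "")),
                     ("yahooapis realm", with_realm(LATER_TRY, "yahooapis.com"))]:
        print(f"{label}: {check_request_token_header(h) or 'ok'}")
```

Run against the thread's own headers, the first one (no scheme word) reproduces Yahoo's reply word for word, while the later one passes this syntactic stage. That is as far as the posts let a checker go: the later header is complete, so whatever Yahoo rejected in it is not visible in the header text alone.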
  • QUOTE (Anirudh S @ Feb 25 2009, 10:13 PM)

    Hi Anirudh, did you find a short-term hack around this problem? I have been chasing it around for a day; I have tried the suggested hacks below but to no success. I find the library works fine with Google (Blogger, YouTube) OAuth services.
  • Hi Marc

    Is there a short term hack we can implement to make the library work while we await the yahoo SP implementation changes of OAuth?


    Cheers


    James
  • I was not able to get request and access tokens when passing OAuth parameters in Authorization header.

    But it works fine when passing the OAuth parameters as URL parameters (ordinary key-value pairs) without specifying an Authorization header. Just as in the Yahoo examples, use the following URL:

    https://api.login.yahoo.com/oauth/v2/
    get_request_token?oauth_nonce=ce2130523f788f313f76314ed3965ea6
    &oauth_timestamp=1202956957
    &oauth_consumer_key=123456891011121314151617181920
    &oauth_signature_method=plaintext
    &oauth_signature=abcdef
    &oauth_version=1.0
    &xoauth_lang_pref="en-us"

    You are also missing the header property realm="yahooapis.com":

    Authorization: OAuth
    realm="yahooapis.com",
    oauth_consumer_key="blah",
    other_oauth_properties
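The client side of the same exchange, as an added example (Python; not code from the thread and not the oauth-php library's own implementation): it signs the get_request_token call with HMAC-SHA1 as OAuth Core 1.0 section 9 prescribes and then renders the one signed parameter set either as the `Authorization: OAuth ...` header that Ryan's reply and the spec excerpt describe, or as the URL query form this post reports working against Yahoo. The consumer key and secret are hypothetical; the nonce and timestamp are reused from the header Anirudh posted so the output is reproducible; the known-answer values in `appendix_a_signature` are the ones published in OAuth Core 1.0 Appendix A.

```python
import base64
import hashlib
import hmac
import os
import time
from urllib.parse import quote, urlsplit


def oauth_escape(value):
    """Percent-encode per OAuth Core 1.0 section 5.1: only the RFC 3986 unreserved
    characters (ALPHA, DIGIT, '-', '.', '_', '~') stay literal, hex digits upper-case."""
    return quote(str(value), safe="-._~")


def normalize_url(url):
    """Section 9.1.2: lower-case scheme and host, drop default ports and the query."""
    p = urlsplit(url)
    host = p.hostname.lower()
    default = {"http": 80, "https": 443}.get(p.scheme.lower())
    if p.port is not None and p.port != default:
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"


def signature_base_string(method, url, params):
    """Section 9.1.3: METHOD&escape(url)&escape(sorted normalized parameters).
    `params` carries the oauth_* values plus any query/body parameters; realm and
    oauth_signature must not be in it (section 9.1.1 excludes both)."""
    pairs = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_escape(normalize_url(url)), oauth_escape(normalized)])


def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    """Section 9.2: key is escape(consumer_secret) '&' escape(token_secret).
    On get_request_token there is no token secret yet, so the key ends in '&'."""
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def signed_oauth_params(method, url, consumer_key, consumer_secret, token=None,
                        token_secret="", extra=None, nonce=None, timestamp=None):
    """Build the oauth_* parameter set and sign it; the dict's last entry is oauth_signature."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or os.urandom(16).hex(),
        "oauth_version": "1.0",
    }
    # Leave oauth_token out entirely (not oauth_token="") while no token exists,
    # i.e. on get_request_token, which is what basictheory advised above.
    if token:
        params["oauth_token"] = token
    base = signature_base_string(method, url, {**(extra or {}), **params})
    params["oauth_signature"] = sign_hmac_sha1(base, consumer_secret, token_secret)
    return params


def authorization_header(params, realm=None):
    """Section 5.4.1: the scheme word 'OAuth' (the part missing from the first header
    in this thread) followed by name="value" pairs. realm is a plain RFC 2617
    attribute: quoted, not percent-encoded, and never part of the signature."""
    parts = [] if realm is None else [f'realm="{realm}"']
    parts += [f'{oauth_escape(k)}="{oauth_escape(v)}"' for k, v in params.items()]
    return "OAuth " + ", ".join(parts)


def query_string(params):
    """Section 5.2: the same parameters in the URL query instead of the header
    (the form wojtek reports working against Yahoo); realm has no place here."""
    return "&".join(f"{oauth_escape(k)}={oauth_escape(v)}" for k, v in params.items())


YAHOO_REQUEST_TOKEN_URL = "https://api.login.yahoo.com/oauth/v2/get_request_token"


def request_token_request(consumer_key="key", consumer_secret="hypothetical-secret",
                          realm=None, nonce="49a6322fa5f72", timestamp=1235628591):
    """Both encodings of one signed get_request_token call: the Authorization header
    value and the full GET URL. Key/secret are hypothetical; nonce and timestamp are
    the ones from the thread. The signature is identical in both forms."""
    params = signed_oauth_params("GET", YAHOO_REQUEST_TOKEN_URL, consumer_key,
                                 consumer_secret, nonce=nonce, timestamp=timestamp)
    return authorization_header(params, realm), YAHOO_REQUEST_TOKEN_URL + "?" + query_string(params)


def appendix_a_signature():
    """Known-answer check from OAuth Core 1.0 Appendix A (A.5): the signed GET of
    http://photos.example.net/photos?file=vacation.jpg&size=original must produce
    tR3+Ty81lMeYAr/Fid0kMTYa/WM=. If it does not, encoding or sorting is wrong."""
    params = signed_oauth_params(
        "GET", "http://photos.example.net/photos",
        consumer_key="dpf43f3p2l4k3l03", consumer_secret="kd94hf93k423kf44",
        token="nnch734d00sl2jdk", token_secret="pfkkdhi9sl3r4s00",
        extra={"file": "vacation.jpg", "size": "original"},
        nonce="kllo9940pd9333jh", timestamp=1191242096)
    return params["oauth_signature"]


if __name__ == "__main__":
    header, url = request_token_request(realm="yahooapis.com")
    print("Authorization:", header, "\nGET", url, "\nAppendix A:", appendix_a_signature())
```

The Appendix A check is worth keeping in any client: it catches the usual mistakes (encoding `/` or `~`, sorting before encoding, including realm or oauth_signature in the base string) before a 401 from the provider does. Note that adding a realm changes the header text but not the signature, so it can be toggled freely to test the provider's realm rule.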
  • Good plan. What I am shaky on is where to implement these hacks in the code, i.e. in what library files?

    Here is what I think I need to hack at, but could you provide detailed guidance?


    library/OAuthRequestSigner.php

    Code lines where I add [ You are also missing header property realm="yahooapi.com": ]
    CODE
    $this->setParam('oauth_signature_method', $signature_method);
    $this->setParam('oauth_signature', '');
    $this->setParam('oauth_nonce', !empty($secrets['nonce']) ? $secrets['nonce'] : uniqid(''));
    $this->setParam('oauth_timestamp', !empty($secrets['timestamp']) ? $secrets['timestamp'] : time());
    $this->setParam('oauth_token', $token);
    $this->setParam('oauth_consumer_key', $secrets['consumer_key']);

    // realm is a header attribute, not a signed oauth_ parameter: OAuth Core 1.0 section 9.1.1
    // excludes it from the signature base string, so check that setParam() does not add it to
    // the signed set. The host is "yahooapis.com" (with the s), as in the header quoted above.
    $this->setParam('realm', 'yahooapis.com');


    library/OAuthRequester.php

    Is this where I hardwire in these values?

    https://api.login.yahoo.com/oauth/v2/
    get_request_token?oauth_nonce=ce2130523f788f313f76314ed3965ea6
    &oauth_timestamp=1202956957
    &oauth_consumer_key=123456891011121314151617181920
    &oauth_signature_method=plaintext
    &oauth_signature=abcdef
    &oauth_version=1.0
    &xoauth_lang_pref="en-us"

    Cheers James
