
This queue is for tickets about the Net-OAuth CPAN distribution.

Report information
The Basics
Id: 47369
Status: resolved
Priority: 0/
Queue: Net-OAuth

Owner: kgrennan [...]
Requestors: cosimo [...]

Bug Information
Severity: Normal
Broken in: 0.18
Fixed in: (no value)

I'm almost done implementing an OAuth provider and am starting to test some real-world applications. Right now I'm using the JavaScript demo here: in particular, the "get request token" part. I see that the provided examples work. When I try with my own provider, it doesn't work.

My provider's signature verification is based on Net::OAuth. The only difference that I can see between the generated signature and the request one is that the base string is missing "oauth_version". The JavaScript library in the example does *not* include oauth_version in the arguments, and it also doesn't include it in the base string, while Net::OAuth does by default, even if the request has no oauth_version, because it is optional.

I will try to investigate this a bit more, to see if it's a problem that I am introducing in some obscure way. Reading the OAuth specs, it seems that oauth_version should *not* be included if it's not present in the request, but then I wonder why others using Net::OAuth don't have this problem.
Going into a bit more detail, it seems to me that the relevant code is in gather_message_parameters():

    sub gather_message_parameters {
        my $self = shift;
        my %opts = @_;
        $opts{quote} = "" unless defined $opts{quote};
        $opts{params} ||= [];
        my %params;
        foreach my $k (@{$self->required_message_params}, @{$self->optional_message_params}, @{$opts{add}}) {
            next if $k eq 'signature' and (!$self->sign_message or ! grep ($_ eq 'signature', @{$opts{add}}));
            my $message_key = $self->is_extension_param($k) ? $k : OAUTH_PREFIX . $k;
            $params{$message_key} = $self->$k;
        }
        if ($self->{extra_params} and !$opts{no_extra} and $self->allow_extra_params) {
            foreach my $k (keys %{$self->{extra_params}}) {
                $params{$k} = $self->{extra_params}{$k};
            }
            if ($self->can('request_url')) {
                my $url = $self->request_url;
                _ensure_uri_object($url);
                foreach my $k ($url->query_param) {
                    $params{$k} = $url->query_param($k);
                }
            }
        }

In particular, here:

    foreach my $k (@{$self->required_message_params}, @{$self->optional_message_params}, @{$opts{add}}) {

the optional params (for example "oauth_version") are included even if they were missing from the original request. Can this cause the signature mismatch I'm experiencing?
Yeah, that's definitely the problem. What method are you using to create the message object? Could you paste a sample of the provider code that uses Net::OAuth? Thanks, Keith
On Fri, 26 Jun 2009 11:42:28, KGRENNAN wrote:
> Yeah, that's definitely the problem. What method are you using to
> create the message object? Could you paste a sample of the provider
> code that uses Net::OAuth?

This is the failing case. Note the absence of "oauth_version=1.0" from here. Adding oauth_version from the JS library makes everything work.

    my $req_obj = Net::OAuth->request('request_token')->from_hash(
        {
            # This data comes from the javascript example I mentioned
            oauth_consumer_key     => 'demo_key',
            oauth_nonce            => 'NpOBlV',
            oauth_timestamp        => '1246036201',
            oauth_signature_method => 'HMAC-SHA1',
            oauth_signature        => '8CKEAX9ElpgHvJVGVrtyYHIumME=',
        },
        consumer_secret => 'demo_secret',
        request_method  => 'GET',
        request_url     => '',
    );

    if (! $req_obj->verify()) {
        return "Something wrong";
    }
Fixed in Net::OAuth 0.19 (will be up on CPAN shortly, or get it from Now when you use from_hash(), from_authorization_header(), from_url() or from_post_body(), the oauth_version parameter is not automatically added. However it is added if you use new() directly, to be backwards compatible. Thanks for the bug report - really appreciate it - I haven't heard from many people implementing OAuth providers using Net::OAuth, so I'm eager to get more feedback from you if you run into other problems.
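
The mismatch discussed in this ticket, reproduced as an added example (not code from the ticket or from Net::OAuth): an OAuth 1.0 HMAC-SHA1 signature is computed over the parameters the client sent, then verified once with a default oauth_version injected and once over the parameters exactly as received. The helpers enc, base_string and sign are hypothetical names, the request URL is a constructed placeholder, and only Digest::SHA from core Perl is assumed.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1_base64);

# Percent-encode everything except the unreserved set (RFC 5849, section 3.6).
sub enc {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
# Simplification: unique ASCII parameter names, no query string in the URL.
sub base_string {
    my ($method, $url, %p) = @_;
    my $norm = join '&', map { enc($_) . '=' . enc($p{$_}) } sort keys %p;
    return join '&', uc($method), enc($url), enc($norm);
}

# HMAC-SHA1 keyed with "consumer_secret&token_secret" (token secret is empty
# for a request-token call).
sub sign {
    my ($base, $consumer_secret, $token_secret) = @_;
    my $key = enc($consumer_secret) . '&' . enc($token_secret // '');
    my $sig = hmac_sha1_base64($base, $key);
    $sig .= '=' while length($sig) % 4;    # Digest::SHA leaves off the padding
    return $sig;
}

# Constructed request: parameter values from the ticket, URL is a placeholder.
my ($method, $url, $secret) = ('GET', 'https://provider.example/request_token', 'demo_secret');
my %received = (
    oauth_consumer_key     => 'demo_key',
    oauth_nonce            => 'NpOBlV',
    oauth_timestamp        => '1246036201',
    oauth_signature_method => 'HMAC-SHA1',
);

# The client signs exactly what it sends (no oauth_version).
my $client_sig = sign(base_string($method, $url, %received), $secret);

# Provider, behaviour reported for 0.18: a default oauth_version is injected.
my $with_default = sign(base_string($method, $url, %received, oauth_version => '1.0'), $secret);
# Provider, behaviour after the fix: only parameters that were received.
my $as_received  = sign(base_string($method, $url, %received), $secret);

printf "default injected: %s\n", $with_default eq $client_sig ? 'verifies' : 'MISMATCH';
printf "as received:      %s\n", $as_received  eq $client_sig ? 'verifies' : 'MISMATCH';
```

A production verifier would also compare the two signatures in constant time rather than with eq.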
