devdefined-tools's Issues

OAuth Authorization header is not urldecoded.

What steps will reproduce the problem?
1. use oauth with header based authentication
2. characters at the provider side are not urldecoded
3.

What is the expected output? What do you see instead?
exception that the oauth_verifier is rejected, while the difference is because 
of the missing decoding

What version of the product are you using? On what operating system?


Please provide any additional information below.
See the attachment which is a patch to fix this issue.

Original issue reported on code.google.com by [email protected] on 30 Jul 2010 at 11:25

TimeZone Encryption issue

Hi,
I'm using DevDefined.OAuth .Net APIs for authorization. I went through a few forums 
and understand that if content-type = "application/x-www-form-urlencoded", then 
the request body should be passed for signing. My request body will have the current 
system time.

CreateTime :BEFORE: 2012-02-09T00:00:00-08:00

While signing, this is encrypted as 
"CreateTime%20%3ABEFORE%3A%202012-02-09T00%3A00%3A00-08%3A00", and my service 
request is working perfectly. However, when I try to use any timezone which has a 
"+" symbol [ ex : UTC + 05:00 ] I'm getting a "signature_invalid" exception 
message.

The reason behind this is that the "+" sign is encrypted as "%2B", but "-" is NOT encrypted.

Original Request Body : CreateTime :BEFORE: 2012-02-09T00:00:00-08:00
Encrypted string  :CreateTime%20%3ABEFORE%3A%202012-02-09T00%3A00%3A00-08%3A00
Result : Working fine.

Original Request Body : CreateTime :BEFORE: 2012-02-09T00:00:00+05:00
Encrypted string  :CreateTime%20%3ABEFORE%3A%202012-02-09T00%3A00%3A00%2B05%3A00
Result : "signature_invalid" exception.

Any help?

Original issue reported on code.google.com by [email protected] on 9 Feb 2012 at 11:37
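
The encoding behaviour reported above, as an added example (not DevDefined.OAuth code): OAuth 1.0 percent-encoding leaves only letters, digits and `-._~` unescaped, so `+` becoming `%2B` while `-` stays as-is is expected. It also shows, as an assumption about the cause, what a provider sees when the body carries a raw `+`: a form decoder reads it as a space and signs a different value. `OAuthEncode` and `FormDecode` are hypothetical helper names.

```csharp
using System;
using System.Text;

static class PlusSignDemo
{
    const string Unreserved =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

    // OAuth 1.0 parameter encoding: UTF-8 bytes, everything outside the
    // unreserved set becomes %XX with upper-case hex.
    static string OAuthEncode(string value)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(value))
        {
            if (Unreserved.IndexOf((char)b) >= 0) sb.Append((char)b);
            else sb.Append('%').Append(b.ToString("X2"));
        }
        return sb.ToString();
    }

    // What an application/x-www-form-urlencoded parser does to a body value:
    // '+' means space, then %XX escapes are resolved.
    static string FormDecode(string wire) =>
        Uri.UnescapeDataString(wire.Replace('+', ' '));

    static void Main()
    {
        // Constructed sample value, taken from the issue text.
        string value = ":BEFORE: 2012-02-09T00:00:00+05:00";

        string signedByConsumer = OAuthEncode(value);

        // Body sent without escaping the '+': the provider decodes a space.
        string seenRaw = FormDecode(value);
        // Body sent percent-encoded: the provider recovers the original value.
        string seenEncoded = FormDecode(OAuthEncode(value));

        Console.WriteLine(signedByConsumer);
        Console.WriteLine(OAuthEncode(seenRaw) == signedByConsumer);     // raw '+'
        Console.WriteLine(OAuthEncode(seenEncoded) == signedByConsumer); // escaped
    }
}
```

The two comparisons differ only in whether the body was percent-encoded before sending, which is the thing to check on the wire when a `+` offset fails and a `-` offset works.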

HmacSha1 sign method doesn't work

What steps will reproduce the problem?
1. use the SignatureMethod.HmacSha1 method

What is the expected output? What do you see instead?
class DevDefined.OAuth.Framework.UriUtility 
    static QueryParameter ParseAuthorizationHeaderKeyValuePair(string value)
    {
      if (value.IndexOf('=') > -1)
      {
        string[] temp = value.Split('=');
        return new QueryParameter(temp[0].Trim(), StripQuotes(temp[1]));
      }
      return new QueryParameter(value.Trim(), string.Empty);
    }
If there is "=" in signature ,for example
"auth_signature=\"uZF3aYQFtyK0F1FFHY+w7/Be+m4=\""
expect:
  string[] temp ={"auth_signature","uZF3aYQFtyK0F1FFHY+w7/Be+m4="}
But I get
  string[] temp ={"auth_signature","\"uZF3aYQFtyK0F1FFHY+w7/Be+m4"}

What version of the product are you using? On what operating system?
Last trunk


Original issue reported on code.google.com by [email protected] on 1 Jun 2010 at 8:58
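
A parsing approach that covers both this report and the "OAuth Authorization header is not urldecoded" report at the top of the page, as an added example (not the library's code and not the attached patch): split each pair on the first `=` only, strip the quotes, then percent-decode the value. `ParseAuthorizationHeader` is a hypothetical name, and the header is constructed from the signature quoted in this issue.

```csharp
using System;
using System.Collections.Generic;

static class AuthHeaderDemo
{
    static Dictionary<string, string> ParseAuthorizationHeader(string header)
    {
        const string scheme = "OAuth ";
        if (!header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            throw new FormatException("not an OAuth Authorization header");

        var result = new Dictionary<string, string>(StringComparer.Ordinal);
        // Assumes values carry no raw commas (percent-encoded values never do).
        foreach (string pair in header.Substring(scheme.Length).Split(','))
        {
            // Split on the FIRST '=' only: base64 padding puts '=' inside values.
            int eq = pair.IndexOf('=');
            string key = (eq < 0 ? pair : pair.Substring(0, eq)).Trim();
            string raw = eq < 0 ? string.Empty : pair.Substring(eq + 1).Trim();

            // Strip one pair of surrounding double quotes.
            if (raw.Length >= 2 && raw[0] == '"' && raw[raw.Length - 1] == '"')
                raw = raw.Substring(1, raw.Length - 2);

            // Percent-decode. UnescapeDataString leaves '+' alone, which is
            // right here: '+' only means space in form-encoded bodies.
            result[key] = Uri.UnescapeDataString(raw);
        }
        return result;
    }

    static void Main()
    {
        // Constructed header: the same signature once raw, once percent-encoded.
        string header = "OAuth realm=\"\", " +
            "raw_signature=\"uZF3aYQFtyK0F1FFHY+w7/Be+m4=\", " +
            "oauth_signature=\"uZF3aYQFtyK0F1FFHY%2Bw7%2FBe%2Bm4%3D\"";

        foreach (var kv in ParseAuthorizationHeader(header))
            Console.WriteLine(kv.Key + " => " + kv.Value);
    }
}
```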

oauth_token_secret is sent in the URI/Headers

Using the latest source in TRUNK.

When accessing a protected resource the library sends the
oauth_token_secret in the URI, or in the case of header based
authentication it sends it in the header.

oauth_token_secret should not be included in any requests to the provider
[1], this data is sensitive, and in the case of desktop applications where
the consumer secret is not secure it would allow an attacker to obtain
access to protected resources.

--- OAuth HTTP Request with the library ---
GET /statuses/friends_timeline.xml?count=50&since_id=1 HTTP/1.1
Authorization: OAuth oauth_token="10471832-XMtqq0fl5bpFI5aiJjeopon4QpL9jcwRBwspyf...",oauth_token_secret="vAwMlDtkbtkjxjtZhz8x3ngw4Vk3ZmvpHDAhVuMw",oauth_nonce="ac4cdbe3-98db-4017-a9b3-e62ceb5eaf17",oauth_consumer_key="OxuuZnHZuTr6ZxjrL3yzQ",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1237476772",oauth_version="1.0",oauth_signature="j29o0oSQhwW5yel7Vb9L7AeI8ks%3D"
Host: twitter.com
Connection: Keep-Alive
--- End of Request ---

I worked around this by editing line 235 and line 291 of OAuthContext.cs to
exclude Parameters.OAuth_Token_Secret:
AuthorizationHeaderParameters.ToQueryParameters().Where(q => q.Key !=
Parameters.Realm && q.Key != Parameters.OAuth_Token_Secret)

1. http://oauth.net/core/1.0/#anchor13

Original issue reported on code.google.com by [email protected] on 19 Mar 2009 at 7:55

Cannot Validate HTTP Post Request

What steps will reproduce the problem?
1. Do a HTTP Post with Authorization Header
2.
3.

What is the expected output? What do you see instead?
Signature should be valid. Exception thrown that the Consumer Key is null.

What version of the product are you using? On what operating system?
Can't recall the version number, Win 2K3

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 25 Nov 2009 at 10:41

Plain Text signature is UrlEncoded twice

The PlainTextSignatureImplementation does an UriUtility.UrlEncode(..) for
the signature. 
But the UriEncode.UrlEncode(..) is also called when adding the information
to the header of the request.

Original issue reported on code.google.com by [email protected] on 10 Dec 2009 at 1:16

OAuth is not supporting sending raw content in the request

For support for e.g. .net webservice using oAuth, I need to pass raw xml to the 
body of the request. This is not yet supported by Devdefined. 

The attachment shows the patch how you can easily include the possibility to 
enable passing raw content and the content type.

Original issue reported on code.google.com by [email protected] on 30 Jul 2010 at 11:27

WebException.GetResponseStream always throws a

What steps will reproduce the problem?
1. Use 2 way auth with X509 certificate
2. Make an invalid request to a server with valid credentials 
3. Server returns error 400 with a response body (in my case xml describing
the error)
4. In the catch section, attempt to use the following code

    if (ex.Response != null)
    {
        using (StreamReader streamReader = new StreamReader(ex.Response.GetResponseStream()))
        {
            Response = streamReader.ReadToEnd();
        }

        if (ex.Response is HttpWebResponse)
        {
            StatusCode = ((HttpWebResponse)ex.Response).StatusCode;
        }
    }

What is the expected output? What do you see instead?

I expect the ability to read from the stream.  I get an exception instead

What version of the product are you using? On what operating system?
Latest trunk


Please provide any additional information below.

This appears to be a bug from the implementation of WebExceptionHelper.cs.
 The helper reads the content stream before the exception is re-thrown to
the caller.  As a result, the stream has been read to the end, and I'm
unable to retrieve the data I need.  I'll be modifying the exception helper
to resolve this issue.


Original issue reported on code.google.com by [email protected] on 31 Mar 2010 at 9:35

Need to implement OAuth 1.0a support

The OAuth 1.0a advisory was made in April/June - we need to update the
implementation to (optionally) support these changes, while still remaining
backward compatible with OAuth 1.0 implementations as well.

Original issue reported on code.google.com by [email protected] on 30 Jul 2009 at 11:50

Can't validate signed requests from OpenSocial applications

Originally reported by a library user via email - details as follows:

Hi Alex,

Hope you don’t mind some random punter emailing you about the OAuth code
you created.. 

Thanks for the code by the way, I was trying to do something similar but
you saved me a load of time.

I just have a quick query.. I am trying to get the RSA Implementation to
work but the validation keeps failing.

I copied the way you outlined in the google groups
(http://code.google.com/p/devdefined-tools/wiki/OAuthSignatureValidation)
and this is what I ended up with..

(I must add that I am using a local certificate I got from friendster and I
don’t have a consumer secret.)

OAuthContext context = new OAuthContextBuilder().FromHttpRequest(Request);

OAuthContextSigner signer = new OAuthContextSigner();

SigningContext signingContext = new SigningContext();

X509Certificate2 x509 = new
X509Certificate2(Server.MapPath("/Certs/friendster.crt"));

signingContext.Algorithm = (RSACryptoServiceProvider)x509.PublicKey.Key; 
// if a certificate is associated with the consumer (for RSA-SHA1 etc.)

signingContext.ConsumerSecret = ""; // if there is a consumer secret


if (!signer.ValidateSignature(context, signingContext))
{
.
.
.


It seems quite straightforward but I can’t seem to get the signature to
validate correctly.. I also don’t have the private key, which means (I
think) that I can’t recreate the signature to help me test and find out
where I’m going wrong.


Anyways, any suggestions would be very much appreciated.. thanks again for
the code.

Kind regards,

Eoin

PollDaddy.com

Original issue reported on code.google.com by [email protected] on 21 Sep 2008 at 10:15

Problem in Signature for post params

What steps will reproduce the problem?
1. Submit a post with form fields where one form field is named UserId and 
another is named action.  Case is important. 

What is the expected output? What do you see instead?

When the signature is constructed, the UserId parameter and value must come 
before the action parameter.  This is not the case in the current 
implementation.

What version of the product are you using? On what operating system?


Please provide any additional information below.

Change UriUtility.cs with the below:

    /// <summary>
    /// Normalizes a sequence of key/value pair parameters as per the OAuth core specification.
    /// </summary>
    /// <param name="parameters"></param>
    /// <returns></returns>
    public static string NormalizeRequestParameters(IEnumerable<QueryParameter> parameters)
    {
      List<QueryParameter> orderedParameters = parameters
        .Select(
        x => new QueryParameter(x.Key, UrlEncode(x.Value))).ToList();
      orderedParameters.Sort(SignatureBaseStringParameterComparer);
      var builder = new StringBuilder();

      foreach (var parameter in orderedParameters)
      {
        if (builder.Length > 0) builder.Append("&");

        builder.Append(parameter.Key).Append("=").Append(parameter.Value);
      }

      return builder.ToString();
    }


    private static int SignatureBaseStringParameterComparer(QueryParameter left, QueryParameter right)
    {
        int result = string.CompareOrdinal(left.Key, right.Key);
        if (result != 0)
        {
            return result;
        }

        return string.CompareOrdinal(left.Value, right.Value);
    }

Original issue reported on code.google.com by [email protected] on 17 Nov 2011 at 2:53
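
An added example (not the library's code) for this report and for the "oauth_token_secret is sent in the URI/Headers" report above: it builds the normalized parameter string with an ordinal and with a culture-aware sort so the two HMAC-SHA1 signatures can be compared, and it uses the consumer and token secrets only as the HMAC key, never as request parameters. The field values, URL and secrets are constructed, and `Enc`, `Normalize` and `Sign` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class BaseStringDemo
{
    // Uri.EscapeDataString stands in for OAuth percent-encoding here;
    // that is sufficient for these constructed values.
    static string Enc(string s) => Uri.EscapeDataString(s);

    static string Normalize(IEnumerable<KeyValuePair<string, string>> ps,
                            StringComparer cmp) =>
        string.Join("&", ps
            .Select(p => new KeyValuePair<string, string>(Enc(p.Key), Enc(p.Value)))
            .OrderBy(p => p.Key, cmp).ThenBy(p => p.Value, cmp)
            .Select(p => p.Key + "=" + p.Value));

    static string Sign(string baseString, string consumerSecret, string tokenSecret)
    {
        // The secrets are only ever the HMAC key; they are not request parameters.
        byte[] key = Encoding.ASCII.GetBytes(Enc(consumerSecret) + "&" + Enc(tokenSecret));
        using (var hmac = new HMACSHA1(key))
            return Convert.ToBase64String(
                hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    static void Main()
    {
        // Constructed form fields and secrets.
        var fields = new[] {
            new KeyValuePair<string, string>("action", "update"),
            new KeyValuePair<string, string>("UserId", "42"),
            new KeyValuePair<string, string>("oauth_token", "tok"),
        };
        string prefix = "POST&" + Enc("http://example.com/api") + "&";

        // Ordinal: 'U' (0x55) sorts before 'a' (0x61), as the issue requires.
        string ordinal = Normalize(fields, StringComparer.Ordinal);
        // Culture-aware: linguistic order, which ignores that byte ordering.
        string cultural = Normalize(fields, StringComparer.InvariantCulture);

        Console.WriteLine(ordinal);
        Console.WriteLine(cultural);
        Console.WriteLine(Sign(prefix + Enc(ordinal), "cs", "ts"));
        Console.WriteLine(Sign(prefix + Enc(cultural), "cs", "ts"));
    }
}
```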

Patch: First HTTPRequest taking very long

There's an issue with HttpWebRequest, in some environments (misconfigured 
environments?), the first request on a HttpWebRequest instance takes 
disproportionately long, up to 30 and more seconds.

The problem seems to be the automatic proxy detection that HttpWebRequest 
implicitly does.

I attached a patch that completely disables the proxy detection (sets the 
HttpWebRequest.Proxy property to NULL).
This does the trick and the first request doesn't take longer than any other 
request anymore.

Hope someone saves some time with this :)

Best Regards,
André

Original issue reported on code.google.com by [email protected] on 8 Jul 2012 at 10:43
