xiaoxiwu / oauth-dot-net Goto Github PK

What steps will reproduce the problem?
1. Generate a RequestToken and authorize it
2. Perform the steps to generate an AccessToken via the RequestToken
3. Attempt to generate a second AccessToken from the same RequestToken

What is the expected output? What do you see instead?
As I understand it, a consumer is meant to be able to generate an arbitrary
number of AccessTokens with the same RequestToken. The process to authorize
a RequestToken involves manual user interaction, which we only want once.

It turns out that the RequestToken is marked as "Used" after a single
AccessToken is generated from it. This is in the
AccessTokenHandler.IssueAccessToken method.

It might be useful if there was some mechanism to allow a single associated
AccessToken at a time, but I don't think that is what's happening here.

What version of the product are you using? On what operating system?
0.7.1.0

Please provide any additional information below.
It looks like the sample application "EchoServiceProvider" faced the same
issue and worked around it in the same fashion that I've taken. So this may
have been intentional for some reason...

The HmacSha1SigningProvider is vulnerable to a remote timing attack in the way 
the signatures are compared. Comparison needs to be done in a manner that will 
take a constant amount of time regardless of success or failure. You can read 
more about timing attacks at http://codahale.com/a-lesson-in-timing-attacks/. 
I've attached a patch that passed all the unit tests on my end.

What steps will reproduce the problem?
1. open the sln file 

What is the expected output? What do you see instead?
Expected: Project opens.  Instead: password prompt


What version of the product are you using? On what operating system?
0.5.0.0

Please provide any additional information below.

I have successfully authenticated the user and storing users token/secret in 
database. Now I need to pull the data for that user based on the token/secret 
that I have stored in the database. How can I do that? 

We used to save Token and Secret in our database but every time the FitBit asks 
user their Authentication and then followed by another window "Allow" and 
"Deny" to synch data.


Following is the code that we are using in our c# web application :

    that means :       response.HasProtectedResource =  null always


 const string ConsumerKey = "xxx";
            const string ConsumerSecret = "xxx";
            const string RequestTokenUrl = "http://www.fitbit.com/oauth/request_token";
            string AuthorizationUrl = "http://www.fitbit.com/oauth/authorize";
            const string AccessTokenUrl = "http://api.fitbit.com/oauth/access_token";
            const string ApiCallUrl = "http://api.fitbit.com/1/user/-/profile.xml";

            OAuthService service = OAuthService.Create(
                                   new EndPoint(RequestTokenUrl, "POST"),         // requestTokenEndPoint
                                   new Uri(AuthorizationUrl),                     // authorizationUri
                                   new EndPoint(AccessTokenUrl, "POST"),          // accessTokenEndPoint
                                   true,                                          // useAuthorizationHeader
                                   "http://api.fitbit.com",                       // realm
                                   "HMAC-SHA1",                                   // signatureMethod
                                   "1.0",                                         // oauthVersion
                                   new OAuthConsumer(ConsumerKey, ConsumerSecret) // consumer
                                   );

            OAuthRequest request = OAuthRequest.Create(
                                           new OAuth.Net.Consumer.EndPoint(ApiCallUrl, "GET"),
                                           service,
                                           this.Context.Request.Url,
                                         this.Session.SessionID);

            request.VerificationHandler = AspNetOAuthRequest.HandleVerification;
            OAuthResponse response = request.GetResource();
            if (!response.HasProtectedResource)
            {
                string authorizationUrl = service.BuildAuthorizationUrl(response.Token).AbsoluteUri;
                Response.Redirect(authorizationUrl);
            }



GetResource() method always returns HasProtectedResource = false. I need it to 
return true. I know I have to pass the token/secret but I need to know where. 

I have successfully authenticated the user and storing users token/secret in 
database. Now I need to pull the data for that user based on the token/secret 
that I have stored in the database. How can I do that? 

The current RSA-SHA1 signing provider does not support checking of
signatures at the service provider. This is because it is not defined how
it should load the consumer's key.

This will be required if service providers are to support the RSA-SHA1
signature method (from OAuth Core 1.0).

I want to connect a service called FatSecret below is am example Url to their 
REST api. Can I do that using oauth-dot-net, if so how!?
I've not found the docs very helpful.


http://platform.fatsecret.com/rest/server.api?food_id=33691&method=food.get&oaut
h_consumer_key=9a1a6fd1-fff5-433f-9dd7-7daa4587bf5d&oauth_nonce=1234&oauth_signa
ture=sAyYTJiIxOGkvFpBcH8L%2BlFQRCQ%3D&oauth_signature_method=HMAC-SHA1&oauth_tim
estamp=1245126631&oauth_version=1.0 

What steps will reproduce the problem?
1. Create a NVC that contains a null key
2. Pass into OAuthConsumerRequest.GetResource(NVC)
3. Wait for the dreaded NullRef exception

What is the expected output? What do you see instead?

It to send in an empty key, instead I'm seeing an exception

What version of the product are you using? On what operating system?

0.8.1.1

Please provide any additional information below.

I changed the sort to:

// Sort parameters into lexicographic order (by key and value)
@params.Sort(
    (left, right) =>
        {
            var leftKey = left.Key ?? String.Empty;
            var leftValue = left.Value ?? String.Empty;
            var rightKey = right.Key ?? String.Empty;
            var rightValue = right.Value ?? String.Empty;

            return leftKey.Equals(rightKey, StringComparison.Ordinal)
                ? string.Compare(leftValue, rightValue, StringComparison.Ordinal)
                : string.Compare(leftKey, rightKey, StringComparison.Ordinal);
        });


Sorry I could not generate a path file.

The spec is quite vague about HEAD, PUT, OPTIONS, DELETE. However, OAuth 
should support these HTTP methods: 
http://groups.google.com/group/oauth/browse_thread/thread/fdc0b11f2c4a8dc3/
62af21ed3da4af0e

Review changes needed to support these HTTP methods within the spec.

Should the code only parse the response for tokens if the status code is in
the 200 range?  and if so what should the request object report back to the
calling code?

What steps will reproduce the problem?
1. Sample Service Provider, default.asp.cs
2. wherever, each time you see there is a "+" in request string. It will be
parsed to " " on server side incorrectly. 
3. get signature_invalid

What is the expected output? What do you see instead?
"+" should be encode to %2b

What version of the product are you using? On what operating system?
0.71b

Please provide any additional information below.

The XML documentation is incomplete.

This method in OAuthRequestToken.cs throws a NullReferenceException when 
the AuthenticatedUser property is null, which is a valid state for a 
request token.

I am experiencing this error when the RequestTokenHandler process my 
callback URI.

public override int GetHashCode()
        {
            return this.Token.GetHashCode() ^ this.Secret.GetHashCode() ^ 
this.Status.GetHashCode()
                ^ this.ConsumerKey.GetHashCode() ^ 
this.AssociatedParameters.GetHashCode()
                ^ this.AuthenticatedUser.GetHashCode() ^ 
this.Roles.GetHashCode();
        }

OAuthException should be updated with at least
OAuthException.ThrowPermissionUnknown &
OAuthException.ThrowPermissionDenied to support new ProblemReporting types.

What version of the product are you using? On what operating system?
OAuth.Net-source-0.5.1.0

Please provide any additional information below.

protected virtual ICollection<IToken> GetByPredicate(...,...)

   if (matches.Count > 0)
   return null;
    else
   return new ReadOnlyCollection<IToken>(matches);

...should read "if(matches.Count ==0)"  :-)

What steps will reproduce the problem?
1. Add <add name="OAuthPipelineModule"
type="OAuth.Net.ServiceProvider.OAuthPipelineModule"/> to httpModules
2. Add an asp:UpdatePanel to a page in same project
3. Set a control inside panel (eg button) to postback 

What is the expected output? What do you see instead?
UpdatePanel postback fails and a JScript error
"Sys.WebForms.PageRequestManagerServerErrorException - code 500" appears

What version of the product are you using? On what operating system?
OAuth.Net-source-0.5.1.0

Please provide any additional information below.

Currently some of public types take hard dependencies on some hard-to-test 
framework types, e.g. OAuthParameters.Parse(HttpRequest)

These should be replaced with adaptors.

When smoke testing with the EchoService, I wanted to test out the Plaintext 
provider however it does not work.  I was able to figure out how to wire in 
the plaintext provider into the EchoService.  

The problem lies in the PlaintextSigningProvider.cs and the CheckSignature 
method.  The variable expectedSignature is Rfc3986 encoded while the 
variable actualSignature is Rfc3986 decoded resulting in the expected and 
actual signature never matching.  The solution is to comment out 
actualSignature creation and assignment and replace the last line with return 
expectedSignature == signature;.

Maybe I'm missing something? Seems to work like a charm though!  :)

I am building a c# desktop installed application to access Google calendar. I 
want to use OAuth Lib to get Access token for the Google user.

Here is my code

==================================================================

UnityContainer unityContainer = new UnityContainer();

UnityConfigurationSection section = 
(UnityConfigurationSection)ConfigurationManager.GetSection(“oauth.net.consumer
”);

section.Containers.Default.Configure(unityContainer);

ServiceLocator.SetLocatorProvider(() => new 
UnityServiceLocator(unityContainer));

OAuthConsumer oAuthConsumer = new OAuthConsumer(“anonymous”, 
“anonymous”, “My application”);
OAuthService oAuthService = OAuthService.Create(new 
EndPoint(“https://www.google.com/accounts/OAuthGetRequestToken”), new 
Uri(“https://www.google.com/accounts/OAuthAuthorizeToken”), new 
EndPoint(“https://www.google.com/accounts/OAuthGetAccessToken”), 
oAuthConsumer);

OAuthRequest oAuthRequest = OAuthConsumerRequest.Create(new 
EndPoint(GoogleCalendarFeed), oAuthService);

OAuthResponse oAuthResponse = oAuthRequest.GetResource();

======================================================================

Here is my App.config file

======================================================================
<configuration>
  <configSections>
    <section name="oauth.net.consumer" type="Microsoft.Practices.Unity.Configuration.UnityConfigurationSection, Microsoft.Practices.Unity.Configuration"/>
  </configSections>
  <oauth.net.consumer>
    <containers>
      <container>
        <types>
          <type type="OAuth.Net.Common.ISigningProvider, OAuth.Net.Common"
                 mapTo="OAuth.Net.Components.HmacSha1SigningProvider, OAuth.Net.Components"></type>
          <type type="OAuth.Net.Common.INonceProvider, OAuth.Net.Common"
                     mapTo="OAuth.Net.Components.GuidNonceProvider, OAuth.Net.Components" />
        </types>
      </container>
    </containers>
  </oauth.net.consumer>
</configuration>
=========================================================================

I am getting error "The remote server returned an error: (401) Unauthorized", 
when I call oAuthRequest.GetResource();


what am I doing wrong?

What is the best way to get access token in a installed application?

Thanks

To be able to run in most hosted environments it is necessary to tag the 
assemblies as allowing for partially trust, which is done in the assembly 
info like so:

[assembly: System.Security.AllowPartiallyTrustedCallers]

Martin

I do not know if somebody can help me.
I am trying to submit a token request using the OAuthBase.cs. 
I would like to know how/where can i Include the "scope" when trying to the 
signature using the GenerateSignature method.

Thanks,

This is the Google's example:

POST /accounts/OAuthGetRequestToken HTTP/1.1
Host: https://www.google.com
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth
oauth_consumer_key="example.com",
oauth_signature_method="RSA-SHA1",
oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
oauth_timestamp="137131200",
oauth_nonce="4572616e48616d6d65724c61686176",
oauth_version="1.0"

scope=http://www.google.com/calendar/feeds http://picasaweb.google.com/data

What steps will reproduce the problem?
1. Just run twitterclient sample code


What is the expected output? What do you see instead?
I should be able update status to my account. But when I use sample code, I
get 401 exception.

What version of the product are you using? On what operating system?
windows 2003, OAuth.net-Source-0.7.1.0

Please provide any additional information below.
The "CreatedDate" in status.cs is throwing an exception.
The "CreatedDate" in  ExtendedUser.cs is throwing an exception too.

There seems to be a problem with the 0.7.0.0 release when using the 
authorization header to provide the OAuth parameters from a consumer 
application.

Using the exact same code and providing the parameters via query string 
seems to work fine, so it appears to be a bug in the OAuth.Net.Components 
namespace, rather than something specific that I’m doing.

So far, I’ve noticed the problem in two places,  HmacSha1SigningProvider 
and MD5HashVerifierProvider. I get a [signature_invalid] error when 
checking the signature for a request or access token. Similarly, I get a 
[oauth_parameters_rejected, oauth_verifier] error if I implement a hack to 
workaround for the first error.

The errors are thrown from the HmacSha1SigningProvider.CheckSignature and 
MD5HashVerifierProvider.IsValid methods. For example, here’s what I can 
see when debugging the latter method:

verifier => HVlNt2MITzJsPSpkWFy8vw==
hash     => HVlNt2MITzJsPSpkWFy8vw%3D%3D

When using the query string to provide the parameters, the hash correctly 
evaluates to "HVlNt2MITzJsPSpkWFy8vw==" thus allowing things to continue 
as expected.

My guess is there is an issue with the OAuthParameters.ToHeaderFormat 
method and the Rfc3986 encoding – perhaps things are being double-encoded 
(i.e. both inside the ToHeaderFormat method and either before or after the 
method is called).

-Will
[email protected]

In particular discovery and Session extension.

Look at extension points in ServiceProvider assembly
 * e.g. before OAuth processing so that applications can perform rate
limiting  without having to have CPU overhead of validating parameters,
etc. first

Running OAuth.Net.Examples.TwitterClient on culture other than en-us
(pl-PL) causes FormatException on DateTime.ParseExact.

The solution is to change ExtendedUser.cs lines 088 and 089:
         this.CreatedDate = DateTime
                    .ParseExact(value, TwitterApi.DateFormat,
CultureInfo.InvariantCulture);

same modifictaion is required i Status.cs.

I attached a patch to current trunk rev 142

What steps will reproduce the problem?
1. Any kind of comparision of 2 OAuthRequestToken objects
2.
3.

What is the expected output? What do you see instead?
When comparing 2 OAuthRequestToken objects, Equals should evaluate to true
if the AssociatedParameters values are identical, even if they are not the
same object (assuming all other fields/properties are identical). But since
it uses a reference comparison to evaluate this, the objects will always
evaluate to not equal if the object. This refers to the OAuthRequestToken,
which, when checking equality of the OAuthParameters object, uses the
default Equals method. This is not overridden to provide value checking
rather than reference checking.

What version of the product are you using? On what operating system?
0.7.1.0

Please provide any additional information below.
This would be a problem if the OAuthRequestToken objects were re-created
from a data store, rather just set aside in memory, as with the InMemory
stores that are provided with the framework.

Your library looks like it only supports POST and GET methods for some
reason. Why is that? Am I missing something? 

In both of the Parse() methods:

 public static OAuthParameters Parse(HttpWebResponse response)
 public static OAuthParameters Parse(OAuthResource response)

The response gets HttpUtility.UrlDecode before splitting. This is incorrect
and causes problems with values that have encoded = and & in them.
Specifically, this causes problems with MySpace since their token seems to
have the extra padding on the end of the token.

Example of the data received from MySpace:

"oauth_token=7gX4FXjJ55oQYOMTe52UkiQMCUgpwR2JHlLibJhLr%2FfMp2uBUDVx2pox%2BnKa3tJ
vHoNrv0z%2B3WfvueAaizzKTA%3D%3D&oauth_token_secret=70b71404121f49618acee4a5bcd1e
8c9"

You can see the %3D%3D. In the current code. This will split and toss away
the "==" at the end of the token, making it invalid.

To correct this, something like this needs to be done. Split the items
first, and decode the data after the parameters are found.

                // fixing their code not to decode prematurely since that in fact is wrong
                // since there could be additional '&' characters in the data
                string decodedBody = bodyEncoding.GetString( ms.ToArray() );
                //string decodedBody = HttpUtility.UrlDecode(ms.ToArray(),
bodyEncoding);

                string[] nameValuePairs = decodedBody.Split(new char[] {
'&' }, StringSplitOptions.RemoveEmptyEntries);
                foreach (string nameValuePair in nameValuePairs)
                {
                    string[] nameValuePairParts = nameValuePair.Split(new
char[] { '=' }, StringSplitOptions.RemoveEmptyEntries);
                    if (nameValuePairParts.Length == 2)
                        bodyParams.Add(nameValuePairParts[0],
HttpUtility.UrlDecode( nameValuePairParts[1] ) );
                }

What steps will reproduce the problem?
1. Demo link not working
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

Reproducing the problem :
1. Creates an url rewriting, for instance '/resource/12' => 
'/resourceHandler.ashx?id=12'
2. Use the url '/resource/12'

Expected behavior :
Items added to query by url-rewriting should be ignored when generating 
signature.

Effective behavior :
Items added to query by url-rewriting are use to compute the signature

Version of the product used :
0.8.1.1

Operating system :
Windows Vista 64bits

Additional information :

Problem does not concern url path, but query parameters that may be appended to 
the url by url-rewriting mechanism. request.QueryString is based on 
request.Url, which is the rewritten url. Query part of request.RawUrl should be 
used instead.

Problem can be solved by replacing the OAuthParameters.Parse(HttpRequest 
request, OAuthParameterSources sources) method by the following :

public static OAuthParameters Parse(HttpRequest request, OAuthParameterSources 
sources)
{
        var queryString = HttpUtility.ParseQueryString(new Uri(request.Url, request.RawUrl).Query);
         return OAuthParameters.DoParse(request.Headers[Constants.AuthorizationHeaderParameter], request.Headers[Constants.WwwAuthenticateHeaderParameter], request.Form, queryString, sources, true);
}

What steps will reproduce the problem?
1. run Twitter Example
2. after authentication the page failed
3.

What is the expected output? What do you see instead?

Input string was not in a correct format.
Description: An unhandled exception occurred during the execution of the 
current web request. Please review the stack trace for more information about 
the error and where it originated in the code.

Exception Details: System.FormatException: Input string was not in a correct 
format.

Source Error:

Line 142:        {
Line 143:            XmlSerializer serializer = new 
XmlSerializer(typeof(ExtendedUser));
Line 144:            return (ExtendedUser)serializer.Deserialize(stream);
Line 145:        }
Line 146:    }


What version of the product are you using? On what operating system?
windows 7 OAuthNet-source-0.8.1.1.zip   Featured 

Please provide any additional information below.

Seems like this property should exist. For example, you have the following:

* CallbackStore
* ConsumerStore
* RequestIdValidator
* TokenGenerator
* TokenStore
* VerificationProvider
* GetSigningProvider(string signatureMethod)

But you are missing:

* NonceProvider

What steps will reproduce the problem?
1. Any kind of comparision of 2 OAuthRequestToken objects
2.
3.

What is the expected output? What do you see instead?
If the Roles property is an empty string array for each object, but the
string array is a different object for each, it should probably still
satisfy the Equals test. Instead, it is doing a reference comparison, so if
you have 2 different OAuthRequestTokens, they will fail equality every
time, regardless of the parameters matching. This isn't seen with the
standard InMemory stores, since the objects of a given comparison are
likely to reference the same object where the match is expected.

What version of the product are you using? On what operating system?
0.7.1.0

Please provide any additional information below.

>> What steps will reproduce the problem?

1. Use a sample that uses AspNetOAuthRequest and SessionRequestStateStore
2. Set the ASP.NET web.config to use SQLServer session state.  (StateServer is 
also likely to have the same problem.)
3. Run the sample.  At some point when AspNetOAuthRequest wants to store 
request tokens in the session, the site will crash.

>> What is the expected output? What do you see instead?

- I expected it to work.  Instead, I saw an exception from ASP.NET that 
specific classes from OAuth.Net weren't serializable.

>> What version of the product are you using? On what operating system?

- OAuth.Net v0.8.1.1 on Windows Server 2008 R2 with SQL Server 2008 R2 for 
session state storage.

>> Please provide any additional information below.

- Modifying the following two classes to have the [Serializable] attribute 
fixed the problem for me:

 OAuth.Net.Consumer.RequestState
 OAuth.Net.Consumer.RequestStateKey

I notice that OAuthToken was already marked [Serializable], so perhaps on these 
other classes lack of such was an oversight?  I suggest a future build ensure 
compatibility with out-of-process session state - such is common in web farm 
deployment scenarios.

BTW, thanks for software! Other than this problem that I've worked around, 
everything else so far worked as expected.

What steps will reproduce the problem?

1. Set a breakpoint on the return line of the
OAuth.Net.Compants.HMacSha1SigningProvider.CheckSignature method
2. Hit the "Echo service provider" example and click the "Getting an access
token" link.
3. If the signature contains a space, you will see the expectedSignature
and actualSignature values differ only by the encoding of the space. (NOTE:
if the signature doesn't contain a space, go back to step 2, refresh it to
generate new oauth params and repeat)

What steps will reproduce the problem?
1. Run TwitterAPI Application
2. Click Connect
3. Click Deny
4. Go Back to TwitterAPI Application

Optionally

1. Run TwitterAPI Application
2. Click Connect
3. Go Back to twitterAPI App without completing login
4. Click Connect

What is the expected output? What do you see instead?
Expect to see service denied page. See Object Reference Error

What version of the product are you using? On what operating system?
0.8.1.1

Please provide any additional information below.
Maybe it should handle the denied response to clear the request token?

I think there is a bug with the OAuthParameters constructor. It looks like 
you forgot to add the following line:
this.Verifier = null;

This causes a KeyNotFoundException if you try to check or access the 
OAuthParameters.Verifier property before it has been set somewhere else.  
I would expect the initial value to be null (like the other properties in 
the class), but instead I get the exception.

For example, you can plainly see this issue when viewing a new instance of 
the OAuthParameters class in the debugger.

-Will
[email protected]