Hey Guys, I found the problem. Let me explain what's going on:
Opening /src/gadgets/oauth/OAuth.php, function get_signature_base_string(), the function $this->get_normalized_http_method() is returning "", while OAuth returns "GET" or "POST".

Digging a bit more, I discovered that Shindig is using the function OAuthRequest::from_consumer_and_token, passing $http_method as "". Looking over the signed request example described on opensocial wiki: http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests , the function called is OAuthRequest::from_request, which initializes $http_method with *...@$http_method or $http_method = $_SERVER['REQUEST_METHOD'];*

There's one string "GET", being appended on base string, and then the signature is generated. It doesn't happen on Shindig and the base strings are different, so it will always return FALSE.

I've patched my code to make it work, but don't know for sure who's responsible for the fault.

Any comments?

2009/3/24 Robson Dantas <biu.dan...@gmail.com>

> Hi Guys!
>
> After reading shindig/php/certs/README, I tried to set up signed requests
> using shindig+partuza. I'm using windows XP, wamp stack (php 5.2.8, apache
> 2.2), latest svn version of shindig and partuza, and openssl for windows to
> generate the keys (http://www.openssl.org/related/binaries.html).
>
> Everything worked fine, except the key validation. I'm using OAuth rev 526
> to validate it but it's not working. The same code validates Orkut signed
> requests.
>
> I'm feeling that the problem is related to key generation. Is that ok to
> use this utility? I'm printing some results I got using firebug.
>
> http:\/\/127.0.0.1\/gadget/action.php?nocache=1237906077768":
>
> [oauth_nonce] => a4889f1b1fe3ea860fb751b612552f5a
> [oauth_timestamp] => 1237906077\n
>
> [oauth_consumer_key] => robson\n
> [container] => robson\n
> [action] => listUser\n
> [opensocial_owner_id] => 3\n
> [opensocial_viewer_id] => 3\n
> [opensocial_app_id] => 1\n
>
> [oauth_token] => \n
> [xoauth_signature_publickey] => http:\/\/shindig\/public.cer\n
> [oauth_signature_method] => RSA-SHA1\n
> [oauth_signature] =>
> 1Gg1sFcVJKBOkuuFETlCeNarYCOGUb1\/omV5HokGpx9uS\/WyjB4L8I2AZBn2GMC53QjDBM9gdCV8E346GzEl2c1
>
> +VrH4045ou728yd8ihHQRVVg8482I1FN9y5uz1Ks3RBomBu+hoSQa5Z3qKcCIurLdpluQGhJLmnNFzH\/mVO0=\n
> [nocache] => 1237906077768\n
>
> [rawpost] => \n
> [oauth_validation] => Failed
>
>
> Just to re-check:
>
> a) pointing the browser to http://shindig/public.cer, gives me my public
> certificate, generated by openssl.
> b) changing the private_keyphrase on container.php gives me an error
> (expected, of course)
>
> Tks,
>
> -Robson
>
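
Added example, not part of the original message and not code from Shindig or the OAuth PHP library: a small OAuth 1.0 base-string builder showing how an empty HTTP method on the signing side and "GET" on the verifying side yield different strings, so an RSA-SHA1 signature over one cannot verify against the other. The function names and the `$strict` flag are hypothetical; the sample values are a subset of those in the debug dump above, and duplicate parameter names are assumed absent.

```php
<?php
// Added example; function names and the $strict flag are hypothetical.

// Percent-encode per OAuth 1.0 (RFC 3986 unreserved set; "~" stays literal).
function oauth_encode($s) {
    return str_replace('%7E', '~', rawurlencode($s));
}

// Build METHOD&URL&PARAMS. Assumes no duplicate parameter names.
function signature_base_string($http_method, $url, array $params, $strict = false) {
    if ($strict && trim($http_method) === '') {
        throw new InvalidArgumentException('HTTP method missing from base string');
    }
    unset($params['oauth_signature']);     // the signature is never part of its own input
    $encoded = array();
    foreach ($params as $name => $value) {
        $encoded[oauth_encode($name)] = oauth_encode($value);
    }
    ksort($encoded, SORT_STRING);          // sort by encoded parameter name
    $pairs = array();
    foreach ($encoded as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    return oauth_encode(strtoupper($http_method)) . '&'
         . oauth_encode($url) . '&'
         . oauth_encode(implode('&', $pairs));
}

// Sample request: URL and a subset of the values from the debug dump in the message.
$url = 'http://127.0.0.1/gadget/action.php';
$params = array(
    'nocache'                    => '1237906077768',
    'oauth_nonce'                => 'a4889f1b1fe3ea860fb751b612552f5a',
    'oauth_timestamp'            => '1237906077',
    'oauth_consumer_key'         => 'robson',
    'oauth_signature_method'     => 'RSA-SHA1',
    'xoauth_signature_publickey' => 'http://shindig/public.cer',
);

$signed_over   = signature_base_string('', $url, $params);    // signer passed "" as method
$verified_over = signature_base_string('GET', $url, $params); // verifier used REQUEST_METHOD
echo "signer:   ", substr($signed_over, 0, 45), "...\n";
echo "verifier: ", substr($verified_over, 0, 45), "...\n";
// RSA-SHA1 signs the SHA-1 digest of the base string; different digests cannot verify.
echo sha1($signed_over), "\n", sha1($verified_over), "\n";
try {
    signature_base_string('', $url, $params, true);           // strict mode rejects ""
} catch (InvalidArgumentException $e) { echo "strict: ", $e->getMessage(), "\n"; }
```

Logging both base strings side by side on a failed validation, as this does, separates a method or parameter mismatch from a key problem.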