makeRequest - Signed request cannot be verified because of base_string 
inconsistency
-----------------------------------------------------------------------------------

                 Key: SHINDIG-447
                 URL: https://issues.apache.org/jira/browse/SHINDIG-447
             Project: Shindig
          Issue Type: Bug
          Components: Common Components (PHP)
            Reporter: Karsten Beyer


When doing a signed request with makeRequest, the generated signature cannot be 
verified because different base_strings are used. 

I used the method described for Orkut 
(http://code.google.com/p/opensocial-resources/wiki/OrkutValidatingSignedRequests)
to verify the signature on the requested page. When logging the base_string on 
both sides, I detected that the signOwner and signViewer parameters are used 
for the base_string but are not part of the request that the proxy makes to the 
target page: 

base_string built by Shindig:
GET&http%3A%2F%2Fopensocialapps.kbsilver%2Flog.php&container%3Dazubister%26oauth_consumer_key%3Dnot%2520implemented%26oauth_nonce%3D68d2fedb1b405f426e0b5d6aa90893bb%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1215874245%26oauth_token%3D%26opensocial_app_id%3D25%26opensocial_owner_id%3DQ3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09%26opensocial_viewer_id%3DQ3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09%26signOwner%3Dtrue%26signViewer%3Dtrue%26synd%3Dazubister%26xoauth_signature_publickey%3Dhttp%253A%252F%252Fshindig.kbsilver%252Fpublic.crt

base_string built at the requested page:
GET&http%3A%2F%2Fopensocialapps.kbsilver%2Flog.php&container%3Dazubister%26oauth_consumer_key%3Dnot%2520implemented%26oauth_nonce%3D68d2fedb1b405f426e0b5d6aa90893bb%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1215874245%26oauth_token%3D%26opensocial_app_id%3D25%26opensocial_owner_id%3DQ3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09%26opensocial_viewer_id%3DQ3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09%26synd%3Dazubister%26xoauth_signature_publickey%3Dhttp%253A%252F%252Fshindig.kbsilver%252Fpublic.crt

Analyzing the $_GET parameters I get at the target leads to the same result. I 
do not know enough about the OAuth logic in Shindig, but I think either the 
signOwner and signViewer parameters need to be ignored when building the 
base_string for the signature or they need to be part of the request to the 
target page.



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
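The following is an added example, not code from the report or from Shindig. It reimplements the OAuth 1.0 signature base string rules (OAuth Core 1.0 section 9.1: RFC 3986 percent-encoding, parameters sorted by encoded name, method/URL/parameter string joined with '&') in Python and rebuilds both base strings quoted above from the parameter sets each side worked with. The parameter values are decoded from the report's own base strings; the assumption is that the signer's set is the full query Shindig signed over and the target's set is that same query minus signOwner and signViewer, which is what the $_GET analysis in the report describes. The diagnostic function lists exactly the parameters that were signed but never transmitted, which is the check to run whenever a signed request fails to verify.

```python
"""Reconstruct the two OAuth 1.0 signature base strings from SHINDIG-447 and
report which signed parameters never reached the target page."""
from urllib.parse import quote

# Values decoded from the signer-side base string in the report (constructed
# sample; "not implemented" is the literal consumer key the report shows).
SIGNED_PARAMS = {
    "container": "azubister",
    "oauth_consumer_key": "not implemented",
    "oauth_nonce": "68d2fedb1b405f426e0b5d6aa90893bb",
    "oauth_signature_method": "RSA-SHA1",
    "oauth_timestamp": "1215874245",
    "oauth_token": "",
    "opensocial_app_id": "25",
    "opensocial_owner_id": "Q3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09",
    "opensocial_viewer_id": "Q3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09",
    "signOwner": "true",
    "signViewer": "true",
    "synd": "azubister",
    "xoauth_signature_publickey": "http://shindig.kbsilver/public.crt",
}

# What the target page's $_GET contained: the same query without the two
# flags that control signing but are not forwarded (assumption drawn from the
# second base string in the report).
RECEIVED_PARAMS = {k: v for k, v in SIGNED_PARAMS.items()
                   if k not in ("signOwner", "signViewer")}

METHOD = "GET"
URL = "http://opensocialapps.kbsilver/log.php"

# The two base strings exactly as logged in the report, split only at the
# point where they differ, so they can serve as expected values.
_PREFIX = (
    "GET&http%3A%2F%2Fopensocialapps.kbsilver%2Flog.php&"
    "container%3Dazubister%26oauth_consumer_key%3Dnot%2520implemented"
    "%26oauth_nonce%3D68d2fedb1b405f426e0b5d6aa90893bb"
    "%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1215874245"
    "%26oauth_token%3D%26opensocial_app_id%3D25"
    "%26opensocial_owner_id%3DQ3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09"
    "%26opensocial_viewer_id%3DQ3czQ1B2SytHbVU0ZXJEOXRwOTJHdz09"
)
_FLAGS = "%26signOwner%3Dtrue%26signViewer%3Dtrue"
_SUFFIX = ("%26synd%3Dazubister%26xoauth_signature_publickey%3D"
           "http%253A%252F%252Fshindig.kbsilver%252Fpublic.crt")
SHINDIG_BASE_STRING = _PREFIX + _FLAGS + _SUFFIX
TARGET_BASE_STRING = _PREFIX + _SUFFIX


def oauth_encode(value: str) -> str:
    """Percent-encode per RFC 3986 as OAuth 1.0 requires: only the unreserved
    set (ALPHA, DIGIT, '-', '.', '_', '~') is left unencoded; '/' and ':' in
    URLs are encoded, which is why the URL appears as http%3A%2F%2F..."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """OAuth Core 1.0 section 9.1: upper-cased method, encoded URL and the
    encoded normalized parameter string, joined with '&'. Parameters are
    sorted by encoded name, then value; oauth_signature is never included
    in the string it signs. The normalized string is encoded a second time,
    which turns 'not%20implemented' into 'not%2520implemented'."""
    pairs = sorted((oauth_encode(k), oauth_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(url), oauth_encode(normalized)])


def signed_but_not_sent(signed: dict, received: dict) -> list:
    """Parameters the signer put into its base string that the verifier never
    received. Any non-empty result makes verification impossible regardless
    of the signature method or key."""
    return sorted(k for k in signed if k not in received)


def base_strings_match(signed: dict, received: dict,
                       method: str = METHOD, url: str = URL) -> bool:
    """Base strings are public input to the signature, so plain comparison
    is fine here; the key, not the base string, is the secret."""
    return (signature_base_string(method, url, signed)
            == signature_base_string(method, url, received))


if __name__ == "__main__":
    print("signer:  ", signature_base_string(METHOD, URL, SIGNED_PARAMS))
    print("verifier:", signature_base_string(METHOD, URL, RECEIVED_PARAMS))
    print("match:", base_strings_match(SIGNED_PARAMS, RECEIVED_PARAMS))
    print("signed but not sent:", signed_but_not_sent(SIGNED_PARAMS, RECEIVED_PARAMS))
```

Either of the two fixes the report proposes makes the strings equal: drop the signed-only keys before calling signature_base_string on the signer side, or forward them so that RECEIVED_PARAMS becomes identical to SIGNED_PARAMS. Of the two, forwarding is the safer one, because the verifier can then check what it sees rather than having to know which parameters the signer silently omitted.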
