OAuth 问题，POST 带参数 [英] Problem with OAuth, POST with parameters

问题描述

我正在使用 Jon Crosby 的开源 Objective-C OAuth 库 http://code.google.com/p/oauthconsumer/ 用于一些不处理令牌的基本 http 身份验证，只处理消费者密钥和消费者秘密.我的代码非常适用于 GET、带有 URL 参数的 GET 和 POST.但是，当我发出在 URL 中有参数的 POST 请求时，该请求未通过授权.我想弄清楚为什么.

I'm using Jon Crosby's open source Objective-C OAuth library http://code.google.com/p/oauthconsumer/ for some basic http authentication that does not deal with tokens, only consumer key and consumer secret. My code works great for GET, GET with parameters in the URL, and POST. When I issue a POST request that has parameters in the URL, though, the request fails authorization. I'm trying to figure out why.

服务器正在使用 Apache Commons OAuth，因此我想将我的基本字符串与该库进行比较.这是一个人为的示例以及我的库生成的基本字符串和签名.谁能看出问题是什么?

The server is using Apache Commons OAuth, so I'd like to compare my base string with that library. Here's a contrived example and the base string and signature produced by my library. Can anyone see what the problem is?

consumer key:    abcdef
consumer secret: ghijkl
POST request:    http://emptyrandomhost.com/a/uriwith/params?interesting=foo&prolific=bar
my base string:  POST&http%3A%2F%2Femptyrandomhost.com%2Fa%2Furiwith%2Fparams&interesting%3Dfoo%26oauth_consumer_key%3Dabcdef%26oauth_nonce%3D1%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D2%26oauth_version%3D1.0%26prolific%3Dbar

此数据产生以下 OAuth 标头授权:

This data produces the following OAuth header authorization:

Authorization: OAuth oauth_consumer_key="abcdef", 
                     oauth_version="1.0", 
                     oauth_signature_method="HMAC-SHA1", 
                     oauth_timestamp="2", 
                     oauth_nonce="1", 
                     oauth_signature="Z0PVIz5Lo4eB7aZFT8FE3%2FFlbz0%3D"

显然我的签名是错误的.问题要么出在基本字符串的构造中，要么出在 HMAC-SHA1 函数的实现方式中(使用来自 CommonHMAC.h 的 Apple 的 CCHmac，所以希望不是这样)，或者出在我的 Base64Transcoder 上，它是开源 C.2003 年，Jonathan Wight/Toxic Software.我主要怀疑基本字符串，因为请求适用于 GET 和 POST，并且仅在使用上述 URL 参数的 POST 时失败.

And apparently my signature is wrong. The problem has to either be in the construction of the base string, in the way that the HMAC-SHA1 function is implemented (using Apple's CCHmac from CommonHMAC.h, so hopefully this isn't it), or with my Base64Transcoder, which is open source c. 2003 by Jonathan Wight/Toxic Software. I primarily suspect the base string, since the requests work for GET and POST and only fail with POST with URL parameters as above.

有很多 OAuth 经验的人能发现上面的问题吗?其他非常有用的是 Apache Commons OAuth 在其身份验证中生成的基本字符串.谢谢.

Can someone with lots of OAuth experience spot the problem above? Something else that would be very useful is the base string that is produced by Apache Commons OAuth in their authentication. Thanks.

推荐答案

您可以在此 URL 上构建和直观地检查您的请求:

you can build and check visually your request at this URL:

http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests/

打开由 [+] 符号表示的框并填写您的值，这样您就可以查看问题是出在您的代码还是出在提供者端.

Open the boxes denoted by [+] signs and fill in your values, that way you may be able to see if the problem is at your code, or at the provider side.

这篇关于OAuth 问题，POST 带参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！