“无效签名”:带有 Django-piston 的 oAuth 提供程序
我正在与 django-piston 合作尝试创建一个支持 oAuth 的 API。
我开始使用以下教程:
http://blog .carduner.net/2010/01/26/django-piston-and-oauth/
我向活塞的管理界面添加了一个消费者,其密钥和秘密均设置为“abcd”以进行测试。
URL 已成功连接并调用 oAuth 提供程序。
但是,使用 Tripit 运行我的获取请求令牌测试 (python get_request_token.py "http://127.0.0.1:8000/ api" abcd abcd),我收到以下错误:
签名无效。预期签名 基本字符串: GET&http%3A%2F%2F127.0.0.1%3A8000%2Fapi%2Foauth%2Frequest_token%2F&oauth_consumer_key%3Dabcd%26oauth_nonce%3D0c0bdded5b1afb8eddf94f7ccc672658%26oauth_signature_method%3 DHMAC-SHA1%26oauth_timestamp%3D1275135410%26oauth_version%3D1.0
问题似乎位于 Piston 的 oauth.py 的 _check_signature 方法中,其中
valid_sig = signature_method.check_signature(oauth_request, consumer, token, signature)
返回 false。但是,我无法弄清楚如何验证签名。
有什么想法吗?
更新:
如果我从活塞的后端删除测试消费者,返回的响应将正确设置为“无效消费者”,因此此查找似乎有效。
I'm working with django-piston to attempt to create an API that supports oAuth.
I started out using the tutorial at:
http://blog.carduner.net/2010/01/26/django-piston-and-oauth/
I added a consumer to piston's admin interface with key and secret both set to "abcd" for test purposes.
The urls are successfully wired-up and the oAuth provider is called.
However, running my get request token tests with tripit (python get_request_token.py "http://127.0.0.1:8000/api" abcd abcd), I receive the following error:
Invalid signature. Expected signature
base string:
GET&http%3A%2F%2F127.0.0.1%3A8000%2Fapi%2Foauth%2Frequest_token%2F&oauth_consumer_key%3Dabcd%26oauth_nonce%3D0c0bdded5b1afb8eddf94f7ccc672658%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1275135410%26oauth_version%3D1.0
The problem seems to lie inside the _check_signature method of Piston's oauth.py, where
valid_sig = signature_method.check_signature(oauth_request, consumer, token, signature)
is returning false. I can't, however, work out how to get the signature validated.
Any ideas?
Update:
If I remove the test consumer from piston's backend, the response returned is correctly set to "Invalid consumer", so this lookup appears to be working.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我找到的最终答案是将 oauth_consumer 的工作副本安装到应用程序目录中。一旦我将我的消费者添加到这个应用程序中,一切都会按预期进行。
The eventual answer I found was to install a working copy of oauth_consumer into the application directory. Once I had added my consumer inside this application, everything worked as expected.
@Ricardo 和任何其他遇到此错误问题的人(对“答案”感到抱歉,到目前为止我还没有评论),我能够通过遵循活塞代码中提供的测试用例生成我的签名来避免此错误。示例:
从这里开始,只需在浏览器中使用这些参数,例如
http://localhost:8000/api/oauth/request_token/?oauth_nonce=64379482&oauth_timestamp=1297147940&oauth_consumer_key=8aZSFj3W54h8J8sCpx&oauth_signature_method=HMAC-SHA1&oauth_version=1 .0&oauth_signature=kGSLCZjYzAHXsa8f9sL52Kq1F2w=
生成“oauth_token_secret=37VZKRV3fXRLAw5tekZD2bwnMhXqGwgx&oauth_token=LRnexBGTNC4nDXpv9M&oauth_callback_confirmed=true”,
正如 Martin 指出的,在示例代码或 URL 中省略“/”将使签名“无效”。
@Ricardo and anyone else having problems with this error (sorry for the "answer", I don't have commenting as of yet), I was able to avoid this error by generating my signature from following the test cases provided in piston's code. Example:
From here, just use these parameters in a browser e.g.
http://localhost:8000/api/oauth/request_token/?oauth_nonce=64379482&oauth_timestamp=1297147940&oauth_consumer_key=8aZSFj3W54h8J8sCpx&oauth_signature_method=HMAC-SHA1&oauth_version=1.0&oauth_signature=kGSLCZjYzAHXsa8f9sL52Kq1F2w=
Which generates "oauth_token_secret=37VZKRV3fXRLAw5tekZD2bwnMhXqGwgx&oauth_token=LRnexBGTNC4nDXpv9M&oauth_callback_confirmed=true"
As Martin pointed out, leaving out a "/" in either the sample code or the URL will render the signature "invalid".