possible to add params to header ? #125
Comments
There is currently no easy way to add extra parameters to the authorization headers in OAuth 1 or 2. What is your use case? Do you use OAuth 1 or 2? For 2 I don't think Bearer tokens usually have parameters, although there is nothing stopping you from embedding it into the token itself (e.g. JWT).

@ib-lundgren

Adding custom parameters makes more sense in OAuth1 and we could probably do that. I am not familiar with oauth_body_hash but guessing from the name they add a custom integrity protecting param which is a hash over the request body. Is the provider public? Would be nice to look into their docs.

@ib-lundgren

Cheers, will look into their docs to see if there are more things missing but the oauth_body_hash should be no problem to add. It is a reasonable addition to the spec but will have a think about whether to include it directly in OAuthlib or as a provider specific workaround with a custom client here. I have a ton of issues/PRs to get through since exams sucked my time the last two months but stay tuned for this feature in the coming week. I don't have any master pass account so will likely need your help testing it out :)

Thanks @ib-lundgren

Not sure I'd go as far as calling it a fix but if you want to start experimenting then
This will add oauth_body_hash (SHA1 signature of body text) but I've not looked into what else might be required by masterpass yet.

Thanks for taking your time with this @ib-lundgren. I then tried writing this function

Ah the hash is base64 encoded and not hex, my bad. Are you using that code to replace

@ib-lundgren yes, I have tried to replace the code on the digest var in your code,

@ib-lundgren the request.body in get_auth_params seems to be empty when calling

Hrm, will look into the body being empty. Sounds like the body is not propagated properly, maybe I am using the wrong attribute on the requests.request object.
…y parameter in OAuth 1 auth and session. CC #125.
Forgot that Would you mind checking out newest master and trying

Yes the body is now included in the request, and it seems to pass the auth_body_hash just fine.

Hrm, tricky since it can be a number of things and for security reasons they can't really help out with a more detailed error message. After skimming their docs the only thing that pops out is that the token should not be sent in the request. Or at least not in "postback" but possibly in "shopping cart", not sure what you are calling. Could you check whether that is the case?
If you have time, enable oauthlib logging, scrub and paste the output here
Here is the relevant code with the request headers and the log info.

```python
import xml.etree.ElementTree as ET

from requests_oauthlib import OAuth1Session

# BodyHashClient is the custom client from earlier in the thread (not shown here).


def get_credentials():
    oauth = OAuth1Session(
        consumer_key,
        signature_method='RSA-SHA1',
        signature_type='auth_header',
        rsa_key=key,
        callback_uri=callback_uri
    )
    return oauth.fetch_request_token(request_token_url,
                                     realm=['eWallet'])


def get_session(credentials):
    # Fetches a fresh request token, replacing the argument passed in.
    credentials = get_credentials()
    return OAuth1Session(
        consumer_key,
        signature_method='RSA-SHA1',
        signature_type='auth_header',
        rsa_key=key,
        callback_uri=callback_uri,
        resource_owner_key=credentials['oauth_token'],
        client_class=BodyHashClient,
        force_include_body=True
    )


credentials = get_credentials()  # this returns the credentials fine

# xml body
root = ET.fromstring(shopping_cart_xml)
root.find('OAuthToken').text = credentials['oauth_token']
xml = ET.tostring(root, encoding="utf8", method="xml")
oauth = get_session(credentials)
resp = oauth.post(url=shopping_cart_url, data=xml)
print(resp.request.headers)
```

{
'Accept': '*/*',
'Content-Length': u'620',
'Accept-Encoding': 'gzip, deflate, compress',
'Authorization': 'OAuth oauth_nonce="170519491205601708881401969266", oauth_timestamp="1401969266", oauth_version="1.0", oauth_signature_method="RSA-SHA1", oauth_consumer_key="QAJO-UfhDtTLsUkuOJXyks6gEc4v0ueowUscPisU5e403949%216337436d383951652b5069627a47417354566c6a76773d3d", oauth_token="6fb931022e7c85c1b50b71305f46b503", oauth_callback="https%3A%2F%2Flocalhost%3A8080%2Fmerchant%2Fcallback", oauth_body_hash="koQbcXP2tl7Qky41npp27kI4Bf8%3D", oauth_signature="jDu4a6EBOl5CTXf9cl3axIjjz%2BlF%2FKcap6CBgnZ3dtDT3RhEzwqzXVXUTX4kE8xRVVMHwMVndansZ3KSe%2FDBty0iIrK0HWaHdiUCZqxjm3sj4uM7jspJS20RSTRp%2BZmuUwSWLlRrmkZROXfO1e3psHvZIKypNt72YGgyQcC%2B5QwWsRWkwwr4uzVumiQVCy5GqfL70s4RWrk510Zfc8H5SJIETzYbf%2BQU4CQq2HOXJDD4QQBd830Q%2B%2FaX%2BymE2DkxffiDBob3uA34tXAw0gey3g%2FKkaCrpQHTLNwulQAhS095iWQu8kuJlWSvTvQ6khqLpwmcsdVkFi9Swqek8kr9zA%3D%3D"', 'User-Agent': 'python-requests/2.0.1 CPython/2.7.5+ Linux/3.11.0-22-generic'
}
print(resp.text)
log info

Thanks. The fact that you can get credentials rules out issues with your ID/keys and everything points towards something wrong with how the hash is integrated. Which is a bit odd since the base string looks ok. I will look at their Java SDK and see if I can figure out where the mismatch is.

Looked a bit closer at the base signing string now and a few things popped out
Try changing to

Thanks @ib-lundgren, many thanks for your help

Great :) Their little checklist for 500 errors just mentions
Are you setting content type to xml? e.g. "application/xml"?
Does not seem like it from the log above and looks like they require it.

Thanks for the reminder

Turns out there was a problem with the encoding of the xml, was using "utf8" instead of "UTF-8".
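The two details this thread turned on, shown as an added example that is not part of the original thread or of requests-oauthlib: the oauth_body_hash value is the base64 (not hex) form of the SHA-1 digest of the raw body, and the encoding label passed to `ET.tostring` changes the serialized bytes and therefore the hash. `SAMPLE_XML` and the function names are constructed for illustration; only the `OAuthToken` element name comes from the thread.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample body (assumption); only OAuthToken appears in the thread.
SAMPLE_XML = ("<ShoppingCartRequest><OAuthToken>PLACEHOLDER</OAuthToken>"
              "</ShoppingCartRequest>")


def body_hash(body: bytes) -> str:
    """base64 of the SHA-1 digest of the exact bytes that will be sent."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


def hex_hash(body: bytes) -> str:
    """The hex form tried first in the thread; not what the header carries."""
    return hashlib.sha1(body).hexdigest()


def header_value(body: bytes) -> str:
    """Percent-encode the hash as it appears in the Authorization header."""
    return quote(body_hash(body), safe="")


def serialize(root: ET.Element, encoding: str) -> bytes:
    """Serialize the way the thread's code does, with a given encoding label."""
    return ET.tostring(root, encoding=encoding, method="xml")


def compare_encodings() -> dict:
    """Return {label: (body bytes, body hash)} for both spellings."""
    root = ET.fromstring(SAMPLE_XML)
    results = {}
    for label in ("utf8", "UTF-8"):
        body = serialize(root, label)
        results[label] = (body, body_hash(body))
    return results


if __name__ == "__main__":
    print("hex   :", hex_hash(b"Hello World!"))
    print("base64:", body_hash(b"Hello World!"))
    print("header:", header_value(b"Hello World!"))
    for label, (body, digest) in compare_encodings().items():
        # Same element tree, different bytes on the wire, different hash.
        print(label, body[:40], digest)
```

The hash has to be computed over exactly the bytes handed to `data=`, so the body should be serialized once and that same byte string used for both hashing and sending.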
Like I have to add body_hash_tag in the authorization header, but I can't seem to find a legit way to do it.
Is it not possible with this library?