OAUTH server ignores first element in header (rather than realm key)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Fix Released | High | Martin Pool | |
python-oauth (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
Workaround:
Use an oauth library that allows placing 'realm' or some other ignorable field as the first element in Authorization:
Impact:
Authenticated 3rd party API clients are hard to write because Launchpad's server side is not HTTP conformant.
Symptoms:
Please note that in the first example the consumer is "None", whereas when a dummy key is added, the consumer is successfully recognized.
Max
```
openssl s_client -connect api.launchpad.
[...]
GET /beta/ HTTP/1.1
Host: api.launchpad.net
Authorization: OAuth oauth_consumer_
HTTP/1.1 401 Unauthorized
Date: Tue, 27 Jan 2009 09:49:08 GMT
Server: zope.server.http (HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
X-Lazr-Oopsid: OOPS-1123H722
Content-Type: text/plain
Content-Length: 24
Via: 1.1 wildcard.
Unknown consumer (None).
DONE
---
openssl s_client -connect api.launchpad.
[...]
GET /beta/ HTTP/1.1
Host: api.launchpad.net
Authorization: OAuth dummy="bla", oauth_consumer_
HTTP/1.1 401 Unauthorized
Date: Tue, 27 Jan 2009 09:50:25 GMT
Server: zope.server.http (HTTP)
X-Powered-By: Zope (www.zope.org), Python (www.python.org)
X-Lazr-Oopsid: OOPS-1123C781
Content-Type: text/plain
Content-Length: 32
Via: 1.1 wildcard.
Unknown consumer (just+testing).
DONE
```
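The behaviour reported above, as an added example (not Launchpad's or python-oauth's code): a parser that discards the first header element by position, next to one that discards only the `realm` key. The function names and the sample headers are constructed for illustration.

```python
from urllib.parse import unquote

def _pairs(header):
    """Split 'OAuth k="v", k2="v2"' into an ordered list of (key, value)."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth Authorization header")
    pairs = []
    # Assumption: values are percent-encoded, so a bare ',' only separates items.
    for item in rest.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue  # skip empty or malformed items
        pairs.append((key.strip(), unquote(value.strip().strip('"'))))
    return pairs

def parse_positional(header):
    """Symptom in this report: the first element is dropped, whatever it is."""
    return dict(_pairs(header)[1:])

def parse_by_key(header):
    """Drop only the element whose key is 'realm', wherever it appears."""
    return {k: v for k, v in _pairs(header) if k.lower() != "realm"}

def consumer(parser, header):
    """Consumer key the server would look up after parsing."""
    return parser(header).get("oauth_consumer_key")

# Constructed sample headers (not the requests from the report).
_PARAMS = ('oauth_consumer_key="example-app", oauth_token="", '
           'oauth_signature_method="PLAINTEXT"')
NO_REALM = "OAuth " + _PARAMS
DUMMY_FIRST = 'OAuth dummy="bla", ' + _PARAMS
REALM_FIRST = 'OAuth realm="https://api.example.test/", ' + _PARAMS
REALM_LAST = "OAuth " + _PARAMS + ', realm="https://api.example.test/"'

if __name__ == "__main__":
    for name in ("NO_REALM", "DUMMY_FIRST", "REALM_FIRST", "REALM_LAST"):
        h = globals()[name]
        print(f"{name:12} positional={consumer(parse_positional, h)!r} "
              f"by_key={consumer(parse_by_key, h)!r}")
```

The positional parser only finds the consumer when something ignorable happens to come first, which matches the workaround in the description; it also lets a trailing `realm` through as if it were a protocol parameter.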
Related branches
- Robert Collins (community): Approve
- Diff: 72 lines (+35/-3), 2 files modified
  - lib/canonical/launchpad/webapp/tests/test_authentication.py (+27/-0)
  - lib/contrib/oauth.py (+8/-3)
Changed in launchpad-foundations:
- importance: Undecided → Low
- summary: "API: Authorization header ignores first key" → "OAUTH server ignores first element in header (rather than realm key)"

Changed in launchpad:
- status: Fix Committed → Fix Released

Changed in launchpad:
- milestone: none → 11.01
How did you send the request?