OAuth fails if optional parameters oauth_nonce / oauth_timestamp are missing

Bug #1522297 reported by Robert Ancell
Affects                     Status     Importance  Assigned to  Milestone
Ratings and Reviews server  Won't Fix  Undecided   Unassigned
django-piston (Ubuntu)      New        Undecided   Unassigned

Bug Description

From RFC 5849:

3.1. Making Requests

...

   1. The client assigns value to each of these REQUIRED (unless
       specified otherwise) protocol parameters:

...

       oauth_timestamp
         The timestamp value as defined in Section 3.3. The parameter
         MAY be omitted when using the "PLAINTEXT" signature method.

       oauth_nonce
         The nonce value as defined in Section 3.3. The parameter MAY
         be omitted when using the "PLAINTEXT" signature method.

However, when connecting to reviews.ubuntu.com without these parameters set, the authorization fails.

Natalia Bidart (nataliabidart) wrote :

Hello Robert!

We highly discourage using PLAINTEXT signatures, SSO supports them only for backward compatibility with old clients. You should sign your requests with HMAC signatures.

Not sending the nonce and the timestamp makes the signed request less secure: if your SSL connection gets compromised somehow, your request is vulnerable to replay attacks. Are you using a third party library to sign your requests?

Thanks.

Changed in rnr-server:
status: New → Won't Fix
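The HMAC-SHA1 signing recommended above, together with the server-side oauth_nonce / oauth_timestamp replay check that is the reason those parameters matter, as an added example that is not part of the bug report or of the rnr-server or django-piston code. The credentials, the example.com URL, the 300-second window and all function names are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials, not real Ubuntu SSO or rnr-server values.
CONSUMER_KEY, CONSUMER_SECRET = "example-consumer", "consumer-secret"
TOKEN, TOKEN_SECRET = "example-token", "token-secret"
REPLAY_WINDOW = 300  # assumed clock-skew tolerance in seconds

def enc(s):
    """RFC 5849 section 3.6 percent-encoding: only A-Za-z0-9-._~ stay unencoded."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Section 3.4.1: METHOD & enc(url) & enc(sorted normalized parameters).
    params is a dict, so duplicate parameter names are not modelled."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def hmac_sha1(method, url, params):
    """Section 3.4.2: HMAC-SHA1 keyed with enc(consumer secret) & enc(token secret)."""
    key = f"{enc(CONSUMER_SECRET)}&{enc(TOKEN_SECRET)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_request(method, url, params, nonce, timestamp):
    """Client side: add the protocol parameters, nonce and timestamp included, then sign."""
    p = dict(params, oauth_consumer_key=CONSUMER_KEY, oauth_token=TOKEN,
             oauth_signature_method="HMAC-SHA1", oauth_nonce=nonce,
             oauth_timestamp=str(timestamp))
    p["oauth_signature"] = hmac_sha1(method, url, p)
    return p

def verify_request(method, url, params, seen, now):
    """Server side: check the signature, then refuse stale or replayed requests.
    `seen` is the server's store of accepted (consumer key, nonce, timestamp); `now` is its clock."""
    if "oauth_nonce" not in params or "oauth_timestamp" not in params:
        return "rejected: nonce and timestamp are required with HMAC-SHA1"
    expected = hmac_sha1(method, url, params).encode()
    if not hmac.compare_digest(str(params.get("oauth_signature", "")).encode(), expected):
        return "rejected: bad signature"
    ts = int(params["oauth_timestamp"])
    if abs(now - ts) > REPLAY_WINDOW:  # a stale request is rejected even with a fresh nonce
        return "rejected: timestamp outside replay window"
    marker = (params["oauth_consumer_key"], params["oauth_nonce"], ts)
    if marker in seen:  # same nonce already accepted for this consumer: a replay
        return "rejected: replayed nonce"
    seen.add(marker)
    return "ok"
```

Without the nonce and timestamp a captured request verifies identically every time it is resent, which is the replay risk the comment above describes.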