invalid auth for online-account

Bug #1457298 reported by binsha on 2015-05-21
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
signon-plugin-oauth2 (Ubuntu)
Undecided
Unassigned

Bug Description

In order to launch authentication like most other accounts, yupoo need to register a new .provider file to Online accounts.

 But this XML-format file requires an standard-parameter request for authenticating and accessing token, including client_id, token_path and others, which doesn't match with the request format of yupoo.

Yupoo need to launch an auth with a link like http://www.yupoo.com/services/auth/?api_key=[api_key]&frob=[frob]&perms=[perms]&api_sig=[api_sig]. It is an non standard-format request and need additional parameter requests before accessing token. So we can hardly integrating the entire auth of yupoo into Online-accounts.

Shall we provide an more agile policy for configure when creating the .provide file?

Alberto Mardegan (mardy) wrote :

Hi! The signon-plugin-oauth only handles OAuth 1.0 and 2.0. Since yupoo uses its own non-standard authentication, you cannot use the signon-plugin-oauth with it.

You need to write a signon plugin specialized for yupoo. Unfortunately this is not well documented, but at least there are a few examples of signon plugins around.
The more complex is certainly signon-plugin-oauth, but here's a few simpler ones:

https://gitlab.com/accounts-sso/signon-plugin-digest
https://gitlab.com/accounts-sso/signon-plugin-sasl
(click on the "Files" tab on the left to see the project files)

I had a look at the yupoo documentation at http://dev.yupoo.com/apidoc2/www/ but since it's in Chinese, I didn't understand much about it. It appears that it all starts with this call (please correct me if I'm wrong):

http://www.yupoo.com/services/auth/?api_key=[api_key]&perms=[perms]&api_sig=[api_sig]

The above link should be opened in a web view, where the user will be asked to authenticate and authorize the app, and then it will be redirected to the callback url, which will have the "frob" appended in a query item. Is my understanding correct?
And, what do you need in order to generate the "api_sig"?

Alberto Mardegan (mardy) wrote :

The yupoo API looks very similar to the old Flickr API:
https://www.flickr.com/services/api/auth.spec.html

Can you please have a look and confirm if they use the same authentication method?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi:
yupoo auth could be simplified to the following:
* 1.retrieve frob through yupoo.auth.getFrob;
* 2. construct the link
"http://www.yupoo.com/services/auth/?api_key=[api_key]&frob=[frob]&perms=[perms]&api_sig=[api_sig]"
and then launch onto the webview;
* 3. access the token through yupoo.auth.getToken;

* api_sig is a signature used across all apis on yupoo(including
getToken). It is caculated by md5 using previous parameters plus
method name.
Thanks Alberto, I think it's a little bit complex and I'll check the
flickr.
On 2015年05月21日 16:13, Alberto Mardegan wrote:
> Hi! The signon-plugin-oauth only handles OAuth 1.0 and 2.0. Since
> yupoo uses its own non-standard authentication, you cannot use the
> signon- plugin-oauth with it.
>
> You need to write a signon plugin specialized for yupoo.
> Unfortunately this is not well documented, but at least there are a
> few examples of signon plugins around. The more complex is
> certainly signon-plugin-oauth, but here's a few simpler ones:
>
> https://gitlab.com/accounts-sso/signon-plugin-digest
> https://gitlab.com/accounts-sso/signon-plugin-sasl (click on the
> "Files" tab on the left to see the project files)
>
> I had a look at the yupoo documentation at
> http://dev.yupoo.com/apidoc2/www/ but since it's in Chinese, I
> didn't understand much about it. It appears that it all starts with
> this call (please correct me if I'm wrong):
>
> http://www.yupoo.com/services/auth/?api_key=[api_key]&perms=[perms]&api_sig=[api_sig]
>
> The above link should be opened in a web view, where the user will
> be asked to authenticate and authorize the app, and then it will be
> redirected to the callback url, which will have the "frob"H
> appended in a query item. Is my understanding correct? And, what do
> you need in order to generate the "api_sig"?
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVXaq6AAoJECfSBuGWom3jDxQIANfIHTInlAla+Z8DPAdu3ssi
Ilevm/qRLvbKhFPjEOKDXzAevepmqkXxwK2ReSRx1mUfUZ23MLdEhJcRGtLN2Gyi
xNJKr8xysMGYNRbepgb7sEn6+OGQpMcFGsYrrvw1cZH2jA8ksTaBav/jEY4GfwUI
mqMu7YZGtrYKBVBHgOOdiR1iIsOIy/gbRHGekWP5fZjNWXYScuh2O42Tht5AE7uq
2AKxjZmjUG+4/4Q0/+tu+BLE96FSbxzd63xJWg1Kxy1+0mKFgdOwh+9D8yFEIO13
qwr/fawsjSaloARt5pbEk7nXOtuyATdrYUUKN3Ho0ri+zGWA2v/C/DzmVnNdWDc=
=APEQ
-----END PGP SIGNATURE-----

binsha (bins-mail) wrote :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

flickr used the standard authentication implementation.

On 2015年05月21日 16:18, Alberto Mardegan wrote:
> The yupoo API looks very similar to the old Flickr API:
> https://www.flickr.com/services/api/auth.spec.html
>
> Can you please have a look and confirm if they use the same
> authentication method?
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVXfqAAAoJECfSBuGWom3jaGAIAIrdz6LCVLVaWBoqE/NJgbna
3AvQLfg5GnlStRHgQDNidKLBMx8D9sKrKwqnCTT2BpjVEhQUL+4yV6RhzTW3mpTn
/jWkRse78F2oG91sfwgCUWe1+Tqvh52j82DGUrcmNvmZvbzZLDl9eQfbPjczKvu2
45N8nWPYg+1P2pVTN2cJteKP5thEUYXEeDq8y4PehOfa7L3ZreUk92gHB+JqOq6v
eZKZHKyao4vPCAdWf9K4G3xCv56sijA7H/AxewjuovOM/ArCrbMX5ZscD2dA0+O1
HK8xKxpeN2olgW0AFb0XK44Bk8dsuIe+EU2S2+li67siUgHxbbPqa6WHLX3bm+M=
=6mTY
-----END PGP SIGNATURE-----

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers