[Standards] oauth signature

Seth Fitzsimmons seth at mojodna.net
Sun Feb 15 18:54:05 UTC 2009


No, it's not.  Good catch.

The sample stanza has a signature of
"wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D" (which shouldn't be escaped, but is
still wrong).

The signature base string is correct (although Fire Eagle's
implementation requires bare JIDs).  The calculated signature
("Z0F5zmPWwbunk5dc2hNBn1NgBj4=") is also wrong (it should match the
example stanza).

The correct signature should be: 9PQkM4YKgaM067wqrDGshXOwDW0=

I know of 2 other client implementations in-progress, but no other
servers at the moment.

This was calculated using my fork of the OAuth gem
(github.com/mojodna/oauth - `sudo gem install mojodna-oauth`):

oauth --consumer-key 0685bd9184jfhq22 \
--consumer-secret consumersecret \
--token ad180jjd733klru7 \
--secret tokensecret \
--nonce 4572616e48616d6d65724c61686176 \
--timestamp 1218137833 \
--signature-method HMAC-SHA1 \
--uri "travelbot@findmenow.tld/bot&feeds.worldgps.tld" \
--xmpp \
debug

The output was:
OAuth parameters:
  oauth_nonce: 4572616e48616d6d65724c61686176
  oauth_signature_method: HMAC-SHA1
  oauth_token: ad180jjd733klru7
  oauth_timestamp: 1218137833
  oauth_consumer_key: 0685bd9184jfhq22
  oauth_version: 1.0

Method: iq
URI: travelbot@findmenow.tld/bot&feeds.worldgps.tld
Signature base string:
iq&travelbot%40findmenow.tld%2Fbot%26feeds.worldgps.tld&oauth_consumer_key%3D0685bd9184jfhq22%26oauth_nonce%3D4572616e48616d6d65724c61686176%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1218137833%26oauth_token%3Dad180jjd733klru7%26oauth_version%3D1.0

XMPP Stanza:
  <oauth xmlns='urn:xmpp:tmp:oauth'>
    <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key>
    <oauth_token>ad180jjd733klru7</oauth_token>
    <oauth_signature_method>HMAC-SHA1</oauth_signature_method>
    <oauth_signature>9PQkM4YKgaM067wqrDGshXOwDW0=</oauth_signature>
    <oauth_timestamp>1218137833</oauth_timestamp>
    <oauth_nonce>4572616e48616d6d65724c61686176</oauth_nonce>
    <oauth_version>1.0</oauth_version>
  </oauth>

Note: You may want to use bare JIDs in your URI.

Signature:         9PQkM4YKgaM067wqrDGshXOwDW0=
Escaped signature: 9PQkM4YKgaM067wqrDGshXOwDW0%3D

I hope this helps.
seth

On Sun, Feb 15, 2009 at 10:31 AM, Fabio Forno <fabio.forno at gmail.com> wrote:
> Is the OAuth signature in XEP 235 actually calculated with the given
> values (and all escaping correct)? I'm trying to implement it and I
> get different values, while I can reproduce the signature of the main
> OAuth specs.
>
> Besides Fire Eagle, are there any other services for testing it?
>
> --
> ff
>
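
An added example (not part of the original message, and not the OAuth gem's code): the calculation reported by the `oauth ... debug` run above, reimplemented in plain Ruby so that escaping, parameter ordering, key construction and the HMAC-SHA1 step can each be checked on their own, plus a server-side check that rejects the escaped form of a signature. The helper names are this example's own; it assumes the signing key is the escaped consumer secret and token secret joined by `&`, as in OAuth 1.0 HMAC-SHA1.

```ruby
require 'openssl'

# Percent-encode everything outside the RFC 3986 unreserved set (uppercase hex).
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Base string: method & URI & sorted "key=value" pairs, each part escaped.
def signature_base_string(method, uri, params)
  pairs = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }.sort
  normalized = pairs.map { |k, v| "#{k}=#{v}" }.join('&')
  [method, uri, normalized].map { |part| oauth_escape(part) }.join('&')
end

# HMAC-SHA1 keyed with "consumer_secret&token_secret" (assumption), base64, no newlines.
def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base_string)].pack('m0')
end

# Constant-time comparison so verification does not leak a matching prefix.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The stanza carries raw base64, so an escaped value ("...%3D") fails the check.
def valid_stanza_signature?(presented, method, uri, params, consumer_secret, token_secret)
  base = signature_base_string(method, uri, params)
  secure_equal?(hmac_sha1_signature(base, consumer_secret, token_secret), presented)
end

# Parameter values, URI and posted signature are taken from the message above.
PARAMS = {
  'oauth_consumer_key' => '0685bd9184jfhq22',
  'oauth_token' => 'ad180jjd733klru7',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp' => '1218137833',
  'oauth_nonce' => '4572616e48616d6d65724c61686176',
  'oauth_version' => '1.0'
}.freeze
JID_URI = 'travelbot@findmenow.tld/bot&feeds.worldgps.tld'
POSTED_SIGNATURE = '9PQkM4YKgaM067wqrDGshXOwDW0='

base = signature_base_string('iq', JID_URI, PARAMS)
computed = hmac_sha1_signature(base, 'consumersecret', 'tokensecret')
puts "computed signature: #{computed}"
puts "matches posted value: #{secure_equal?(computed, POSTED_SIGNATURE)}"
```

If the base string matches the debug output but the signature does not, the difference is in the key: check the secrets and how they are escaped and joined.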


