LinkedIn OAuth Authentication Issues

I am working on the LinkedIn library for my client, and I have problems getting some of the puzzle permissions. I used the OAuth library on RIAForge and rewrote everything to use script-based CFCs in CF9 and MXUnit tests. When I try to create an OAuth signature using the HMAC-SHA1 algorithm, I can never match what LinkedIn is looking for. Here is my method for signing my request:

    public void function signRequest(any req){
        var params = Arguments.req.getAllParameters();
        var secret = "#Variables.encoder.parameterEncodedFormat(getConsumer().getConsumerSecret())#&#Variables.encoder.parameterEncodedFormat(Arguments.req.getOAuthSecret())#";
        var base = '';

        params = Variables.encoder.encodedParameter(params, true, true);
        secret = JavaCast('string', secret).getBytes();

        local.mac = createObject('java', 'javax.crypto.Mac').getInstance('HmacSHA1');
        local.key = createObject('java', 'javax.crypto.spec.SecretKeySpec').init(secret, local.mac.getAlgorithm());

        base = reReplaceNoCase(Arguments.req.getRequestUrl(), 'http[s]?://', '/');
        params = listSort(params, 'text', 'asc', '&');
        base = JavaCast('string', "#base#&#params#").getBytes();

        local.mac.init(local.key);
        local.mac.update(base);

        Arguments.req.addParameter('oauth_signature', toBase64(mac.doFinal()), true);
    }

The problem, I believe, is the secret key for encryption. I compared the base line with LinkedIn's OAuth testing tool, http://developer.linkedinlabs.com/oauth-test/, and it works fine, so the key used for encryption should be a problem. I don't have an OAuth token key yet, so my secret is like fdsa43fdsa3j&. Is this what it should be, or should the ampersand be encoded in the end, or something else?

Correct method

    public void function signRequest(any req){
        var params = Arguments.req.getAllParameters();
        // Signing key: encoded consumer secret, a literal "&", encoded token secret
        var secret = "#Variables.encoder.parameterEncodedFormat(getConsumer().getConsumerSecret())#&#Variables.encoder.parameterEncodedFormat(Arguments.req.getOAuthSecret())#";
        var base = '';

        params = Variables.encoder.encodedParameter(params, true, true);
        secret = toBinary(toBase64(secret));

        local.mac = createObject('java', 'javax.crypto.Mac').getInstance('HmacSHA1');
        local.key = createObject('java', 'javax.crypto.spec.SecretKeySpec').init(secret, local.mac.getAlgorithm());

        // Base string: METHOD & encoded URL & encoded, sorted parameter string
        base = "#Arguments.req.getMethod()#&";
        base = base & Variables.encoder.parameterEncodedFormat(Arguments.req.getRequestUrl());
        params = listSort(params, 'text', 'asc', '&');
        base = "#base#&#Variables.encoder.parameterEncodedFormat(params)#";

        local.mac.init(local.key);
        local.mac.update(JavaCast('string', base).getBytes());

        //writeDump(toString(toBase64(mac.doFinal()))); abort;
        Arguments.req.addParameter('oauth_signature', toString(toBase64(mac.doFinal())), true);
    }
1 answer

Ben Nadel has an example for using OAuth to connect to Twilio. The main difference between your signature code and his is that he uses some encodings when setting up his SecretKeySpec.

Here is the corresponding snippet from his post:

 <cfset secretKeySpec = createObject( "java", "javax.crypto.spec.SecretKeySpec" ).init( toBinary( toBase64( twilioAuthKey ) ), "HmacSHA1" ) /> 

Source: https://habr.com/ru/post/1399918/
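
An independent reference for cross-checking the signature discussed in the question and answer above, as an added Python example that is not part of the original posts or the RIAForge library: it builds the RFC 5849 signing key and signature base string, then signs with HMAC-SHA1. The URL and parameter values are constructed placeholders, the function names are this example's own, and the URL is assumed to be already normalized with no query string.

```python
"""Added example: OAuth 1.0a HMAC-SHA1 signing (RFC 5849) for cross-checking."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct_encode(value: str) -> str:
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(str(value), safe="-._~")


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    # The "&" joining the two encoded secrets is literal and always present,
    # so with no token secret yet the key simply ends in "&".
    return pct_encode(consumer_secret) + "&" + pct_encode(token_secret)


def base_string(method: str, url: str, params: dict) -> str:
    # Assumption: url is already normalized and carries no query string;
    # params must not include oauth_signature itself.
    pairs = sorted((pct_encode(k), pct_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Three parts joined by "&": METHOD, encoded URL, encoded parameter string.
    # The parameter string is encoded a second time here, so "%20" -> "%2520".
    return "&".join([method.upper(), pct_encode(url), pct_encode(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    key = signing_key(consumer_secret, token_secret).encode("utf-8")
    msg = base_string(method, url, params).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # Constructed sample request; URL and parameter values are placeholders.
    url = "https://api.example.com/request_token"
    params = {"oauth_nonce": "n1", "oauth_consumer_key": "ck", "scope": "a b"}
    print(signing_key("fdsa43fdsa3j"))         # key before any token exists
    print(base_string("post", url, params))    # compare with the test tool
    print(sign("post", url, params, "fdsa43fdsa3j"))
```

Printing the key and base string separately lets each be compared against a provider's test tool before the HMAC step, which isolates whether a mismatch comes from the key or from the base string.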

