{"id":683,"date":"2009-12-27T12:24:49","date_gmt":"2009-12-27T16:24:49","guid":{"rendered":"http:\/\/www.dr-chuck.com\/wordpress\/?p=683"},"modified":"2011-12-17T12:31:39","modified_gmt":"2011-12-17T16:31:39","slug":"repost-from-the-ims-developers-forum","status":"publish","type":"post","link":"https:\/\/www.dr-chuck.com\/csev-blog\/2009\/12\/repost-from-the-ims-developers-forum\/","title":{"rendered":"Repost: From the IMS Developer’s Forum"},"content":{"rendered":"

This is a repost from the IMS Developer’s forum<\/a> – I forgot to put this in my own blog.<\/p>\n

\nPossible issues with the OAuth C# library. I was working with some folks on C# Basic LTI and came across a seeming interoperability. Here is the discussion:<\/p>\n

\nI looked at the Java Implementations and the PHP implementation and both seem to go to some length *to* double URL-encode the signature string. The PHP code interoperates with the Java code as distributed.<\/p>\n

\nThis results in the base signature string having %2520 where there are spaces. Which looks like a mistaken double-encode – but I think that it is an intentional double encode.<\/p>\n

\nIf you look at this page (broken into multiple lines to enhance readiblilty)<\/p>\n

\nhttp:\/\/hueniverse.com\/2008\/10\/beginners-guide-to-oauth-part-iv-signing-requests\/<\/a><\/p>\n

\nAfter you pick “Non-URL Safe Parameter” expand the little + signs and follow it through – it ends up with a base string that includes a %2520:<\/p>\n

\nGET&http%3A%2F%2Fphotos.example.net%3A8001%2FPhotos&oauth_consumer_key
\n%3Ddpf43f3%252B%252Bp%252B%25232l4k3l03%26oauth_nonce
\n%3Dkllo~9940~pd9333jh%26oauth_signature_method%3DHMAC-SHA1
\n%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d
\n%25280%25290sl2jdk%26oauth_version%3D1.0%26photo%2520<\/b>size%3D300%2525
\n%26title%3DBack%2520<\/b>of%2520%2524100%2520<\/b>Dollars%2520Bill<\/p>\n

\nAs I look at the sample Java code below – it is effectively double encoding very much on purpose.<\/p>\n

\nSo far, this suggests that it is *correct* when spaces turn into %2520 in the pre-signature string instead of %20. So I am thinking that the the sample VB.NET code from oauth.net *might* be wrong.<\/p>\n

\nSample Java code<\/p>\n

\r\npublic static String getBaseString(OAuthMessage message)\r\n            throws IOException, URISyntaxException {\r\n  List<Map.Entry<String, String>> parameters;\r\n  String url = message.URL;\r\n  int q = url.indexOf('?');\r\n  if (q < 0) {\r\n    parameters = message.getParameters();\r\n  } else {\r\n    \/\/ Combine the URL query string with the other parameters:\r\n    parameters = new ArrayList<Map.Entry<String, String>>();\r\n    parameters.addAll(OAuth.decodeForm(message.URL.substring(q + 1)));\r\n    parameters.addAll(message.getParameters());\r\n    url = url.substring(0, q);\r\n  }\r\n  return OAuth.percentEncode(message.method.toUpperCase()) + '&'\r\n    + OAuth.percentEncode(normalizeUrl(url)) + '&'\r\n    + OAuth.percentEncode(normalizeParameters(parameters));\r\n}\r\n\r\nprotected static String normalizeParameters(Collection<? extends Map.Entry> parameters)\r\n  throws IOException {\r\n  if (parameters == null) {\r\n    return \"\";\r\n  }\r\n  List<ComparableParameter> p = new ArrayList<ComparableParameter>(parameters.size());\r\n  for (Map.Entry parameter : parameters) {\r\n    if (!\"oauth_signature\".equals(parameter.getKey())) {\r\n      p.add(new ComparableParameter(parameter));\r\n    }\r\n  }\r\n  Collections.sort(p);\r\n  return OAuth.formEncode(getParameters(p));\r\n}\r\n\r\npublic static void formEncode(Iterable<? extends Map.Entry> parameters,OutputStream into) \r\n  throws IOException {\r\n  if (parameters != null) {\r\n    boolean first = true;\r\n    for (Map.Entry parameter : parameters) {\r\n      if (first) {\r\n        first = false;\r\n      } else {\r\n        into.write('&');\r\n      }\r\n      into.write(percentEncode(toString(parameter.getKey())).getBytes());\r\n      into.write('=');\r\n      into.write(percentEncode(toString(parameter.getValue())).getBytes());\r\n    }\r\n  }\r\n}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
This is a repost from the IMS Developer’s forum – I forgot to put this in my own blog. Possible issues with the OAuth C# library. I was working with some folks on C# Basic LTI and came across a seeming interoperability. Here is the discussion: I looked at the Java Implementations and the PHP […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-683","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.dr-chuck.com\/csev-blog\/wp-json\/wp\/v2\/posts\/683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dr-chuck.com\/csev-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dr-chuck.com\/csev-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dr-chuck.com\/csev-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dr-chuck.com\/csev-blog\/wp-json\/wp\/v2\/comments?post=683"}],"version-history":[{"count":3,"href":"https:\/\/www.dr-chuck.com\/csev-blog\/wp-json\/wp\/v2\/posts\/683\/revisions"}],"predecessor-version":[{"id":2780,"href":"https:\/\/www.dr-chuck.com\/csev-blog\/wp-json\/wp\/v2\/posts\/683\/revisions\/2780"}],"wp:attachment":[{"href":"https:\/\/www.dr-chuck.com\/csev-blog\/wp-json\/wp\/v2\/media?parent=683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dr-chuck.com\/csev-blog\/wp-json\/wp\/v2\/categories?post=683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dr-chuck.com\/csev-blog\/wp-json\/wp\/v2\/tags?post=683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}