CXF
  1. CXF
  2. CXF-4283

OAuth 2-leg getAccessToken Error

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.6
    • Fix Version/s: 2.5.4, 2.6.1
    • Component/s: JAX-RS Security
    • Labels:
    • Estimated Complexity:
      Novice

      Description

      After the preauthorized request token has been obtained, if we request the access token using org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken() providing a null value for verifier, the following error occurs:

      org.apache.cxf.rs.security.oauth.provider.OAuthServiceException: Status : 401
      Headers :
      WWW-Authenticate : OAuth realm="null", oauth_problem="verifier_invalid"
      Date : Wed, 02 May 2012 13:07:58 GMT
      Content-Length : 16
      Content-Type : application/x-www-form-urlencoded
      Server : Apache-Coyote/1.1

      at org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getToken(OAuthClientUtils.java:191)
      at org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken(OAuthClientUtils.java:112)

      As you can see, the request OAuth header sent includes an empty "oauth_verifier" parameter:

      Authorization=[OAuth oauth_signature_method="HMAC-SHA1", oauth_consumer_key="9ab45d4a483b10719b72c73fff513342aa814a9", oauth_token="afb0c0d63d948872aa4cfa07b75f6788e4a2a98", oauth_verifier="", oauth_timestamp="1335964079", oauth_nonce="1335964079434845000", oauth_version="1.0", oauth_signature="4drUvMJ4pJm25QJkKIb6bSwKnio%3D"]

      So, when processing the message at server side (inside AccessTokenHandler class) a non-null verifier parameter is obtained and its validation always fails:

      String oauthVerifier = oAuthMessage.getParameter(OAuth.OAUTH_VERIFIER);
      if (oauthVerifier == null) {
      if (requestToken.getSubject() != null && requestToken.isPreAuthorized())

      { LOG.fine("Preauthorized request token"); }

      else

      { throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID); }

      } else if (!oauthVerifier.equals(requestToken.getVerifier()))

      { throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID); }

      I suppose changing org.apache.cxf.rs.security.oauth.client.OAuthClientUtils.getAccessToken() from:

      Map<String, String> parameters = new HashMap<String, String>();
      parameters.put(OAuth.OAUTH_CONSUMER_KEY, consumer.getKey());
      parameters.put(OAuth.OAUTH_TOKEN, requestToken.getToken());
      parameters.put(OAuth.OAUTH_VERIFIER, verifier);
      parameters.put(OAuth.OAUTH_SIGNATURE_METHOD, "HMAC-SHA1");

      to

      Map<String, String> parameters = new HashMap<String, String>();
      parameters.put(OAuth.OAUTH_CONSUMER_KEY, consumer.getKey());
      parameters.put(OAuth.OAUTH_TOKEN, requestToken.getToken());
      if (null!=verifier) parameters.put(OAuth.OAUTH_VERIFIER, verifier);
      parameters.put(OAuth.OAUTH_SIGNATURE_METHOD, "HMAC-SHA1");

      would solve the problem because a null "oauth_verifier" parameter wouldn't be sent

        Activity

          People

          • Assignee:
            Sergey Beryozkin
            Reporter:
            Jordi Torrente
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development