Need Help with OAuth

So, over the past few weeks a pet project of mine has been an Android app for the growing website, Formspring.me. Granted, I have no interest in this site at all – I just thought their API looked easy to grind my teeth on. Regardless, when I start a project, I hate to leave it unfinished. Unfortunately, that may be what I have to do in this case.

Formspring.me has decided to use OAuth for their user authentication. OAuth made it big when Twitter revealed it as their method of authenticating third-party Twitter applications. It’s actually a pretty great system. It allows someone to write a program that can interact with your account without the program having to store your password. Unfortunately, Formspring’s implementation appears to be messed up. Maybe if I describe the problem I’m having, one of you geniuses out there can help me out (because Formspring support sure doesn’t seem to care).

Authentication with OAuth is a two-step process. First you declare the intent to authenticate by retrieving a “request token”; then you redirect the user to their browser, where they are asked if they want to give your application access to their data. If they click “allow”, they get a PIN to enter into the program. If the PIN they enter into the program matches the PIN the website gave them, the request token is upgraded to an “access token”, and that access token gives the application all the rights the user has. Then you store this access token for the next time they open up the program. However, since places like Twitter and Formspring want to limit exactly which applications can access their API, there are also two other values in play: the “consumer key”, which uniquely identifies your application, and the “consumer secret”, which is used to sign all messages coming from your application.

Currently, my program makes it all the way through the first step of authentication. It sends the user to the browser, where they click “allow” and then get a PIN. Then, when the user enters their PIN into the program and clicks “Authorize” to complete the process, the Formspring server sends back the following message: “Invalid Consumer Key”. This has had me banging my head against the wall for a while, mostly because I can’t explain how a consumer key that is good for the first step of authentication doesn’t work for the second step. It’s just silly.

So, in all honesty – are there any suggestions from the audience on this one? Help would be appreciated.

Discussion

4 Responses to “Need Help with OAuth”

  1. Disclaimer: I’ve never used OAuth.

    Can you verify that the consumer key sent the second time is the same as the one sent the first time?

    Posted by Mark | July 18, 2010, 1:06 pm
    • It is. I modded the OAuth library to output what is called the “base string” before sending the request to the server. The base string is the full contents of what I’m sending in my request including my consumer key and is what the signing algorithm uses to generate the message signature using the consumer secret.

      In the base string for both requests, I see the same consumer key.

      Posted by Matt | July 18, 2010, 1:41 pm
  2. Heh, maybe it’s some kind of Heisenbug. I’ve seen it happen with Java streams that don’t support the mark() method; by reading the stream, you’ve consumed the data and effectively altered the contents of the stream for the purposes of future reads.

    Anyway, I resurrected this discussion to share this. If you’re trying to use Twitter’s implementation of OAuth, beware.

    Posted by Mark | September 2, 2010, 12:01 pm
    • Actually, this bug was fixed. I never finished the project – because I’ve got so much else going on – but their implementation of OAuth was b0rked. It was chopping off parameters and then hashing on the reduced string, causing all kinds of weirdness. Sounds like someone who wrote their OAuth system didn’t prepare for an “off-by-one” error.

      Posted by Matt | September 2, 2010, 5:06 pm
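To make the signing step from the post and the truncated-parameter bug from the last comment concrete, here is an added example (not code from the post, the Android app, or Formspring’s or Twitter’s implementations) of the OAuth 1.0a HMAC-SHA1 “base string” and signature for the second, PIN-exchange step, with a server-side verifier that can optionally lose one parameter before hashing. The consumer key/secret, request token, endpoint URL, PIN, timestamp and nonce are all constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Encode, sort by name then value, join: the "base string" dumped in the comments
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with "<consumer secret>&<token secret>" (token secret may be empty)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify(method, url, received, consumer_secret, token_secret="", drop_last=False):
    # Server side: recompute over the received parameters, compare in constant time.
    # drop_last=True models the off-by-one from the comments: one normalised
    # parameter is lost before hashing, so a correctly signed request is rejected.
    params = dict(received)
    presented = params.pop("oauth_signature")
    if drop_last:
        params.pop(sorted(params)[-1])
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)

# Constructed sample credentials and endpoint, not Formspring's real values.
CONSUMER_KEY, CONSUMER_SECRET = "example-consumer-key", "example-consumer-secret"
REQUEST_TOKEN, TOKEN_SECRET = "example-request-token", "example-token-secret"
ACCESS_TOKEN_URL = "https://api.example.invalid/oauth/access_token"

def build_access_token_request(pin, timestamp="1279476000", nonce="constructed-nonce"):
    # Client side, second step of the PIN flow: exchange request token + PIN.
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": REQUEST_TOKEN,
        "oauth_verifier": pin,  # the PIN the user typed in
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", ACCESS_TOKEN_URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params
```

Because the consumer key sits inside the signed base string, a server that hashes a reduced parameter set will reject a request whose key is perfectly valid; comparing the client’s and server’s base strings byte for byte is the fastest way to spot such a mismatch.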
