MySpace Open Platform

MySpace gives incorrect makeRequest signatures after requestNavigateTo to Canvas

Last post 04-04-2008 6:50 AM by Fern-PT. 7 replies.
  • 03-13-2008 5:27 PM

    MySpace gives incorrect makeRequest signatures after requestNavigateTo to Canvas

    Summary:

    MySpace gives incorrect makeRequest signatures after requestNavigateTo to Canvas

    The basics:

    1. I have implemented signature verification correctly.

      If I visit my Canvas page manually (i.e. not using requestNavigateTo, but rather by pasting the URL in my browser), MySpace signs the makeRequest parameters correctly and my verification software produces the same signature as that which MySpace passes down.

    2. If I visit the Canvas page using requestNavigateTo, only the *first* signed call to makeRequest has the correct signature.

    3. After requestNavigateTo, all subsequent makeRequest calls have *incorrect* signatures attached.

    4. My verification software *always* agrees with the OAuth tool.  The signatures that MySpace passes down after requestNavigateTo and one makeRequest *never* agree with the OAuth tool.

    5. This is not a transient problem. It is consistently reproducible: requestNavigateTo canvas, first makeRequest call (success), second makeRequest call (fail, along with all other subsequent calls).

    6. This happens with both opensocial.makeRequest and gadgets.io.makeRequest.


    An example:

    1. My secret key: 14d1a56cc0c342c9a28510e1c146d183
      (I don't care if you know, since this is a development app and has no real users)

    2. Method: POST

    3. Target URL: http://sea.ilike.com/brendan/gadget/ilike_render_page

    4. Complete parameters received (merge of oauth stuff and my post data):

      {"oauth_nonce"=>"633410361908281250",
      "opensocial_viewer_id"=>"321806941",
      "fmt"=>"gadget",
      "mode"=>"canvas",
      "opensocial_owner_id"=>"321806941",
      "nocache"=>"1205439395475",
      "oauth_signature_method"=>"HMAC-SHA1",
      "oauth_token"=>nil,
      "synd"=>"myspace",
      "userId"=>"321806941",
      "viewerId"=>"321806941",
      "oauth_timestamp"=>"1205439390",
      "oauth_consumer_key"=>"http://www.myspace.com/ilike_brendan",
      "oauth_signature"=>"z37YglRMp6Srf1mwpT8kwtlC3sE=",
      "oauth_version"=>"1.0",
      "path"=>"artists_ilike"}

    5. In case you didn't see it, the signature passed to me was: z37YglRMp6Srf1mwpT8kwtlC3sE=


    My software *and* the OAuth tool say the signature should be F2cenIV/OXIKIMKbRnY+nkbM1SM=

    If you'd like to check along with the OAuth tool, use the following settings:

    1. Server: http://sea.ilike.com
    2. Resource URL: brendan/gadget/ilike_render_page
    3. Method: POST
    4. Consumer Key: http://www.myspace.com/ilike_brendan
    5. Consumer Secret: 14d1a56cc0c342c9a28510e1c146d183
    6. OAuth Token:
    7. OAuth Token Secret:
    8. OAuth Timestamp: 1205439390
    9. OAuth Nonce: 633410361908281250
    10. Signature Method: HMAC-SHA1
    11. Version: 1.0
    12. OAuth Mode: (either)
    13. Query options: Generate URI Only
    14. Form Encoded Parameters:
      fmt=gadget&mode=canvas&nocache=1205439395475&opensocial_owner_id=321806941&opensocial_viewer_id=321806941&path=artists_ilike&synd=myspace&userId=321806941&viewerId=321806941

      (I know that probably goes off the screen, but if you double click to highlight it you should be able to copy it all.  It ends with "viewerId=321806941".)


    This completely prevents with multiple AJAX calls from using authentication.

  • 03-13-2008 5:34 PM In reply to

    Re: MySpace gives incorrect makeRequest signatures after requestNavigateTo to Canvas

    Hi,

     

    The information I have is that there are some known encoding issues that are being looked into.  Thank you for the feedback, and it was really written well!!! :)


    Rhonda

  • 03-13-2008 5:45 PM In reply to

    Re: MySpace gives incorrect makeRequest signatures after requestNavigateTo to Canvas

    Thanks for the prompt response, Rhonda.  We (iLike) have also emailed some of the dev contacts we have, so I'm sure it'll get resolved soon.

  • 03-13-2008 6:54 PM In reply to

    Re: MySpace gives incorrect makeRequest signatures after requestNavigateTo to Canvas

    Just an update: I think this was due to our accidentally POSTing two different values for the "path" parameter. This only happens after the first requestNavigateTo(), and MySpace signs using *both*.  However, our code dedups and removes the old (extra and unneeded) one before calculating the signature.  Looks like it's our problem after all.  

  • 03-14-2008 9:21 AM In reply to

    • Rajiv
    • Top 500 Contributor
    • Joined on 01-16-2008
    • Posts 16

    Re: MySpace gives incorrect makeRequest signatures after requestNavigateTo to Canvas

    Brendan,
    I’m sure by now you would have figured out where the signing is incorrect, but here is my analysis  
     
    opensocial.makeRequest
    (Relay proxy) -
     
    Form post:
    curl -d "fmt=gadget&mode=canvas&nocache=1205439395475&opensocial_owner_id=321806941&opensocial_viewer_id=321806941&path=artists_ilike&synd=myspace&userId=321806941&viewerId=321806941" "http://localhost/proxy/relay.proxy?opensocial_token=MIGuBgkrBgEEAYI3WAOggaAwgZ0GCisGAQQBgjdYAwGggY4wgYsCAwIAAQICZgMCAgDABAiVXXd%2BANJZiQQQPZsj3uzlwbOKipZ%2BZuorwARgdM9r0vlgFn3alStN4gA88X%2Fvq9hxyJfEPqV%2F01sE8XcOPGOlVZAN9Z6xTmEGclSD8%2BmItwjMEYgqn9Hu5CNTAT2SBo4Ca0NTCbiwI9U7XW6OJ7qqBJrhQD8KWFugrR7Z&opensocial_url=http://sea.ilike.com/brendan/gadget/ilike_render_page&opensocial_authtype=SIGNED"
     
    Return URL:
     
    http://sea.ilike.com/brendan/gadget/ilike_render_page?oauth_consumer_key=http%3A%2F%2Fwww.myspace.com%2Filike_brendan&oauth_nonce=633410361908281250&oauth_signature=Z4grtfoMb%2BFvr6eTjl%2FPzY3azQU%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1205439390&oauth_token=&oauth_version=1.0&opensocial_owner_id=321806941&opensocial_viewer_id=321806941
     
    Signature: Z4grtfoMb+Fvr6eTjl/PzY3azQU=
     
    OAuth - Tool

    1.RequestURI=
    http://sea.ilike.com/brendan/gadget/ilike_render_page?oauth_consumer_key=http://www.myspace.com/ilike_brendan&oauth_nonce=633410361908281250&oauth_signature=Z4grtfoMb+Fvr6eTjl/PzY3azQU=&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1205439390&oauth_token=&oauth_version=1.0&opensocial_owner_id=321806941&opensocial_viewer_id=321806941
     
    2.BaseString=
    POST&http%3A%2F%2Fsea.ilike.com%2Fbrendan%2Fgadget%2Filike_render_page&fmt%3Dgadget%26mode%3Dcanvas%26nocache%3D1205439395475%26oauth_consumer_key%3Dhttp%253A%252F%252Fwww.myspace.com%252Filike_brendan%26oauth_nonce%3D633410361908281250%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1205439390%26oauth_token%3D%26oauth_version%3D1.0%26opensocial_owner_id%3D321806941%26opensocial_owner_id%3D321806941%26opensocial_viewer_id%3D321806941%26opensocial_viewer_id%3D321806941%26path%3Dartists_ilike%26synd%3Dmyspace%26userId%3D321806941%26viewerId%3D321806941
     
    3.Signature=
    Z4grtfoMb+Fvr6eTjl/PzY3azQU=
     
    Analysis: What you missed in the OAuth tool is the Query params – “opensocial_owner_id=321806941&opensocial_viewer_id=321806941”. opensocial.makeRequest adds these additional query parameters and per OAuth spec we need to sign the query params too.  I see that in the Post parameters these have been duplicated though.
     
    I hope this was helpful. Let me know if you have further questions.
     
    Thanks,
    -Rajiv

     

  • 03-15-2008 1:20 AM In reply to

    • Jim
    • Not Ranked
    • Joined on 02-05-2008
    • Posts 2

    Re: MySpace gives incorrect makeRequest signatures after requestNavigateTo to Canvas

    Hi Brendan,

    You just posted the same issue I was experimenting with ;)

    Exactly the same thing happens with me also... the OAuth tool agrees with my server side signature generation... but the passed signature is not conforming with it.

    Rajiv is correct, we need to pass the "opensocial_viewer_id" & "opensocial_owner_id" with the Resource URL
    But I think Brendan is also doing it.. otherwise OAuth tool will not give the same signature !!

    Anyway, if anyone gets it working... please don't forget to comment here ;)

    ~  Jim

      

     

     

  • 03-15-2008 5:54 PM In reply to

    Re: MySpace gives incorrect makeRequest signatures after requestNavigateTo to Canvas

    I have it working 100% of the time now!

    I had two issues (one on my side, one on MySpace's -- but can be worked around).

    1. My error: I was passing two values for the "path" parameter:
      path=new+path&foo=bar&path=old+path

      Since this is a valid HTTP query string, MySpace was signing it happily and sending it on down.  I, however, wasn't parsing it correctly: I was only anticipating a single value for each parameter key, so my string became this:
      path=new+path&foo=bar

      Since that's what I plugged into the OAuth tool, I naturally got the same hash as it.  Silly me!

    2. MySpace's error: They're converting URL-Encoded spaces (%20) into pluses (+).  Example:
      path=new%20path

      This string should be found double-encoded in the signature base string as:
      path%3Dnew%2520path

      Instead, MySpace encodes it as:
      path%3Dnew%2Bpath

      But it still arrives at my server as:
      path=new%20path

      So I can't help but generate a different Signature Base String.

      They converted from "path=new%20path" to "path=new+path" in the signing process.  So, if you pass any spaces you should call parameterString.replace(/%20/g, '+') beforehand to make sure that you're actually passing down "+" to your servers and you can generate the same Signature Base String as MySpace.
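
Added example (not part of the original thread, and not MySpace's or iLike's code): a minimal OAuth 1.0 HMAC-SHA1 verifier in Ruby showing the two points raised above, that repeated parameter names (Rajiv's duplicated query/POST parameters, the double "path" value) must all go into the signature base string, and how a space ends up as %2520 or %2B in it. The URL, secret, body and helper names are constructed for illustration.

```ruby
require 'openssl'
require 'uri'
# OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal.
def oauth_escape(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Takes a LIST of decoded [name, value] pairs so repeated names are all
# signed; oauth_signature itself is never part of the base string.
def signature_base_string(http_method, url, pairs)
  normalized = pairs.reject { |name, _| name == 'oauth_signature' }
                    .map { |name, value| [oauth_escape(name), oauth_escape(value)] }
                    .sort
                    .map { |name, value| "#{name}=#{value}" }
                    .join('&')
  [http_method.upcase, oauth_escape(url), oauth_escape(normalized)].join('&')
end

def hmac_sha1_signature(base_string, consumer_secret, token_secret = '')
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest('SHA1', key, base_string)].pack('m0')
end

# Constructed sample request (not the thread's real endpoint or secret).
DEMO_URL    = 'http://example.test/render'
DEMO_SECRET = 'constructed-secret'
DEMO_BODY   = 'path=new+path&foo=bar&path=old+path'

# Every pair on the wire, as the signer saw them (both "path" values).
def wire_pairs
  URI.decode_www_form(DEMO_BODY)
end

# One value per name: the parsing mistake described in the post above.
def deduplicated_pairs
  wire_pairs.uniq { |name, _| name }
end

def demo_signature(pairs)
  hmac_sha1_signature(signature_base_string('POST', DEMO_URL, pairs), DEMO_SECRET)
end

# Base-string fragment for "new path": %20 per the spec vs. the "+" the post reports.
def space_fragments
  { spec: oauth_escape("path=#{oauth_escape('new path')}"),
    plus: oauth_escape('path=new+path') }
end

puts signature_base_string('POST', DEMO_URL, wire_pairs)
```

Parsing the body into a Hash before verification loses the repeated name, so the verifier should build the base string from the raw pair list and only then hand a deduplicated view to application code.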
  • 04-04-2008 6:50 AM In reply to

    Re: MySpace gives incorrect makeRequest signatures after requestNavigateTo to Canvas

    I'm having issues with special characters being in the parameter names... MySpace looking into it though.. there is a separate thread..