Withings provider not working?

[fantapop]

Hi there,

Maybe I'm just doing something drastically wrong but I can't get the withings requests to work. I'm able to get authorized but once I make an actual request for data I'm always getting the following response:

status: "503"
error: "Not enough params"

I was getting this same error using the oauth.io service so I installed oauthd to try and further debug the issue. Its somewhat difficult to tell whats going on but my suspicion is that the oauth parameters are not getting sent along with the request parameters in the correct way. Withings wants them in the query string which is unusual for an oauth implementation.

As far as I can tell the request library which is used for signing doesn't support this.

Maybe I'm crazy. Does anyone have this working?

[bumpmann]

You are right, the withings API seems to have a custom implementation of oauth 1. I guess we should support the oauth 1 parameters to be in the query string in the configuration files, based on how the request lib builds the params (https://github.com/request/request/blob/master/request.js#L1622).

For now you need to use this code to build and send the oauth params in the query. Don't hesitate to send a pull request if you want to contribute to oauthd. In the meantime, we will send a support ticket to Withings to see if they plan to fix this.

[fantapop]

Okay, I may end up working on this.

[fantapop]

After looking closer at this issue, it appears that the oauth functionality of request.js would need to be completely bypassed in order for this to work with the withings API as it exists today.

The problem is here: https://github.com/request/request/blob/master/request.js#L1676. The items in the query string are concatenated with the oauth parameters to create the signature. If a signature were prepopulated and included in the query string, the resulting signature would be different than the precalculated one.

I assume that code to implement those oauth specifics when its currently all taken care of in request.js would never get merged back to oauthd. Does that sound right?

I was able to get this working by hacking request.js to add the parameters but that change will never be accepted either. For now I suppose I can run my modified version of oauthd instead of using the oauth.io service directly.

Did you have any luck communicating with Withings about the issue?

[fantapop]

I just looked a bit closer at the oauth1 spec. It appears that the withings method is a valid method according to the spec. Here is the section on "Consumer Request Parameters" (http://oauth.net/core/1.0/#consumer_req_param):

5.2.  Consumer Request Parameters

OAuth Protocol Parameters are sent from the Consumer to the Service Provider in one of three methods, in order of decreasing preference:

In the HTTP Authorization header as defined in OAuth HTTP Authorization Scheme.
As the HTTP POST request body with a content-type of application/x-www-form-urlencoded.
Added to the URLs in the query part (as defined by [RFC3986] section 3).
In addition to these defined methods, future extensions may describe alternate methods for sending the OAuth Protocol Parameters. The methods for sending other request parameters are left undefined, but SHOULD NOT use the OAuth HTTP Authorization Scheme header.

Maybe its not entirely unreasonable for request.js to support this.

[fantapop]

Okay, I added support to request.js for this. The option is oauth.transport_method. I can create a pull request for oauthd to support this. What should the configuration option for the provider look like?