Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Updates request factory to exclude oauth_* params due to Authorization header #33

merged 2 commits into from

3 participants


Requests should not use url or post params if Authorization header is used, see (5.2. Consumer Request Parameters) states that it should be one of Authorization header, POST params, or URL params (preference in that order).

Twitter API also has issues with this,, states "If you're using HTTP-header based OAuth, you shouldn't include oauth_* parameters in the POST body or querystring"

Personally, I noticed this when using an API that uses django-piston, which creates a multi value dict for params so when there are duplicates I see invalid signatures.

This update removes the passing of the parameters argument to the request creation in requestWithMethod:path:parameters. The request created for the authorization step also had to be updated to use the url parameters because it was using this method before.

@jnormore jnormore Updates requestWithMethod:path:params to not use post or query params…
…. Updates authorization request to use query params.

Hi! I think we've run into the same problem - my solution is #34.

I think you still need to post through some parameters - for instance the Xero API still needs the "xml" parameter when creating new objects etc, and it seems like that shouldn't be in the Authorization header from looking at the spec.

I may be wrong though, if so, please correct me! :)


@nikz Yes, seems to be exactly the same problem! I think your solution is better since it doesn't exclude other parameters (I didn't think of that). But I think it should do it for the GET method too (since this is a valid method for this), not just POST, in which case you'll need to do something similar to jnormore@a67b05f#L0R280 for the authorize request.


You are quite right! The solution looks good too - I'll try to get a chance to pull that change across from you today (if you get there before me let me know)


@nikz A month late but I finally got around to adding this if you're interested, I pretty much copied your change for that part


@jnormore looks sweet! :+1:

@mattt mattt merged commit b7e628a into AFNetworking:master

@jnormore @nikz Thank you both for your pull requests. I just merged this in, and will tag this as a new release as soon as I finish clear out a few more open issues. Cheers!


Glad we could help :)

(Thank you for AFNetworking and all of the other great open source stuff you've released!)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Mar 19, 2013
  1. @jnormore

    Updates requestWithMethod:path:params to not use post or query params…

    jnormore authored
    …. Updates authorization request to use query params.
Commits on Apr 23, 2013
  1. @jnormore
This page is out of date. Refresh to see the latest.
Showing with 13 additions and 3 deletions.
  1. +13 −3 AFOAuth1Client/AFOAuth1Client.m
16 AFOAuth1Client/AFOAuth1Client.m
@@ -277,10 +277,12 @@ - (void)authorizeUsingOAuthWithRequestTokenPath:(NSString *)requestTokenPath
NSMutableDictionary *parameters = [NSMutableDictionary dictionary];
[parameters setValue:requestToken.key forKey:@"oauth_token"];
+ NSMutableURLRequest *request = [super requestWithMethod:@"GET" path:userAuthorizationPath parameters:parameters];
+ [request setHTTPShouldHandleCookies:NO];
- [[UIApplication sharedApplication] openURL:[[self requestWithMethod:@"GET" path:userAuthorizationPath parameters:parameters] URL]];
+ [[UIApplication sharedApplication] openURL:[request URL]];
- [[NSWorkspace sharedWorkspace] openURL:[[self requestWithMethod:@"GET" path:userAuthorizationPath parameters:parameters] URL]];
+ [[NSWorkspace sharedWorkspace] openURL:[request URL]];
} failure:^(NSError *error) {
if (failure) {
@@ -349,7 +351,15 @@ - (NSMutableURLRequest *)requestWithMethod:(NSString *)method
path:(NSString *)path
parameters:(NSDictionary *)parameters
- NSMutableURLRequest *request = [super requestWithMethod:method path:path parameters:parameters];
+ NSMutableDictionary *requestParameters = [parameters mutableCopy];
+ for (NSString* parameterName in parameters) {
+ if ([parameterName hasPrefix:@"oauth_"]) {
+ [requestParameters removeObjectForKey:parameterName];
+ }
+ }
+ NSMutableURLRequest *request = [super requestWithMethod:method path:path parameters:requestParameters];
[request setValue:[self authorizationHeaderForMethod:method path:path parameters:parameters] forHTTPHeaderField:@"Authorization"];
[request setHTTPShouldHandleCookies:NO];
Something went wrong with that request. Please try again.