Skip to content


Subversion checkout URL

You can clone with
Download ZIP


parameters in http_url incorrectly handled in Request.from_request() #21

rogerm opened this Issue · 3 comments

4 participants


When the http_url parameter is parsed to see if it contains any params, the paramsaren't removed from the url after being added to the parameters variable. Request.get_normalized_parameters() also parses the raw url (why?) when constructing the cignaturebasestring. The combination of these actions is that parameters coming from http_url get included twice in the signature base string.


  • in from_request, after parsing http_url: http_url = http_url.split('?',1)[0]

It's not clear that you need or want to parse the original url again in get_normalized_parameters, it would be cleaner is all constructors and factories ensured that parameters get extracted on creation so you can just use the reqeust dictionary and the normalized url.


I just ran into this issue myself. Is there some reasoning behind the behavior or is it a bug?


I have a similar issue in Request.from_consumer_and_token. Apparently when a URL redirects the request method is invoked twice this means that parameters are copied twice and the URL is signed twice.

Ad hoc fixes (this may break other functionality):

In the Client.request method:

    if 'oauth_token' not in uri:
        req.sign_request(self.method, self.consumer, self.token)

In the Request.from_consumer_and_token method:

    parameters = defaults
    if http_url is not None and '?' in http_url:
        parameters = {}
@maxcountryman maxcountryman referenced this issue from a commit in maxcountryman/python-oauth2
@maxcountryman maxcountryman fixes a problem where redirecting URLs would be populated with twice …
…their original number of parameters, see #21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.