Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

OAuth RequestToken no longer works in Rails 3.1 OAuth::Unauthorized: 401 Unauthorized #106

Open
strukturedkaos opened this Issue · 9 comments

6 participants

Don Pottinger Jan Dudulski Vitaly Tatarintsev Alexander Savin Brian Armstrong Luis Barragan
Don Pottinger

I successfully implemented a Rails 3.0.9 app as an OAuth provider using the oauth and oauth-plugin gems. However, to Rails 3.1.3, I'm receiving an 401 Unauthorized error when attempting to get the request token. I'm not sure whether it's an incompatibility with the gem or an issue with Rails 3.1.3.

I've been testing locally with the following:

  • Rails 3.1.3
  • oauth (0.4.5)
  • oauth-plugin (0.4.0.rc2)

Consumer Key: BkdI1PnzRuvKDw2Qs1wVxtDrtvmqhUgeXLwNpNtm Consumer

Secret: eCY7JFk4vK6IeWXVq7yS3OMVT1XKpVOWOImsy3iw

Request Token URL: http://localhost:3000/oauth/request_token

Access Token URL: http://localhost:3000/oauth/access_token

Authorize URL: http://localhost:3000/oauth/authorize

In the console:

ruby-1.9.2-p290 :003 > @consumer = OAuth::Consumer.new 
                                   "BkdI1PnzRuvKDw2Qs1wVxtDrtvmqhUgeXLwNpNtm",
                                   "eCY7JFk4vK6IeWXVq7yS3OMVT1XKpVOWOImsy3iw", 
                                   {:site => "http://localhost:3000"}
=> #<OAuth::Consumer:0x007fe93d5bcdf8 @key="BkdI1PnzRuvKDw2Qs1wVxtDrtvmqhUgeXLwNpNtm",
   @secret="eCY7JFk4vK6IeWXVq7yS3OMVT1XKpVOWOImsy3iw", 
   @options={:signature_method=>"HMAC-SHA1", 
             :request_token_path=>"/oauth/request_token",
             :authorize_path=>"/oauth/authorize",
             :access_token_path=>"/oauth/access_token", 
             :proxy=>nil, 
             :scheme=>:header, 
             :http_method=>:post, 
             :oauth_version=>"1.0", 
             :site=>"http://localhost:3000"}>

ruby-1.9.2-p290 :004 > @consumer.get_request_token
OAuth::Unauthorized: 401 Unauthorized 
from /Users/donpottinger/.rvm/gems/ruby-1.9.2-p290@rails3_1/gems/oauth-0.4.5/lib/oauth/consumer.rb:219:in `token_request'
from /Users/donpottinger/.rvm/gems/ruby-1.9.2-p290@rails3_1/gems/oauth-0.4.5/lib/oauth/consumer.rb:139:in `get_request_token'
from (irb):4
from /Users/donpottinger/.rvm/gems/ruby-1.9.2-p290@rails3_1/gems/railties-3.1.3/lib/rails/commands/console.rb:45:in `start'
from /Users/donpottinger/.rvm/gems/ruby-1.9.2-p290@rails3_1/gems/railties-3.1.3/lib/rails/commands/console.rb:8:in `start'
from /Users/donpottinger/.rvm/gems/ruby-1.9.2-p290@rails3_1/gems/railties-3.1.3/lib/rails/commands.rb:40:in `<top (required)>'
from script/rails:6:in `require'
from script/rails:6:in `<main>'

I've tried downgrading the oauth and oauth-plugin gems, but that doesn't seem to help. The same setup seems to work as expected in Rails 3.0.9. Any help would be greatly appreciated.

Don Pottinger

Bump.

Anyone have any idea what could be going on?

Jan Dudulski

get_request_method wants to get a hash (see: http://oauth.rubyforge.org/rdoc/classes/OAuth/Consumer.html#M000109), but string is provided (https://github.com/pelle/oauth-plugin/blob/master/lib/oauth/controllers/consumer_controller.rb#25 ):

request_url = callback_oauth_consumer_url(params[:id]) + '?' + request.query_string
@request_token = @consumer.get_request_token(request_url)
Vitaly Tatarintsev

I have similar issue. I'm using Rails 3.0.11
All works fine at my localhost but raises 401 Unauthorized in production mode.
Where is some articles describing about difference system time between localhost and productions server. But it's didn't helped me. I've change time at local machine trying to pass :oauth_timestamp nothing

Alexander Savin

I think I have the same issue now with Rails 3.2. When requesting a request_token, I get 401 Unauthorized response. But here is how it looks on server side:

Started POST "/oauth/request_token" for 127.0.0.1 at 2012-04-25 14:11:56 +0300
Processing by OauthController#request_token as /
Rendered text template (0.0ms)
Filter chain halted as #false, :strategies=>:two_legged}, @strategies=[:two_legged]> rendered or redirected
Completed 401 Unauthorized in 56ms (Views: 55.1ms | ActiveRecord: 0.0ms)

Basically it stumbles at this:

provider_controller.rb:
oauthenticate :strategies => :two_legged, :interactive => false, :only => [:request_token]

Any suggestion how this can be fixed and what is going on?

Vitaly Tatarintsev

I'm not sure if I can advertise another gem here, so excuse me. But I've solved this problem by switching to doorkeeper gem

Don Pottinger

Hmm, I may have to keep doorkeeper a shot then.

Alexander Savin

Pretty cool, thanks for the hint!

Brian Armstrong

I had to do a few things to get this working. First the middleware was using find_by_key on ClientApplication which mongoid doesn't support, so I added this:

def self.find_by_key(key)
  ClientApplication.where(key: key).first
end

Then the 401 unauthorized for /oauth/request_token came up. I noticed it was trying to mass assign nonce and timestamp and showed a warning for this. (We have whitelist attributes on).

So I added:

attr_accessible :nonce, :timestamp

to oauth_nonce.rb and it seemed to fix it.

Luis Barragan

I had to do a couple of things to fix the 401 unauthorized issue:

1) Removed the two-legged strategy by adding this to the application controller that I wanted to check:

before_filter oauthenticate :interactive => false, :strategies => [:token]

2) Then added this to the application controller in order to set the request variable to token BEFORE the oauthenticate method is executed

before_filter :oauth_strategies

def oauth_strategies
self.request.env["oauth.strategies"] = [:token]
end

This is just a quick fix to make the basic flow work, there is probably a better solution for this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.