Where to get requestToken in callback servlet? #255

Closed
yegor256 opened this Issue Apr 26, 2012 · 20 comments


According to your documentation I should get "access token" from LinkedIn with the following code:

OAuthService#getAccessToken(token, verifier);

Where "token" is an instance of the Token class. Where do I get it if I only have a String received from the LinkedIn server?

I cross-posted this question to LinkedIn forum: https://developer.linkedin.com/forum/where-get-requesttoken-object-callback-servlet

Collaborator

fernandezpablo85 commented Apr 26, 2012

The access_token is not just a String, it is two Strings (the accessToken and the accessTokenSecret).

You can then construct the actual Token object via:

Token token = new Token(accessToken, accessTokenSecret);

Yes, access token is not a problem. The problem is where to get requestToken, which is required as the first argument for #getAccessToken(). In callback servlet I receive just one string in oauth_token query param.

Collaborator

fernandezpablo85 commented Apr 26, 2012

Token requestToken = service.getRequestToken();

So, in callback servlet I will make a new request to the server for a new (!) request token, ignoring the value passed to me in oauth_token? Is it a correct behavior?

This example doesn't have a servlet with a callback (I read it already). In my case, I have a servlet that receives an HTTP GET request from LinkedIn with oauth_token and oauth_verifier. I can't understand how I can use getAccessToken() from your library, if I don't have a Token object. And when I'm trying to create it like new Token(oauth_token, "") - LinkedIn complains.

Am I the first one using the library for authentication? :)

Collaborator

fernandezpablo85 commented Apr 26, 2012

> Am I the first one using the library for authentication? :)

Actually, no. You're not.

You are indeed the first one that doesn't know how to share a simple (serializable) object between 2 http requests.

Well, according to OAuth spec (and LinkedIn documentation) a request for access token doesn't need oauth_token_secret received in the first request (for request token). Right?

If so, then why does Scribe require a Token in getAccessToken() instead of a String?

Collaborator

fernandezpablo85 commented Apr 26, 2012

Scribe's model is not the exact same as the OAuth spec (you won't find the concept of Provider in scribe, for example).

The getAccessToken step means actually "Exchange the request token for the access token" so I thought that intent should be clear in scribe's Api.

If you want to get from a String to a Token object, you can do:

Token t = new Token(requestToken, requestTokenSecret);

If you don't have the requestTokenSecret just pass in an empty string ""

That was my first thought, to use an empty string (as I mentioned above). But in this case Scribe generates a request to LinkedIn without oauth_signature parameter and LinkedIn rejects such a request. I will test again, but looks like an empty string is not a valid option.

Do you have any open source example of Scribe usage in servlets with callback (with LinkedIn)?

Collaborator

fernandezpablo85 commented Apr 26, 2012

> Do you have any open source example of Scribe usage in servlets with callback (with LinkedIn)?

No.

I'm afraid that there is a defect in the library. I will find out where exactly and report in a new ticket.

Actually, would be great to add Token(String) constructor to Token class. In that case similar question would be resolved automatically.

Collaborator

fernandezpablo85 commented Apr 26, 2012

> I'm afraid that there is a defect in the library. I will find out where exactly and report in a new ticket.

Please do.

> Actually, would be great to add Token(String) constructor to Token class. In that case similar question would be resolved automatically.

There can't be a Token without a token secret, so that's out of the question.

Hm.. so why are you suggesting to use an empty string, when you know that there should be a real secret key there? :) I'm lost.

If there has to be a real secret key then the only way to work with LinkedIn is to persist requestToken-s inside the servlet (in a static map, or file, or session, etc). But definitely not what your documentation is suggesting (I mean service.requestToken() again, inside the callback). Am I right (I'm rather new to OAuth)?

Collaborator

fernandezpablo85 commented Apr 26, 2012

Man, just persist the Token object between requests. It's not that hard.

It's easy, no doubts, but it took a few hours before I understood that I should do it :)

Would be great if you can mention this in the "Getting Started" guide. Just a few words: "Keep in mind that in callback servlet you should use the same Token object you retrieved before. Thus, you should persist it somewhere."

Besides that your library rocks. I'm using it :)

Collaborator

fernandezpablo85 commented Apr 26, 2012

I'll mention it on the getting started. Thanks for the suggestion! :)
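
The pattern the thread converges on, keeping the request Token (token and secret) server-side between the redirect and the callback, shown as an added example that is not part of the original thread or of Scribe's documentation. It assumes Scribe 1.x and the javax.servlet API; the servlet name, session attribute names, callback URL and key placeholders are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.*;
import org.scribe.builder.ServiceBuilder;
import org.scribe.builder.api.LinkedInApi;
import org.scribe.model.Token;
import org.scribe.model.Verifier;
import org.scribe.oauth.OAuthService;

// Hypothetical servlet mapped to /oauth/*; key, secret and callback URL are placeholders.
public class LinkedInLoginServlet extends HttpServlet {
    private static final String REQ_TOKEN_ATTR = "oauth.requestToken"; // assumed attribute name
    private final OAuthService service = new ServiceBuilder()
            .provider(LinkedInApi.class)
            .apiKey("YOUR_API_KEY").apiSecret("YOUR_API_SECRET")
            .callback("https://app.example/oauth/callback")
            .build();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(true);
        if ("/callback".equals(req.getPathInfo())) {
            handleCallback(req, resp, session);
            return;
        }
        // Step 1: fetch the request token and keep the whole Token (it carries the secret) in the session.
        Token requestToken = service.getRequestToken();
        session.setAttribute(REQ_TOKEN_ATTR, requestToken);
        resp.sendRedirect(service.getAuthorizationUrl(requestToken));
    }

    private void handleCallback(HttpServletRequest req, HttpServletResponse resp, HttpSession session) throws IOException {
        // Step 2: reuse the stored Token and drop it so it can be exchanged only once.
        Token requestToken = (Token) session.getAttribute(REQ_TOKEN_ATTR);
        session.removeAttribute(REQ_TOKEN_ATTR);
        String returned = req.getParameter("oauth_token");
        String verifier = req.getParameter("oauth_verifier");
        // Reject callbacks whose oauth_token is not the one this session started with.
        if (requestToken == null || returned == null || verifier == null
                || !MessageDigest.isEqual(returned.getBytes(StandardCharsets.UTF_8),
                        requestToken.getToken().getBytes(StandardCharsets.UTF_8))) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown or expired request token");
            return;
        }
        // OAuth 1.0a signs this exchange with the consumer secret plus the request token's secret.
        Token accessToken = service.getAccessToken(requestToken, new Verifier(verifier));
        session.setAttribute("oauth.accessToken", accessToken); // assumed attribute name
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```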

Hm, I also would like to save the Token, but I can't. I always get java.lang.UnsupportedOperationException: Unsupported operation, please use 'getAuthorizationUrl' and redirect your users there

I am using Google2Api.class.

Collaborator

fernandezpablo85 commented Jul 24, 2014

When are you getting that error? Scribe doesn't save anything, what do you mean by "would like to save the Token but I can't"?

Hi!

Sorry for my cryptic question, but I was so wasted yesterday. I wanted to do a Google-Login according to this blog post: http://oneminutedistraction.wordpress.com/2014/04/29/using-oauth-for-your-javaee-login/

I could not call the request token because unsupportedOperation and always get an error back. But maybe Google2Api.class (https://gist.github.com/yincrash/2465453) is old or something.

Some others say I don't need any token.

Now we have just done a Facebook-Login, which seems much easier to me.
