A bug when using "POST" Verb to get accessToken #368

Closed
fellow99 opened this Issue Mar 28, 2013 · 8 comments


@fellow99

It does not work when the third-party API only supports the "POST" Verb to get the accessToken. Try linking the Box API (http://developers.box.com/oauth/).

I fixed some code at org.scribe.oauth.OAuth20ServiceImpl:

    public Token getAccessToken(Token requestToken, Verifier verifier)
    {
        OAuthRequest request = new OAuthRequest(api.getAccessTokenVerb(), api.getAccessTokenEndpoint());

        // Query-string parameters are added regardless of the verb.
        request.addQuerystringParameter(OAuthConstants.CLIENT_ID, config.getApiKey());
        request.addQuerystringParameter(OAuthConstants.CLIENT_SECRET, config.getApiSecret());
        request.addQuerystringParameter(OAuthConstants.CODE, verifier.getValue());
        request.addQuerystringParameter(OAuthConstants.REDIRECT_URI, config.getCallback());
        if (config.hasScope()) request.addQuerystringParameter(OAuthConstants.SCOPE, config.getScope());

        // For POST, the same parameters (plus grant_type) are also sent in the request body.
        if (api.getAccessTokenVerb().equals(Verb.POST)) {
            request.addBodyParameter("grant_type", "authorization_code");
            request.addBodyParameter(OAuthConstants.CLIENT_ID, config.getApiKey());
            request.addBodyParameter(OAuthConstants.CLIENT_SECRET, config.getApiSecret());
            request.addBodyParameter(OAuthConstants.CODE, verifier.getValue());
            request.addBodyParameter(OAuthConstants.REDIRECT_URI, config.getCallback());
            if (config.hasScope()) request.addBodyParameter(OAuthConstants.SCOPE, config.getScope());
        }

        Response response = request.send();
        return api.getAccessTokenExtractor().extract(response.getBody());
    }

@fernandezpablo85

is this a question or what?

@fellow99

It's a bug. You could test it by connecting to the Box API (http://developers.box.com/oauth/).

@fellow99

API implementation:

    import org.scribe.builder.api.DefaultApi20;
    import org.scribe.extractors.AccessTokenExtractor;
    import org.scribe.extractors.JsonTokenExtractor;
    import org.scribe.model.OAuthConfig;
    import org.scribe.model.Verb;
    import org.scribe.utils.OAuthEncoder;

    public class BoxOAuth2API extends DefaultApi20 {
        // http://developers.box.com/docs/
        private static final String AUTHORIZE_URL = "https://www.box.com/api/oauth2/authorize?client_id=%s&redirect_uri=%s&response_type=code";
        private static final String SCOPED_AUTHORIZE_URL = AUTHORIZE_URL + "&scope=%s";

        // The token endpoint is called with POST.
        @Override
        public Verb getAccessTokenVerb() {
            return Verb.POST;
        }

        // The token response is parsed as JSON.
        @Override
        public AccessTokenExtractor getAccessTokenExtractor() {
            return new JsonTokenExtractor();
        }

        @Override
        public String getAccessTokenEndpoint() {
            return "https://www.box.com/api/oauth2/token?grant_type=authorization_code";
        }

        @Override
        public String getAuthorizationUrl(OAuthConfig config) {
            // Append scope if present
            if (config.hasScope()) {
                return String.format(SCOPED_AUTHORIZE_URL, config.getApiKey(),
                        OAuthEncoder.encode(config.getCallback()),
                        OAuthEncoder.encode(config.getScope()));
            } else {
                return String.format(AUTHORIZE_URL, config.getApiKey(),
                        OAuthEncoder.encode(config.getCallback()));
            }
        }
    }

@fernandezpablo85

"it's not working" doesn't say a thing, instead of pasting your code here please put the error message you're getting

@ejain

Just ran into the same problem with another service (Netatmo) that follows the OAuth2 spec more strictly than others. The problem is that even though you can override getAccessTokenVerb() to return Verb.POST, Scribe still appends all parameters to the query string, rather than sending them in the request body (as the spec requires).
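
The difference described in the comment above, as an added example that is not part of the thread and is not Scribe code: the same token-request parameters placed in the query string (GET) versus in a form-encoded body (POST), with a check that flags a URL carrying `client_secret` or `code`. It uses only the JDK; the class name, endpoint and credential values are constructed placeholders.

```java
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;
// Added example, not Scribe code. Endpoint and credential values are constructed.
public class TokenRequestSketch {
    // Encode parameters as application/x-www-form-urlencoded.
    static String formEncode(Map<String, String> params) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), "UTF-8")).append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return sb.toString();
    }

    // Returns {url, body}. POST keeps the endpoint URL clean and carries every
    // parameter in the body; GET appends them to the query string.
    static String[] build(String verb, String endpoint, Map<String, String> params) throws Exception {
        String encoded = formEncode(params);
        if ("POST".equals(verb)) return new String[] { endpoint, encoded };
        String sep = endpoint.contains("?") ? "&" : "?";
        return new String[] { endpoint + sep + encoded, "" };
    }

    // Defensive check: does the URL expose a secret or code in its query string?
    static boolean leaksInUrl(String url) {
        int q = url.indexOf('?');
        if (q < 0) return false;
        for (String pair : url.substring(q + 1).split("&")) {
            String name = pair.split("=", 2)[0];
            if (name.equals("client_secret") || name.equals("code")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> p = new LinkedHashMap<String, String>();
        p.put("grant_type", "authorization_code");
        p.put("client_id", "example-client-id");
        p.put("client_secret", "example-client-secret");
        p.put("code", "example-auth-code");
        p.put("redirect_uri", "https://client.example/callback");
        for (String verb : new String[] { "GET", "POST" }) {
            String[] r = build(verb, "https://provider.example/oauth2/token", p);
            System.out.println(verb + " " + r[0] + " body=" + r[1] + " leaksInUrl=" + leaksInUrl(r[0]));
        }
    }
}
```

Request URLs are commonly written to server and proxy access logs, so the `leaksInUrl` check is also useful as a unit test around any client that builds token requests.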

@fernandezpablo85

that's a different issue then, please rephrase

@ejain

For the record, the fix posted by fellow99 works for me.

@fernandezpablo85

Does this look OK to you guys?

#370
