Lionpath

MySpace OAuth Problems within the MySpace OpenSocial App Environment

This article describes some problems of the OAuth implementation on MySpace, the workarounds for them, and how to integrate OpenSocial implementations.
Most of this article is aimed at App developers: how to integrate properly into MySpace and which workarounds to use.

Signatures of Requests

One way to secure the communication between the MySpace server and your App is to use signed requests. A signed request secures the communication between the two parties: for you as an application developer it guarantees that the user on whose behalf the request is made has been properly authenticated by MySpace.

Several libraries and articles exist to guide you towards a correct implementation. Unfortunately, as with most software, there are some bugs around that keep you from proper operation. On MySpace there are plenty of them; this is not a quality problem but is surely related to the dynamics of app integration into the MySpace platform.

One of the problems is related to their OAuth implementation.

MySpace OAuth Implementation

MySpace has its own implementation of an OAuth library, which is definitely something other than the libraries available on the OAuth site. Some of the bugs have already been removed, but one in particular prevents developers from being properly integrated: the signature validation.

The OAuth signature validation on MySpace is based on the HMAC-SHA1 algorithm, which is very well documented on the OAuth site.

Problem/ Bug of sorting

The OAuth specification states in section 9.1.1 that the base string contains an ordered set of parameters: parameters are sorted by name, using lexicographical byte value ordering, and if two or more parameters share the same name, they are sorted by their value.

Not everyone has a clear understanding of a lexicographical byte value ordering. In fact it is pretty simple for anyone familiar with the basics of computer science: sort first by parameter name and, if the names are equal, by parameter value, using the lexicographical ordering as the metric.

Let me deconstruct the terms: a byte value is nothing special in this environment, because everything has already been reduced to ASCII characters; even multi-byte sequences are by now plain byte values or their percent-escaped counterparts. So it comes down to comparing simple strings, which is done on their character values. The only special case occurs when one string is longer than the other; in that case the longer one comes before the shorter one. That is all.

If you check the mailing lists and discussions you can see how many people think this implies a case-insensitive ordering or something similar, even while referencing the correct definitions, but drawing wrong conclusions.

However, the developers at MySpace built a case-insensitive ordering into their algorithm.

Workaround on MySpace OAuth Bug

The workaround is pretty simple: implement a case-insensitive ordering of the parameters and your signature comparison will work.

In Java the workaround is something simple like this:

Take a case insensitive comparator:
import java.util.Comparator;

// Case-insensitive comparator for parameter names (the ordering MySpace uses).
// Null names sort before non-null ones, so the comparator never throws.
public class IgnoreCase implements Comparator<String> {

  @Override
  public int compare(String o1, String o2) {
    if (o1 == null) {
      return (o2 == null) ? 0 : -1;
    }
    if (o2 == null) {
      return 1;
    }
    return o1.compareToIgnoreCase(o2);
  }

}

And build the sorted parameter map for your base string from the request arguments (the args map, a Map<String, String[]>) like this:

 // requires java.util.Arrays, java.util.Map and java.util.TreeMap
 // the "oauth_signature" entry is the value to verify, not part of the base string
 Map<String, String[]> argList = new TreeMap<String, String[]>(new IgnoreCase());
 String signature = null;
 for (String key : args.keySet()) {
   if (!"oauth_signature".equals(key)) {
     String[] vals = args.get(key);
     if (vals.length > 1) {
       Arrays.sort(vals);  // several values under one name: order them by value
     }
     argList.put(key, vals);
   } else {
     signature = args.get(key)[0];
   }
 }

Now the signature verifies as expected.
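The following Python script is an added example, not code from the original article or from MySpace. It builds the OAuth 1.0 signature base string and HMAC-SHA1 signature from scratch, once with the byte value parameter ordering section 9.1.1 prescribes and once with the case-insensitive name ordering described above, and shows that a request signed under one ordering fails verification under the other. All function names, the sample request under SAMPLE_PARAMS (including the mixed-case name "Zcustom") and the secrets are constructed for this example; the spec_vector_check function uses the public test vector from Appendix A of the OAuth Core 1.0 specification.

```python
"""OAuth 1.0 HMAC-SHA1 base string and signature check (added example,
not part of the original article). Contrasts the spec's byte value
parameter ordering with a case-insensitive name ordering."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """Percent-encode per OAuth 1.0 section 5.1 (RFC 3986 unreserved set kept)."""
    return quote(str(value), safe="-._~")


def normalize_params(params, case_insensitive_keys=False):
    """Normalized parameter string from (name, value) pairs, without oauth_signature.

    Spec ordering: encoded names byte-wise, then encoded values byte-wise.
    Workaround ordering: names compared case-insensitively, then values.
    """
    pairs = [(pct(k), pct(v)) for k, v in params if k != "oauth_signature"]
    if case_insensitive_keys:
        pairs.sort(key=lambda kv: (kv[0].lower(), kv[1]))
    else:
        pairs.sort()  # tuple order on ASCII strings is the byte value ordering
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string(method, url, params, case_insensitive_keys=False):
    """Signature base string: METHOD & enc(url) & enc(normalized parameters)."""
    return "&".join([method.upper(), pct(url),
                     pct(normalize_params(params, case_insensitive_keys))])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer)&enc(token)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_request(method, url, params, consumer_secret, token_secret="",
                   case_insensitive_keys=False):
    """Recompute the signature on the App side and compare in constant time."""
    provided = dict(params).get("oauth_signature", "")
    expected = hmac_sha1_signature(
        base_string(method, url, params, case_insensitive_keys),
        consumer_secret, token_secret)
    return hmac.compare_digest(provided, expected)


# Constructed sample request (hypothetical values). The name "Zcustom" sorts
# before "oauth_*" by byte value but after them case-insensitively.
SAMPLE_URL = "https://app.example.test/canvas"
SAMPLE_PARAMS = [
    ("oauth_consumer_key", "example-consumer-key"),
    ("oauth_nonce", "c0nstructed-n0nce"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1230000000"),
    ("oauth_version", "1.0"),
    ("opensocial_owner_id", "12345"),
    ("Zcustom", "value with spaces"),
]
SAMPLE_SECRET = "example-consumer-secret"


def demo():
    """Sign like a container using case-insensitive ordering, verify both ways."""
    spec_base = base_string("GET", SAMPLE_URL, SAMPLE_PARAMS)
    ci_base = base_string("GET", SAMPLE_URL, SAMPLE_PARAMS, case_insensitive_keys=True)
    sig = hmac_sha1_signature(ci_base, SAMPLE_SECRET)
    signed = SAMPLE_PARAMS + [("oauth_signature", sig)]
    return {
        "orderings_differ": spec_base != ci_base,
        "verifies_with_spec_ordering": verify_request(
            "GET", SAMPLE_URL, signed, SAMPLE_SECRET),
        "verifies_with_workaround": verify_request(
            "GET", SAMPLE_URL, signed, SAMPLE_SECRET, case_insensitive_keys=True),
    }


def spec_vector_check():
    """Known-answer test: OAuth Core 1.0 Appendix A example request."""
    params = [
        ("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
        ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1191242096"),
        ("oauth_nonce", "kllo9940pd9333jh"), ("oauth_version", "1.0"),
        ("file", "vacation.jpg"), ("size", "original"),
    ]
    base = base_string("GET", "http://photos.example.net/photos", params)
    sig = hmac_sha1_signature(base, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")
    return sig == "tR3+Ty81lMeYAr/Fid0kMTYa/WM="


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print(f"spec vector matches: {spec_vector_check()}")
```

Running the script shows the two base strings diverge as soon as a parameter name contains an upper-case letter, so a verifier that follows the spec rejects a signature the container produced with the case-insensitive ordering, and only the workaround ordering accepts it. The `spec_vector_check` function is the sanity test worth keeping in any OAuth 1.0 implementation: if it fails, the encoding or key construction is wrong before any ordering question arises.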
