starred/OAuthSwift
1
0
Fork 0
mirror of https://github.com/OAuthSwift/OAuthSwift.git synced 2026-04-26 12:45:52 +03:00
Code Issues 56 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #140] OAuth1 exchange fails due token secret being URL encoded. #85

New issue
Closed
opened 2026-03-03 16:45:33 +03:00 by kerem · 0 comments
kerem commented 2026-03-03 16:45:33 +03:00
Owner
Copy link

Originally created by @pculligan on GitHub (Nov 9, 2015).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/140

In using the OAuth1 provider via the OAuthSwiftDemo the initial token request works, but once the credential's oauth_token_secret is assigned, all signatures fail.

Step 1: Request token

POST /platform/oauth/request_token HTTP/1.1
Authorization: OAuth realm="", oauth_callback="oauth-swift%3A%2F%2Foauth-callback%2Fjdcloud", oauth_consumer_key="johndeere-3WuO2CyXvjOAvq5HyQ4C657B", oauth_nonce="1446926761", oauth_signature="ej%2FrsK%2BYoKzQJr8vXqRLc3X81I0%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="492373033280972651", oauth_version="1.0"

Note that there is no token at this stage, so the signature is fine, and we get a token and secret back.

HTTP/1.1 200 OK
oauth_token=cb88aa77-6e26-499a-806a-52590d57785b&oauth_token_secret=Q3StNc9bb4n4AF%2FvyiIeiRjwmjqsaBxWWF73wUpqxjjYADLuXRsPrE2sgqLedQmdABSjL9SqDGKEwrc5ZXdow1LiNk7kWQ8K2OY6xp2bRJI%3D&oauth_callback_confirmed=true

When we try to authorize during step 2 however, I get a 401, constantly. After tracing, I found that in the OAuth1Swift.swift file the method takes the callback URL directly.

// 1. Request token
public func postOAuthRequestTokenWithCallbackURL(callbackURL: NSURL, success: TokenSuccessHandler, failure: FailureHandler?) {

...

}

// 3. Get Access token
func postOAuthAccessTokenWithRequestToken(success: TokenSuccessHandler, failure: FailureHandler?) {

...

}

Within the method, the QueryString is parsed by the parametersFromQueryString method into parameters.

    func parametersFromQueryString() -> Dictionary<String, String> {
        var parameters = Dictionary<String, String>()

        let scanner = NSScanner(string: self)

        var key: NSString?
        var value: NSString?

        while !scanner.atEnd {
            key = nil
            scanner.scanUpToString("=", intoString: &key)
            scanner.scanString("=", intoString: nil)

            value = nil
            scanner.scanUpToString("&", intoString: &value)
            scanner.scanString("&", intoString: nil)

            if (key != nil && value != nil) {
                parameters.updateValue(value! as String, forKey: key! as String)
            }
        }

        return parameters
    }

However these are used directly, never decoded in either the postOAuthRequestTokenWithCallbackURL or postOAuthAccessTokenWithRequestToken methods.

            self.client.credential.oauth_token = parameters["oauth_token"]!
            self.client.credential.oauth_token_secret = parameters["oauth_token_secret"]!

I have a local edit that tests out and will submit a PR shortly.

            if let oauthToken=parameters["oauth_token"] {
                self.client.credential.oauth_token = oauthToken.stringByRemovingPercentEncoding!
            }
            if let oauthTokenSecret=parameters["oauth_token_secret"] {
                self.client.credential.oauth_token_secret = oauthTokenSecret.stringByRemovingPercentEncoding!
            }
Originally created by @pculligan on GitHub (Nov 9, 2015). Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/140 In using the OAuth1 provider via the OAuthSwiftDemo the initial token request works, but once the credential's `oauth_token_secret` is assigned, all signatures fail. Step 1: Request token ``` POST /platform/oauth/request_token HTTP/1.1 Authorization: OAuth realm="", oauth_callback="oauth-swift%3A%2F%2Foauth-callback%2Fjdcloud", oauth_consumer_key="johndeere-3WuO2CyXvjOAvq5HyQ4C657B", oauth_nonce="1446926761", oauth_signature="ej%2FrsK%2BYoKzQJr8vXqRLc3X81I0%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="492373033280972651", oauth_version="1.0" ``` Note that there is no token at this stage, so the signature is fine, and we get a token and secret back. ``` HTTP/1.1 200 OK oauth_token=cb88aa77-6e26-499a-806a-52590d57785b&oauth_token_secret=Q3StNc9bb4n4AF%2FvyiIeiRjwmjqsaBxWWF73wUpqxjjYADLuXRsPrE2sgqLedQmdABSjL9SqDGKEwrc5ZXdow1LiNk7kWQ8K2OY6xp2bRJI%3D&oauth_callback_confirmed=true ``` When we try to authorize during step 2 however, I get a 401, constantly. After tracing, I found that in the OAuth1Swift.swift file the method takes the callback URL directly. ``` Swift // 1. Request token public func postOAuthRequestTokenWithCallbackURL(callbackURL: NSURL, success: TokenSuccessHandler, failure: FailureHandler?) { ... } // 3. Get Access token func postOAuthAccessTokenWithRequestToken(success: TokenSuccessHandler, failure: FailureHandler?) { ... } ``` Within the method, the QueryString is parsed by the `parametersFromQueryString` method into `parameters`. ``` func parametersFromQueryString() -> Dictionary<String, String> { var parameters = Dictionary<String, String>() let scanner = NSScanner(string: self) var key: NSString? var value: NSString? while !scanner.atEnd { key = nil scanner.scanUpToString("=", intoString: &key) scanner.scanString("=", intoString: nil) value = nil scanner.scanUpToString("&", intoString: &value) scanner.scanString("&", intoString: nil) if (key != nil && value != nil) { parameters.updateValue(value! as String, forKey: key! as String) } } return parameters } ``` However these are used directly, never decoded in either the `postOAuthRequestTokenWithCallbackURL` or `postOAuthAccessTokenWithRequestToken` methods. ``` self.client.credential.oauth_token = parameters["oauth_token"]! self.client.credential.oauth_token_secret = parameters["oauth_token_secret"]! ``` I have a local edit that tests out and will submit a PR shortly. ``` if let oauthToken=parameters["oauth_token"] { self.client.credential.oauth_token = oauthToken.stringByRemovingPercentEncoding! } if let oauthTokenSecret=parameters["oauth_token_secret"] { self.client.credential.oauth_token_secret = oauthTokenSecret.stringByRemovingPercentEncoding! } ```
kerem 2026-03-03 16:45:33 +03:00
  • closed this issue
  • added the
    bug
         label
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
ci/action/danger
ci/action/release-drafter
pkce
ci/action/tvos
ci/travis
2.1.0
2.0.0
fix/fitbiterror
swift3
digu-demo
swift3.0objc
swift2.2
swift2.3
swift2.0
2.2.0
2.1.2
2.1.1
2.1.0
2.0.1
2.0.0
1.4.1
1.4.0
1.3.0
1.2.2
1.2.1
1.2.0
1.1.2
1.1.1
1.1.0
1.0.0
0.6.0
0.5.2
v0.5.2
0.5.1
0.5.0
0.4.8
0.4.6
v0.4.6
0.4.5
v0.4.5
0.4.4
v0.4.4
0.4.3
0.4.2
0.4.1
v0.4.1
0.4.0
v0.4.0
Swift1.x
0.3.7
v0.3.7
0.3.6
v0.3.6
0.3.5
v0.3.5
0.3.4
v0.3.4
0.3.3
v0.3.3
v0.3.2
0.3.2
0.3.1
v0.3.1
0.3.0
v0.3.0
0.2.1
0.2.0
v0.2.0
0.1.9
0.1.8
0.1.7
v0.1.7
v0.1.6
Labels
Clear labels   
bug

   
cocoapod

   
duplicate

   
enhancement

   
feature-request

   
help wanted

   
help wanted

   
invalid

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
wontfix
No labels
bug
cocoapod
duplicate
enhancement
feature-request
help wanted
help wanted
invalid
pull-request
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/OAuthSwift#85
No description provided.