
I have a problem when trying to make a web request to UGC and authenticate using OAuth. I'm making a web request such as:-

WebRequest wr = WebRequest.Create("http://ugc.service/odata.svc/Ratings(Id=200)");
wr.Headers["authorization"] = "OAuth " + auth;

Where auth is my token returned from the access_token.svc. According to the documentation the token returned from the service should be something like:-

HufXeuUt%2FYYElA8SYjJOkUkrXxV9dyXRirmKhjW%2Fb%2FU%3D

However, what I'm being returned from access_token.svc is more like:-

{"access_token":"client_id%3dtestuser%26expiresOn%3d1361898714646%26digest%3d%2fW%2fvyhQneZHrm1aGhwOlgLtA9xGWd77hkxWbjmindtM%3d","expires_in":300}

I've parsed the JSON to extract various strings and attempted to pass these through to the authorization but whatever I try I get an error in the logs - "ERROR OAuth2AccessToken - Digest is wrong." Exactly what part of the token and in what format should I be passing through to authorization?

Many thanks

John

  • Difficult question, I have hardly any experience with OAuth. But I do know that the properties passed through headers are prefixed with oauth_ e.g. oauth_consumer_key, oauth_token. Properties returned seem to me to be usable in a query string. Using an OAuth library might help you a bit. http://oauth.net/code/ – Arjen Stobbe Feb 27 '13 at 07:07
  • I've retagged to include oauth and odata as this seems like a problem with that rather than Tridion. Try searching for questions around those topics too. – Rob Stevenson-Leggett Feb 27 '13 at 12:35

1 Answer


Like you mentioned, the protocol is this:

  1. You make a post request to the access token end-point to get a token (you need to provide here your client_id and your client_secret as headers or as query parameters);

  2. You get an answer similar to this: {"access_token":"sometoken","expires_in":300};

     2.1 Worth knowing is that the token is URL-encoded and in UTF-8 format, so on the Java side you need to do URLDecoder.decode("sometoken", "UTF-8"); while on the .NET side you need to do HttpUtility.UrlDecode("sometoken", System.Text.Encoding.UTF8);

  3. Your next request needs to include the authorization header. On the Java side you do builder.header("authorization", "OAuth " + decodedTokenString); while on the .NET side you can use Client.Headers["authorization"] = "OAuth " + DecodedTokenString;

Worth mentioning is that the SharedSecret defined in the cd_webservice_conf.xml (/Configuration/AuthenticationServer/SharedSecret/) of the TokenAccessPoint needs to be the same as the SharedSecret defined in the cd_ambient_conf.xml (/Configuration/Security/SharedSecret/) of the (WebService)EndPoint.

Are you sure you properly decoded the token you got from the server? Are you sure that you configured the proper SharedSecret in the two configuration files?

Hope this helps.

Daniel Neagu
  • Hi Daniel, sorry for not updating on this sooner. It was the decoding of the token, as you correctly pointed out, and an incorrect config value that were causing us the problem. All good now. Thanks, John – John Mar 13 '13 at 08:23
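
The parse, decode and header steps from the answer above, put together as an added C# example (not code from either poster or from the product). It uses the token response quoted in the question; the `UgcAuth` class, its `BuildAuthorizationHeader` helper, the use of System.Text.Json for parsing, and the shape check on the decoded token are assumptions made for this illustration.

```csharp
using System;
using System.Net;
using System.Text;
using System.Text.Json;
using System.Web;

static class UgcAuth   // hypothetical helper class, not part of any product API
{
    // Turns the JSON body returned by access_token.svc into the Authorization header value.
    public static string BuildAuthorizationHeader(string tokenResponseJson)
    {
        string encoded;
        using (JsonDocument doc = JsonDocument.Parse(tokenResponseJson))
        {
            encoded = doc.RootElement.GetProperty("access_token").GetString();
        }
        if (string.IsNullOrEmpty(encoded))
            throw new FormatException("access_token is missing from the response.");

        // Decode exactly once. HttpUtility.UrlDecode maps '+' to a space, so a second
        // pass over an already decoded token could corrupt a Base64 digest.
        string decoded = HttpUtility.UrlDecode(encoded, Encoding.UTF8);

        // Shape check based on the sample token in the question (an assumption, not a
        // documented format): client_id=...&expiresOn=...&digest=...
        if (!decoded.StartsWith("client_id=", StringComparison.Ordinal) ||
            decoded.IndexOf("&digest=", StringComparison.Ordinal) < 0)
            throw new FormatException("Token did not decode to the expected form.");

        return "OAuth " + decoded;
    }

    public static void Main()
    {
        // Token response copied from the question above.
        string json = "{\"access_token\":\"client_id%3dtestuser%26expiresOn%3d1361898714646"
                    + "%26digest%3d%2fW%2fvyhQneZHrm1aGhwOlgLtA9xGWd77hkxWbjmindtM%3d\","
                    + "\"expires_in\":300}";

        string header = BuildAuthorizationHeader(json);
        Console.WriteLine(header);

        // The request is only constructed here, not sent; the URL is the one from the question.
        WebRequest wr = WebRequest.Create("http://ugc.service/odata.svc/Ratings(Id=200)");
        wr.Headers["authorization"] = header;
    }
}
```

Sending the raw `access_token` value, or decoding it twice, leaves the header out of step with the token the server issued, which matches the "Digest is wrong" log entry from the question once the SharedSecret values are known to agree.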