Goodreads Developers discussion

bugs > Missing oauth_verifier parameter on user auth redirect


message 1: by Mitch (last edited Oct 15, 2014 02:16PM) (new)

Mitch Anderson (tmanderson) | 5 comments I'm getting a 500 error with the following request (key information has been replaced with 'xxxx'):

Below is the method, API endpoint, the Authorization header, and the POST body. As a side note, I've also tried this as plain HTTP with PLAINTEXT encoding, which did not work either. Also, if I don't send a POST body, but instead make those token params part of the Authentication data, I get a very vague 'Invalid OAuth Request' error. The request below is what results in a 500:

POST https://www.goodreads.com/oauth/acces...

Authorization: OAuth oauth_consumer_key="xxxx", oauth_nonce="xxxx", oauth_signature="xxxx", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1413406916", oauth_version="1.0"

oauth_token=xxxx&oauth_token_secret=xxxx

I am obtaining the oauth_token and oauth_token_secret values correctly via /request_token (which is the values above). It just seems like the /access_token endpoint is the bad one.

My first thought is that the /oauth/authorize redirect doesn't include an 'oauth_verifier' parameter, which is something that I believe is required...if not, then is there any idea as to why I'm getting a 500?


message 2: by Michael (new)

Michael Economy (michaeleconomy) are you using a library for oauth?


message 3: by Mitch (new)

Mitch Anderson (tmanderson) | 5 comments Yes, I am using the first one listed under Javascript at oauth.com/code. Along with that I am following the steps here verbatim.

The step at Appendix A.3 "Request User Authorization" has the service provider returning a set of query params, among them 'oauth_verifier'.

The next step for A.4 "Requesting an Access Token" requires the verifier token in order to successfully retrieve an Access Token. The Goodreads user authentication only supplies the oauth_token parameter after user verification.

That's where I'm blocked. I need an access token in order to find out who a user is (since user auth doesn't give me a reference to the actual user).


message 4: by Michael (new)

Michael Economy (michaeleconomy) can you post your code sample? (make sure to obscure any private keys though).


message 5: by Mitch (last edited Oct 17, 2014 04:38PM) (new)

Mitch Anderson (tmanderson) | 5 comments I was actually inquiring a bit more on the 500 error, as that's signifying an error on the server's side. I posted my full request (which should be all you need) in my initial post - and really, beyond the library I'm using, there isn't any extraneous code outside of the HTTP requests.

Keep in mind that I am successfully retrieving both a request token and authorization of a user. If you'd like me to post those successful requests as well, let me know.


message 6: by Mitch (new)

Mitch Anderson (tmanderson) | 5 comments BUMP


message 7: by Ettore (new)

Ettore Pasquini Hey Mitch, I am not sure why that's happening, to be honest. I asked other engineers here at Goodreads to see if they know better, I'll report when we have a better answer.

What I can say is that others have successfully retrieved the access token without using the oauth_verifier param. We have some examples of apps here in the forum, many are open source. So you could inspect their code and maybe translate it to JavaScript?


message 8: by Novellio (last edited Feb 03, 2016 10:19AM) (new)

Novellio | 1 comments Is there any solution for this yet? The oauth_verifier still isn't being sent back.

Also, it would be nice if your system could check whether the supplied callback url already includes parameters and if so appends to it, instead of forcing a '?' regardless at the beginning of the parameters you add.

We're getting '?oauth_token' as a parameter instead of just oauth_token


message 9: by Dave (new)

Dave (davecahill) | 7 comments Hi Mitch and Novellio,

I hit a similar issue to you when I tried to get an oAuth token from Java; maybe my findings will be useful to you.

First, oauth_verifier not being sent back at the authorization callback step. This was surprising to me too. I read the following section from the oAuth Bible:
http://oauthbible.com/#oauth-10a-thre...

To quote:
"On Step 6 if the oauth_verifier has not been set, this is a failed OAuth 1.0a 3-Legged implementation and probably only requires the oauth_token to be sent. Rarely seen but they exist."

So, I removed any reference to setting verifier in my code; still didn't work. The piece which made it work for me was setting the *temporary token*'s secret as the token shared secret when signing the access token request. Maybe this would also work for you?

Here is a repo I created with a working sample (Java) in case it helps:
https://github.com/davecahill/goodrea...

Thanks,
Dave.
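
The signing detail described in message 9, as an added example (not code from any post in this thread or from the linked repo): the access-token request is signed with an HMAC-SHA1 key of `consumer_secret&request_token_secret` per RFC 5849, `oauth_token` travels in the signed Authorization header, and `oauth_verifier` is added only if the provider returned one. The endpoint URL, key values and function names are placeholders chosen for illustration.

```javascript
const crypto = require('crypto');

// RFC 3986 percent-encoding as OAuth 1.0 requires (RFC 5849, section 3.6).
function pct(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Signature base string: METHOD & encoded URL & encoded, sorted parameters.
// Assumes `url` has no query string and unique parameter names.
function baseString(method, url, params) {
  const pairs = Object.entries(params)
    .map(([k, v]) => [pct(k), pct(v)])
    .sort((a, b) => (a[0] < b[0] ? -1 : 1))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  return [method.toUpperCase(), pct(url), pct(pairs)].join('&');
}

// The HMAC key is "consumer_secret&token_secret". The token secret only
// ever appears here, in the key; it is never sent in a header or body.
function sign(method, url, params, consumerSecret, tokenSecret) {
  const key = `${pct(consumerSecret)}&${pct(tokenSecret || '')}`;
  return crypto.createHmac('sha1', key)
    .update(baseString(method, url, params)).digest('base64');
}

// Authorization header for the access-token step. The request (temporary)
// token's secret is the token secret used for signing.
function accessTokenHeader(opts) {
  const params = {
    oauth_consumer_key: opts.consumerKey,
    oauth_nonce: opts.nonce || crypto.randomBytes(16).toString('hex'),
    oauth_signature_method: 'HMAC-SHA1',
    oauth_timestamp: String(opts.timestamp || Math.floor(Date.now() / 1000)),
    oauth_token: opts.requestToken,
    oauth_version: '1.0',
  };
  // Include the verifier only when the callback actually carried one.
  if (opts.verifier) params.oauth_verifier = opts.verifier;
  params.oauth_signature = sign('POST', opts.url, params,
    opts.consumerSecret, opts.requestTokenSecret);
  return 'OAuth ' + Object.keys(params).sort()
    .map(k => `${pct(k)}="${pct(params[k])}"`).join(', ');
}
```
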


message 10: by Ethan (new)

Ethan | 4 comments Could we get the oauth_verifier implemented? While you can work around it with most libraries, it really ought to be there.


message 11: by Daniel (new)

Daniel (dbmrq) | 19 comments Something similar just happened to me when using OAuthSwift on iOS. It took me a long time to figure out what the problem was, but once I did I found out OAuth1Swift objects have an "allowMissingOauthVerifier" property; I set it to true and now everything works.


message 12: by Alexander (new)

Alexander Trauzzi | 7 comments Yeah, would like to see oauth_verifier implemented as well. Caused a bit of a hiccup, I ended up using the value "authorize" (which is '1') in its place and it seemed to get the library I'm using back on the right track. Not sure why parameters are getting renamed outside of the spec though.

