1. David Larlet
  2. django-oauth-plus
  3. Issues
Issue #10 resolved

Malformed callback URL when user denies authorization

David Eyk
created an issue

The callback URL I'm getting in the Location header on authorization rejection is malformed.

According to the docs, I should expect something like this:

{{{ http://printer.example.com/request_token_ready?oauth_verifier=...&error=Access+not+granted+by+user. }}}

But I'm actually getting this:

{{{ http://printer.example.com/request_token_ready&error=Access+not+granted+by+user. }}}

Not only is it missing the {{{oauth_verifier}}} argument, but it's missing the query-string character ({{{?}}}) altogether.

I've posted a test to demonstrate the problem here: https://gist.github.com/1110475 (the second test fails).

Comments (6)

  1. David Larlet repo owner

    Hi David,

    I just attached a diff with the fix of the issue related to the encoding of arguments in URLs (? vs &) but considering your problem with the missing oauth_verifier argument, I think it's not possible to add it at this step of the process because the token hasn't been verified yet (and will not be because the user refused it).

    Is your interpretation of the specification different?

    Thanks a lot for your example test, very useful to spot the bug and fix it. I'm waiting for you to test before commiting it.


  2. David Eyk reporter

    Thanks for getting back with a patch so quickly. I've confirmed that the patch fixes the ? character.

    I'm not at a point where I *have* an interpretation of the spec yet. :) I'm basing this particular test on line 331 of oauth_provider/tests.py, which has an oauth_verifier argument.

    I'm writing my own test suite partly because I'm trying to understand the OAuth workflow better, and partly because the included doctests don't pass. I'm not familiar with doctest output, so I find it difficult to read. I'm not sure if the tests are failing because they're broken (as they appear to be in this case) or because integration with my project has invalidated certain assumptions.

  3. Log in to comment