python-oauth2

Redirect & Duplicate Query String Parameters

Open nadersoliman opened this issue 11 years ago • 1 comments

Hello,

In case of a 30X redirect on a GET, httplib2 calls back on oauth2 client.request with the new location, and body filled with oauth tokens. oauth2 client.request then generates new oauth tokens and appends the body, causing duplicate oauth tokens in the request.

In httplib2/__init__.py:1385

                        (response, content) = self.request(
                            location, method=redirect_method,
                            body=body, headers=headers,
                            redirections=redirections - 1)

This call back to oauth2.Client.request will sign a url that already contains oauth signature parts, and append them to the url, causing a duplicate oauth signature. This causes trouble for some backends; in my case it was the odesk backend.

As per RFC2616[1], the Location header on a redirect contains an absolute URI, not a base URI. As per RFC3986[2], an absolute URI can contain query string parameters.

[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30
[2] http://tools.ietf.org/html/rfc3986#page-27

nadersoliman, May 31 '14 12:05

Thanks for reporting this @nadersoliman

jaitaiwan, Jul 29 '15 12:07
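
Added example (not part of the issue thread, and not python-oauth2 or httplib2 code): one way to detect the duplicated `oauth_*` parameters described in the report and to strip stale ones from a redirect target before signing again. The `sign` helper, the URLs and the nonce values are constructed stand-ins, and the example assumes the redirect target carries the first request's OAuth query parameters.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def duplicate_oauth_params(url):
    """Return the sorted oauth_* parameter names that occur more than once."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    counts = Counter(k for k, _ in pairs if k.startswith("oauth_"))
    return sorted(k for k, n in counts.items() if n > 1)


def strip_oauth_params(url):
    """Drop every oauth_* query parameter, keeping the others in order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not k.startswith("oauth_")]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def sign(url, nonce):
    """Hypothetical stand-in for the signing step: appends oauth_* parameters.

    A real client computes an HMAC over the request; only the "append to the
    query string" behaviour matters for this demonstration.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += [("oauth_nonce", nonce), ("oauth_signature", "sig-" + nonce)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


# Constructed data: the first signed request, and a redirect target that
# keeps the same query string on a different path (assumption).
FIRST = sign("https://api.example.test/v1/jobs?page=2", "n1")
LOCATION = FIRST.replace("/v1/", "/v2/")

# Re-signing the redirect target as-is reproduces the duplication in the report.
NAIVE = sign(LOCATION, "n2")
# Stripping the stale oauth_* values first leaves exactly one set.
CLEAN = sign(strip_oauth_params(LOCATION), "n2")

if __name__ == "__main__":
    print("naive duplicates:", duplicate_oauth_params(NAIVE))
    print("clean duplicates:", duplicate_oauth_params(CLEAN))
    print("clean url:", CLEAN)
```

`duplicate_oauth_params` can also be run over outgoing request URLs in a test suite or proxy log to catch this regression.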