oauth-dotnetcore icon indicating copy to clipboard operation
oauth-dotnetcore copied to clipboard

Published 20 hours ago verified publisher icon rhargreaves

Custom parameters added to GetRequestString() are stripped off, resulting in wrong request

Open MikelThief opened this issue 4 years ago • 2 comments

Hello,

Every time I add my own set of parameters to OAuthRequest.GetAuthorizationQuery() they are stripped off the resulting query string. However, the signature is being calculated taking them into consideration. This results in wrong authorization query being returned.

I believe the issue exists since 2.X. The issue lies in line 214 of OauthRequest.cs as my parameters do not begin with oauth_ and I the official standard says nothing about such a restriction

MikelThief avatar Sep 04 '19 20:09 MikelThief

I believe the GetAuthorizationQuery() method is only supposed to return those parameters that are added as part of the OAuth signing. You will need to append the output of that method to your existing URL to get a valid request URL.

See intended usage here:

// Using URL query authorization
string auth = client.GetAuthorizationQuery();
var url = client.RequestUrl + "?" + auth;
var request = (HttpWebRequest)WebRequest.Create(url);

(https://github.com/rhargreaves/oauth-dotnetcore/tree/7267b3a5f3085d05b8e779c6affb3e2be52e23cc#making-requests)

rhargreaves avatar Sep 05 '19 18:09 rhargreaves

Thank you for the answer :)

I currently use the library the following way (fieldString and nodeId are coming from the outside):

var additionalParametersDict = new Dictionary<string, string>
{
    {"fields", fieldsString},
    {"node_id", nodeId.ToString()}
};
return $"{UnderlyingOAuthRequest.RequestUrl}?" +
    UnderlyingOAuthRequest.GetAuthorizationQuery(parameters: additionalParametersDict);

I assumed that since the request string body and its authorization part (nonce) are bonded together should not really strip off parts of data which have real influence on the output.

Would you then recommend to use it like this (assuming ToQuery() method will create a query string of form a=b&c=d)?

var additionalParametersDict = new Dictionary<string, string>
{
    {"fields", fieldsString},
    {"node_id", nodeId.ToString()}
};
return $"{UnderlyingOAuthRequest.RequestUrl}?"
    + UnderlyingOAuthRequest.GetAuthorizationQuery(parameters: additionalParametersDict)
    + additionalParametersDict.ToQuery();

MikelThief avatar Sep 05 '19 19:09 MikelThief