“...I've been working since 2008 with Ruby / Ruby on Rails, love a bit of Elixir / Phoenix and learning Rust. I also poke through other people's code and make PRs for OpenSource Ruby projects that sometimes make it. Currently working for InPay...”

Rob Lacey (contact@robl.me)
Senior Software Engineer, Brighton, UK

Day 10: OAuth, Rails and Myspace

Currently wrestling with verifying requests from Myspace. Found this same code on the Myspace developer forum and posted from Jarkko Laine on a the following Google group this hopefully this should be on the right tracks. It wasn’t working immediately.

I assumed that OAuth was purely for the remote server-side working as a client for accessing remote protected resources. It appears that you get oauth parameters passed through with the initial request to your iFrame when viewing a Canvas. This can be verified by the application server to ensure the incoming request is from Myspace and the ‘opensocial_viewer_id’ in fact relates to the Myspace user who is looking at your application.

CONSUMER_KEY = "xxxxxxxx"
CONSUMER_SECRET = "yyyyyyyy"

 require 'oauth'
 require 'oauth/consumer'
 require 'oauth/request_proxy/action_controller_request'  

  def oauth_required
    consumer = OAuth::Consumer.new(CONSUMER_KEY, CONSUMER_SECRET)

    begin
      signature=OAuth::Signature.build(request) do
        # return the token secret and the consumer secret
        [nil, consumer.secret]
      end
      pass = signature.verify
      logger.info "Signature verification returned: #{pass}"
    rescue OAuth::Signature::UnknownSignatureMethod => e
      logger.error "ERROR"+ e.to_s
    end

    render :text => "OAuth access denied", :status => :unauthorized  unless pass
  end

signature.verify always seemed to always return false, after initially following these two threads thinking that the problem was because the signature was actually escaped incorrectly. This in fact is a problem that is resolved in 0Auth 0.3.2.

http://groups.google.com/group/oauth-ruby/browse_thread/thread/950b62587ec94d50?pli=1

http://groups.google.com/group/oauth-ruby/browse_thread/thread/63e8ba8200768da2

I realised it was my error entirely. I made an assumption that the ApplicationPlatform was purely for opensocial and MyspaceID was purely for OAuth/REST. So I was using entirely the wrong oauth key/secret. Having only two applications setup I didn’t notice the ApplicationPlatform also had OAuth keys and in fact you can use OAuth with it too…in fact you need to in order to verify the incoming requests.

I’ve simplified the code from above as not all of it is needed.

def oauth_required

  key     = 'xxxxxxxx'
  secret  = 'yyyyyyyy'

  consumer = OAuth::Consumer.new(key, secret)

  verified = OAuth::Signature.verify(request) do
    [nil, consumer.secret]
  end
  
  unless verified
    render :text => "OAuth access denied", :status => :unauthorized
  end

end

More Myspace / Rails code examples

http://developer.myspace.com/Community/forums/p/3626/15947.aspx

http://blog.bittercoder.com/CategoryView,category,OAuth.aspx