Error in Access Token Response?

Started by Private User on Monday, May 16, 2011

Showing all 8 posts
Private User
5/16/2011 at 3:01 AM

Probably a minor error in the API, but when requesting an access token from https://www.geni.com/oauth/token the returned POST response is tagged as "ContentType = application/json; charset=utf-8", but the data is obviously using ContentType = "application/x-www-form-urlencoded" like this result: access_token=aBlZqgBbjRS6dKxndZthtsI2u7EgOg9tluTfFkIS

As far as I understand the OAuth2 standard the response should be JSON like this:
{ "access_token":"aBlZqgBbjRS6dKxndZthtsI2u7EgOg9tluTfFkIS"}

5/16/2011 at 6:37 AM

I think the JSON in the spec is only an example. Later they use a form-urlencoded example. The spec seems to be ambiguous on that.

I'll add a way to request the specific response type by adding a format parameter (eg format=json).

Private User
5/16/2011 at 9:31 AM

In any case the returned ContentType today says that the data is JSON, so this is an error since the content is x-www-form-urlencoded, not JSON (I got an error on this).

Private User
5/16/2011 at 9:40 AM

Using a format parameter is not supplied by the spec.

Private User
5/16/2011 at 12:51 PM

The Geni API does not follow the Error Response recommendation of the OAuth2 standard either.

http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-5.2

I tested my app by fabricating some of the errors. - Yes, I am very focused on following (and making) standards ;-)

5/18/2011 at 9:28 AM

Access token responses will be JSON only after the next update.

Background:
Our API test client was relying on an older oauth2 gem which has been updated to work properly with JSON. I've updated the API test client code as well.

5/18/2011 at 10:37 AM

Looks like the JSON update won't be going out with the next update.
We need to notify some of our API users before the change can go live.

Private User
5/19/2011 at 2:58 AM

Thanks.

A summary from a private discussion:

* I discovered that there was no auto-expire on access_tokens, with the result that even three-month-old access_token examples posted to these discussions gave me API access to all private profiles of that user (including my example above, which was temporarily deleted until the issue was solved). This is now solved.
Never post examples with a valid access_token - that gives everyone an open door to your login, - for me as a curator a valid access_token from me would give everyone curator access to all public profiles in Geni (90 million?) ;-) Geni should consider better signing of API requests and not only a simple access_token.

* access_tokens will expire in 24 hours (?)

* access token responses will be JSON after the next update.

* Calling https://www.geni.com/oauth/invalidate?access_token=<token> will invalidate the token and should be used to log out your application.

* Returned data from request_token will be JSON and also include the expires_in parameter.
Example: http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.1.4
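The thread covers three things a client has to cope with at the token endpoint: a body whose declared Content-Type does not match its actual encoding (first post), the OAuth2 error-response shape from section 5.2 of the draft (fifth post), and the expires_in field promised in the summary above. The example below is added here and is not Geni's code nor any poster's; it sniffs the body instead of trusting the header, surfaces an error response as an exception, derives an absolute expiry from expires_in, and redacts tokens before they reach a log. The sample bodies and the EXAMPLE_TOKEN_PLACEHOLDER value are constructed for the example, not real tokens.

```python
import json
import time
from urllib.parse import parse_qs

# Constructed sample responses (placeholder token, not a real one) modelling
# the three bodies discussed in the thread: a form-encoded body mislabelled
# as JSON, the JSON body with expires_in, and an OAuth2 error response in
# the shape of draft-ietf-oauth-v2-15 section 5.2.
SAMPLE_FORM = ("application/json; charset=utf-8",
               "access_token=EXAMPLE_TOKEN_PLACEHOLDER")
SAMPLE_JSON = ("application/json; charset=utf-8",
               '{"access_token":"EXAMPLE_TOKEN_PLACEHOLDER","expires_in":86400}')
SAMPLE_ERROR = ("application/json; charset=utf-8",
                '{"error":"invalid_grant","error_description":"code expired"}')


class OAuthError(Exception):
    """Raised when the server answers with a section 5.2 error body."""

    def __init__(self, error, description=None):
        super().__init__(f"{error}: {description}" if description else error)
        self.error = error
        self.description = description


def parse_token_response(content_type, body):
    """Return the token fields as a dict.

    The declared Content-Type is deliberately ignored for parsing, because
    the thread shows it can be wrong; the body itself decides. A JSON object
    starts with '{', anything else is treated as form-urlencoded.
    """
    text = body.strip()
    if text.startswith("{"):
        data = json.loads(text)
    else:
        # parse_qs returns a list per key; a token response has one value each
        data = {k: v[0] for k, v in parse_qs(text, strict_parsing=True).items()}
    if "error" in data:
        # Error responses must not be mistaken for a token grant
        raise OAuthError(data["error"], data.get("error_description"))
    if "access_token" not in data:
        raise ValueError("token response contains no access_token")
    return data


def token_expiry(data, now=None):
    """Absolute expiry (epoch seconds) from expires_in, or None when the
    server sent none. None means the client cannot assume the token is
    short-lived and should invalidate it explicitly on logout."""
    now = time.time() if now is None else now
    if "expires_in" not in data:
        return None
    return now + int(data["expires_in"])


def redact_token(token):
    """Short, non-reusable form of a token for logs and bug reports, so a
    working credential is never pasted into a public discussion."""
    return token[:4] + "..." if len(token) > 4 else "..."


if __name__ == "__main__":
    grant = parse_token_response(*SAMPLE_JSON)
    print("token", redact_token(grant["access_token"]),
          "expires at", token_expiry(grant))
```

The declared Content-Type is still worth checking after parsing: a mismatch between the header and the body encoding is exactly the kind of thing to report upstream, as the first post did, but it should not break the client in the meantime.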
