We’re implementing a simple 2-legged OAuth1a conversation between a .Net MVC4 WebApi app using DNOA and a Java app using Spring Security. In implementing the Delegating MessageHandler to verify the incoming request, DNOA seems to insist on having the token in the request. The Spring implementation doesn’t need the token. My feeling is that the .Net implementation isn’t correct in some way.
Here is the handler, and this works if I send it with a token.

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        TokenManager tokenManager = new TokenManager();
        var requestW = new HttpRequestWrapper(HttpContext.Current.Request);
        var sp = new ServiceProvider(Constants.SelfDescription, tokenManager, new NonceStore());
        try
        {
            // Throws if the request carries no valid OAuth authorization
            var auth = sp.ReadProtectedResourceAuthorization(requestW);
            if (auth != null)
            {
                // verify etc. etc.
            }
        }
        catch (Exception)
        {
            // return Unauthorized response
        }
        return base.SendAsync(request, cancellationToken);
    }

In this code I get an exception on the ReadProtectedResourceAuthorization call that says it received an UnauthorizedRequest.
So what should the flow for this look like? Most everything I see says the token isn’t required for this type of flow, but DNOA seems to insist on it. Any insight is appreciated.
It sounds like what you’re trying to do is actually 0-legged OAuth (by my terminology anyway, since there are none of the original 3 legs of OAuth in what you’re trying to do). At least I gather from your description that your access token and access token secret are empty and all you have are consumer key and secret.
If I recall correctly, DNOA doesn’t support an empty access token (since that’s not allowed in the OAuth 1 spec).
Possible alternatives you can try:
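
Added example, not part of the answer above and not DotNetOpenAuth code: a minimal HMAC-SHA1 check for a request signed with only a consumer key and secret, showing that the signing key is the consumer secret followed by `&` and an empty token secret (RFC 5849, section 3.4.2). The class and method names, the URL and all credential values are constructed for illustration; nonce and timestamp replay checks are assumed to happen elsewhere.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added illustration (hypothetical names); replay protection is out of scope here.
static class ConsumerOnlyOAuth
{
    // RFC 3986 percent-encoding: only unreserved characters stay literal.
    static string Enc(string s)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(s))
        {
            char c = (char)b;
            bool unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                              (c >= '0' && c <= '9') || "-._~".IndexOf(c) >= 0;
            if (unreserved) sb.Append(c); else sb.Append('%').Append(b.ToString("X2"));
        }
        return sb.ToString();
    }
    // parameters: query, form and oauth_* values, without oauth_signature.
    public static string Sign(string method, string url,
        IEnumerable<KeyValuePair<string, string>> parameters, string consumerSecret, string tokenSecret = "")
    {
        var pairs = parameters.Select(p => new { K = Enc(p.Key), V = Enc(p.Value) })
            .OrderBy(p => p.K, StringComparer.Ordinal).ThenBy(p => p.V, StringComparer.Ordinal)
            .Select(p => p.K + "=" + p.V);
        string baseString = method.ToUpperInvariant() + "&" + Enc(url) + "&" + Enc(string.Join("&", pairs));
        // With no token the token secret is empty, so the key is "<consumer secret>&".
        string key = Enc(consumerSecret) + "&" + Enc(tokenSecret);
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }
    // Constant-time comparison of the presented and the recomputed signature.
    public static bool Verify(string presented, string expected)
    {
        int diff = presented.Length ^ expected.Length;
        for (int i = 0; i < presented.Length && i < expected.Length; i++) diff |= presented[i] ^ expected[i];
        return diff == 0;
    }
    static void Main()
    {
        // Constructed sample request: consumer key and secret only, no oauth_token.
        var p = new Dictionary<string, string> {
            { "oauth_consumer_key", "example-consumer" }, { "oauth_nonce", "n0nce123" },
            { "oauth_signature_method", "HMAC-SHA1" }, { "oauth_timestamp", "1700000000" },
            { "oauth_version", "1.0" }, { "id", "42" } };
        string presented = Sign("GET", "https://api.example.test/orders", p, "example-secret");
        Console.WriteLine(Verify(presented, Sign("GET", "https://api.example.test/orders", p, "example-secret")));
    }
}
```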