14 years, 5 months ago
(2009-11-13 01:58:44 UTC)
#1
So it turns out that Twitter returns 403 responses when a client is rate
limited. This causes the oauth proxy to delete oauth tokens. Not ideal, since
the token is still valid.
I'm modifying our code so that tokens are only dropped when we get a 401
response.
This looks safe. I've tested several OAuth service providers, and they all
return 401 on invalid tokens.
14 years, 5 months ago
(2009-11-13 02:09:50 UTC)
#2
This seems reasonable. I assume you've tested enough service providers to be
confident that none of the major ones return these errors regularly for
situations that would cause a problem with this change.
http://codereview.appspot.com/154105/diff/1/3
File
java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthProtocolException.java
(right):
http://codereview.appspot.com/154105/diff/1/3#newcode102
java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/OAuthProtocolException.java:102:
if (status == 401) {
Maybe use the constants from HttpResponse?
http://codereview.appspot.com/154105/diff/1/6
File
java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/testing/FakeOAuthServiceProvider.java
(right):
http://codereview.appspot.com/154105/diff/1/6#newcode305
java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth/testing/FakeOAuthServiceProvider.java:305:
"consumer_key_unknown", "invalid consumer: " + requestConsumer,
HttpResponse.SC_FORBIDDEN);
I assume that the use of underscores here indicates something that is checked
programmatically. Constants would be nice for that.
14 years, 5 months ago
(2009-11-13 17:08:07 UTC)
#3
Yep, tested against several service providers. None return 403 for
unauthorized.
They all return 401 for multiple reasons, unfortunately. So there are still
some cases where we will delete a token that might not actually have been
revoked. For example, most service providers can't distinguish between a token
that has been revoked and a bad signature due to bug on our side.
This is still better off than we were before.
I made the switch to using constants in those places.
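As an added illustration of the rule discussed in #1 (drop the stored token only on a 401, never on a 403) and of the caveat in #3 (a 401 can also come from a bad signature on the client side), here is a standalone Java sketch. It is not Shindig's code: the TokenStore class, the handleResponse method, the local status constants and the response sequence are all constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not part of Shindig. Models the proxy's decision of whether a
 * stored OAuth token should be dropped after a service-provider response.
 * TokenStore, handleResponse and the sample responses are invented here.
 */
public class TokenDropExample {

  // Local status constants; Shindig's own HttpResponse constants are not used here.
  static final int SC_OK = 200;
  static final int SC_UNAUTHORIZED = 401;
  static final int SC_FORBIDDEN = 403;

  /** Minimal token store keyed by "owner@service" (constructed for the example). */
  static class TokenStore {
    private final Map<String, String> tokens = new HashMap<>();

    void put(String key, String token) { tokens.put(key, token); }
    boolean has(String key) { return tokens.containsKey(key); }
    void remove(String key) { tokens.remove(key); }
  }

  /**
   * Pre-change rule: a 401 or a 403 both discard the token. This is what made a
   * rate-limit response (403 from Twitter) throw away a still-valid token.
   */
  static boolean shouldDropBefore(int status) {
    return status == SC_UNAUTHORIZED || status == SC_FORBIDDEN;
  }

  /**
   * Post-change rule: only a 401 discards the token. Caveat from the thread:
   * providers also return 401 for a bad signature caused by a client-side bug,
   * so a dropped token is not proof that the provider revoked it. Logging the
   * status alongside the removal keeps that distinction recoverable later.
   */
  static boolean shouldDropAfter(int status) {
    return status == SC_UNAUTHORIZED;
  }

  /** Applies one rule to one response and reports what happened to the token. */
  static String handleResponse(TokenStore store, String key, int status, boolean dropOn403) {
    boolean drop = dropOn403 ? shouldDropBefore(status) : shouldDropAfter(status);
    if (!drop) {
      return status + " -> token kept";
    }
    if (store.has(key)) {
      store.remove(key);
      return status + " -> token removed";
    }
    return status + " -> token already gone";
  }

  public static void main(String[] args) {
    // Constructed response sequence: success, rate limited (403), then invalid token (401).
    int[] responses = {SC_OK, SC_FORBIDDEN, SC_UNAUTHORIZED};
    String key = "alice@example-provider";

    for (boolean dropOn403 : new boolean[] {true, false}) {
      TokenStore store = new TokenStore();
      store.put(key, "access-token-placeholder");
      System.out.println(dropOn403 ? "Before the change:" : "After the change:");
      for (int status : responses) {
        System.out.println("  " + handleResponse(store, key, status, dropOn403));
      }
    }
  }
}
```

Compile with javac and run the class: the first pass shows the 403 in the constructed sequence wiping the token before the 401 ever arrives, the second shows the token surviving the 403 and being removed only on the 401.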
Issue 154105: don't delete oauth tokens on 403 responses
Created 14 years, 5 months ago by beaton
Modified 14 years, 5 months ago
Reviewers: shindig.remailer_gmail.com, etnu, Paul Lindner
Base URL: https://svn.apache.org/repos/asf/incubator/shindig/trunk/
Comments: 2