@aaxelb aaxelb commented Jul 11, 2024

(elaboration on CenterForOpenScience#78 (comment))
poking at what a separate OAuth1TemporaryCredentials model might look like

Comment on lines +17 to +21
account = AuthorizedStorageAccount.objects.get(
_temporary_oauth1_credentials__in=OAuth1TemporaryCredentials.objects.filter_by_oauth1_temporary_token(
temporary_oauth_token
)
)
Owner

This won't work, as the token from request.GET["oauth_token"] is different from the temporary_oauth_token obtained before forming the auth URL. I tested it. If this weren't the case, I would've implemented it the same way as you.

Author

Hmm, ok, that seems to agree with the example code in Zotero's docs, which uses the new token for the next request...

        //set the token we got back from the provider and the secret we saved previously for the exchange.
        $oauth->setToken($_GET['oauth_token'], $request_token_info['oauth_token_secret']);

...but I've been confused because that seems to disagree with OAuth1, both RFC 5849

   [...] The server constructs the request URI by adding the
   following REQUIRED parameters to the callback URI query component:

   oauth_token
         The temporary credentials identifier received from the client.
   oauth_verifier
         The verification code.

and 1.0a

   [...], and directs the User's web browser to that URL with the following parameters added:

    oauth_token:
        The Request Token the User authorized or denied. 
    oauth_verifier:
        The verification code. 

So I'd assumed the temporary token was meant to be shared across all the requests in a given auth attempt -- implementing Zotero's way (with the account id in the session) seems fine, since it supports services whether they use the temporary token once or twice.
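An added example (not code from this PR or the addon service) of the approach described above: the callback is resolved through the account id kept in the session, and the token-exchange step uses the callback's oauth_token together with the secret saved before the redirect, so an RFC 5849 provider and a Zotero-style one are handled the same way. PENDING, start_auth and handle_callback are assumed names standing in for the real model and views.

```python
from dataclasses import dataclass

@dataclass
class TemporaryCredentials:
    account_id: int
    oauth_token: str         # temporary credentials identifier from the provider
    oauth_token_secret: str  # its secret; never sent to the browser

# Constructed stand-in for the OAuth1TemporaryCredentials table, keyed by account id.
PENDING: dict[int, TemporaryCredentials] = {}

def start_auth(account_id: int, token: str, secret: str) -> dict:
    """Save the temporary credentials; return the state to put in the user's session."""
    PENDING[account_id] = TemporaryCredentials(account_id, token, secret)
    return {"oauth1_account_id": account_id}

def handle_callback(session: dict, query: dict) -> tuple[str, str, str]:
    """Resolve the callback and return (token_for_exchange, saved_secret, verifier).

    The pending attempt is found via the session, never via query["oauth_token"],
    so the callback is bound to the browser that started the flow and it does
    not matter whether the provider echoed the temporary token or sent a new one.
    """
    account_id = session.get("oauth1_account_id")
    if account_id not in PENDING:
        raise PermissionError("no pending OAuth1 attempt for this session")
    try:
        callback_token = query["oauth_token"]
        verifier = query["oauth_verifier"]
    except KeyError as missing:
        raise ValueError(f"callback is missing {missing}") from None
    creds = PENDING.pop(account_id)  # one-shot: a replayed callback fails the check above
    # RFC 5849 says callback_token == creds.oauth_token; Zotero sends a different
    # value. Either way the exchange uses the callback token with the saved secret,
    # as Zotero's sample code does.
    return callback_token, creds.oauth_token_secret, verifier
```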

Owner

I guess it indeed was; Zotero's just an exception and the only OAuth 1.0a service we have (as of now).
