Description
In Python 3, the return value of SignatureMethod_HMAC_SHA1.Sign is a bytes object, not a string. This is problematic for implementing 2-legged OAuth (such as under LTI, described here: https://www.imsglobal.org/specs/ltiv2p0/implementation-guide#toc-58) because the signature of a request is used in an immediate comparison against request parameters (which are strings) as opposed to sent out in a request and compared by the recipient server.
By way of example, the following code, which attempts to do a 2-legged OAuth check on an incoming Django request, will raise an erroneous Invalid Signature error from verify_request because the signature in the request is a string object and the signature returned by SignatureMethod_HMAC_SHA1.Sign is a bytes object:
oauth_server = oauth2.Server()
signature_method = Python3_SignatureMethod_HMAC_SHA1()
oauth_server.add_signature_method(signature_method)
oauth_consumer = oauth2.Consumer(consumer_key, consumer_secret)
oauth_request = oauth2.Request.from_request(
request.method, request.build_absolute_uri(),
headers=request.META, parameters=request.POST.dict()
)
oauth_server.verify_request(oauth_request, oauth_consumer, {})
It looks from SignatureMethod_PLAINTEXT.sign (which uses encode on the return value) that these might be intentionally bytes objects instead of unicode. Is this the case or is this an artifact of python 2's string/unicode handling?