Skip to content

SignatureMethod_HMAC_SHA1.Sign returns bytes not string in python 3 #207

Open
@zags

Description

@zags

In Python 3, the return value of SignatureMethod_HMAC_SHA1.Sign is a bytes object, not a string. This is problematic for implementing 2-legged OAuth (such as under LTI, described here: https://www.imsglobal.org/specs/ltiv2p0/implementation-guide#toc-58) because the signature of a request is used in an immediate comparison against request parameters (which are strings) as opposed to sent out in a request and compared by the recipient server.

By way of example, the following code, which attempts to do a 2-legged OAuth check on an incoming Django request, will raise an erroneous Invalid Signature error from verify_request because the signature in the request is a string object and the signature returned by SignatureMethod_HMAC_SHA1.Sign is a bytes object:

oauth_server = oauth2.Server()
signature_method = Python3_SignatureMethod_HMAC_SHA1()
oauth_server.add_signature_method(signature_method)
oauth_consumer = oauth2.Consumer(consumer_key, consumer_secret)
oauth_request = oauth2.Request.from_request(
    request.method, request.build_absolute_uri(),
    headers=request.META, parameters=request.POST.dict()
)
oauth_server.verify_request(oauth_request, oauth_consumer, {})

It looks from SignatureMethod_PLAINTEXT.sign (which uses encode on the return value) that these might be intentionally bytes objects instead of unicode. Is this the case or is this an artifact of python 2's string/unicode handling?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions