17 Replies Latest reply on Jul 27, 2015 9:31 PM by butch

    !App request OAuth signature verification

    butch

      We're attempting to verify that requests coming from Jive are actually requests coming from Jive to our servers from our !App. This is important, because we want to ensure that the Jive user sending the request is who they say they are.

       

      This seemed like a good starting point: https://community.jivesoftware.com/docs/DOC-66542

       

      Our !App can successfully issue a request to our server, which receives everything.

       

      // Signed request issued by the !App to our server (the href is elided in the original)
      osapi.http.post({
          'href': "...",
          "format": "json",
          "authz": "signed",
          "noCache": true
      }).execute(function(r) {
      });

       

      On the server side, we receive all the headers:

       

      Authorization: "JiveEXTN algorithm=HmacSHA256&client_id=...&jive_url=...&tenant_id=...&timestamp=1385749129911&signature=..."
      X-Forwarded-For: "..., ..."
      X-Forwarded-Proto: "http"
      X-Jive-Apps-Market-ID: "..."
      X-Jive-User-Email: "..."
      X-Jive-User-External: "false"
      X-Jive-User-ID: "..."
      X-shindig-dos: "on"

       

      Unfortunately I have yet to find example documentation (both for Jive/OpenSocial/OAuth) on how to properly verify that the signature sent by Jive is valid.

       

      All I can find in the Jive docs is:

       

      The credentials used to generate the signature string, the oauth consumer key and oauth consumer secret, are established at the time of application registration.

       

      I have no idea how I established these credentials, or what these credentials are. I do know you're using HMAC-SHA1 - which is good. How is the signature base string constructed? An example of this would be great (python, php, ruby, java).

       

      Forgive me if I'm not fully grasping all the concepts of OAuth.

       

      Mark Weitzel may have a good example?
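The following is an added example, not code from the original post, from Jive, or from the Jive documentation, showing the shape a server-side check of the JiveEXTN Authorization header above would take: parse the header, reject stale timestamps, recompute the HMAC with the registration secret, and compare in constant time. It makes one assumption that the post does not confirm and that must be checked against Jive's own documentation: that the signature is HMAC-SHA256 over the parameter string exactly as it appears in the header up to but not including "&signature=", keyed with the base64-decoded client secret from app registration. The function names, the five-minute replay window and the sample secret and header values are all constructed for the example.

```python
"""Verify a Jive 'JiveEXTN' signed-request Authorization header (added example).

ASSUMPTION, not confirmed by the post above: signature = base64(HMAC-SHA256(key, P))
where P is the header parameter string before '&signature=' and key is the
base64-decoded client secret issued at app registration.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, unquote, urlencode

HEADER_PREFIX = "JiveEXTN "
SIGNED_FIELDS = ("algorithm", "client_id", "jive_url", "tenant_id", "timestamp")
MAX_SKEW_MS = 5 * 60 * 1000  # replay window; a local policy choice, not a Jive requirement

# Constructed sample values for the demo (not real credentials).
SAMPLE_SECRET_B64 = base64.b64encode(b"constructed-secret-for-demo").decode("ascii")
OTHER_SECRET_B64 = base64.b64encode(b"some-other-constructed-secret").decode("ascii")
SAMPLE_NOW_MS = 1385749129911  # the millisecond timestamp shown in the post's header


def compute_signature(secret_b64, signed_part):
    """HMAC-SHA256 over the signed parameter string, base64-encoded (assumed construction)."""
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, signed_part.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_signed_header(secret_b64, client_id, jive_url, tenant_id, timestamp_ms):
    """Build a JiveEXTN header in the form the verifier expects.

    Used here only to construct test input; it encodes the same assumption
    about Jive's construction as the module docstring.
    """
    pairs = [("algorithm", "HmacSHA256"), ("client_id", client_id),
             ("jive_url", jive_url), ("tenant_id", tenant_id),
             ("timestamp", str(timestamp_ms))]
    signed_part = urlencode(pairs)  # percent-encodes the URL in jive_url
    return HEADER_PREFIX + signed_part + "&signature=" + compute_signature(secret_b64, signed_part)


def parse_jive_authz(header):
    """Return (signed_part, params, signature) from a JiveEXTN header value."""
    if not header.startswith(HEADER_PREFIX):
        raise ValueError("not a JiveEXTN Authorization header")
    body = header[len(HEADER_PREFIX):]
    # The signature is the last parameter; everything before it is what was signed.
    signed_part, sep, raw_sig = body.rpartition("&signature=")
    if not sep or not raw_sig:
        raise ValueError("missing signature parameter")
    params = dict(parse_qsl(signed_part, keep_blank_values=True))
    return signed_part, params, unquote(raw_sig)


def verify_jive_authz(header, secret_b64, now_ms=None):
    """True only if the header is well-formed, fresh and carries a valid signature."""
    try:
        signed_part, params, sig = parse_jive_authz(header)
    except ValueError:
        return False
    if params.get("algorithm") != "HmacSHA256":
        return False  # do not let the sender pick a weaker algorithm
    if any(field not in params for field in SIGNED_FIELDS):
        return False
    try:
        ts = int(params["timestamp"])
    except ValueError:
        return False
    now = int(time.time() * 1000) if now_ms is None else now_ms
    if abs(now - ts) > MAX_SKEW_MS:
        return False  # stale or replayed request
    expected = compute_signature(secret_b64, signed_part)
    return hmac.compare_digest(expected, sig)  # constant-time comparison


if __name__ == "__main__":
    hdr = build_signed_header(SAMPLE_SECRET_B64, "cid", "https://example.jiveon.com",
                              "tid", SAMPLE_NOW_MS)
    print(hdr)
    print("valid:", verify_jive_authz(hdr, SAMPLE_SECRET_B64, now_ms=SAMPLE_NOW_MS))
    print("tampered:", verify_jive_authz(hdr.replace("tenant_id=tid", "tenant_id=other"),
                                         SAMPLE_SECRET_B64, now_ms=SAMPLE_NOW_MS))
```

Under this assumed construction only the parameters inside the Authorization header are covered by the signature; the X-Jive-User-ID and X-Jive-User-Email headers listed in the post sit outside the signed string, so a server should treat them as trustworthy only once the signature check has passed and the request is known to have come from Jive over an authenticated transport, not on the strength of the signature alone.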