Using token,token secret,Consumer key,Consumer secret,time-stamp,nonce i generate the signature using developer account but it always shows the Signature invalid while connect the fast link of yodlee, May be the generated signature method wrong, Can any one provide the Lib's for generating signature using java.
Could you please provide the request you are generating? Meanwhile, can you please take a look at integration guide present here.
Thanks Apoorv for your replay.
The below url i generated https://fastlink.yodlee.com/appscenter/fastlinksb/linkAccount.fastlinksb.action?access_type=oauthdeeplink&displayMode=desktop&oauth_callback=http://www.google.com&oauth_consumer_key=XXXXXXX&oauth_nonce=her1lk40NpL&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1407732923&oauth_token=9819d4247f9f44959510832bc6688b86&oauth_version=1.0&oauth_signature=IRVbo09jAub0FTtt7uLMPA==
please verify this and letme know what is the mistaken
I noticed this as well after looking at the oAuth 1.0 sample code. If you enter your callback url without the protocol it will work. In your case just enter www.google.com. When you need the protocol you must url encode the querystring parameter.
https://fastlink.yodlee.com/appscenter/fastlinksb/linkAccount.fastlinksb.action?access_type=oauthdeeplink&displayMode=desktop&oauth_callback=http%3A%2F%2Fwww.google.com&oauth_consumer_key=XXXXXXXXXXXXXXX&oauth_nonce=6238157&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1407996476&oauth_token=11232e9a123111111d8a19175663ecd947&oauth_version=1.0&oauth_signature=4RbNDY9z1wC/vMV5neitQa7ZxQM=
While generating the signature you also need to include the URL and parameters. You can find libraries on JAVA for generating signature at Oauth JAVA
Also if you want to invoke the FastLink in a browser for testing then you can use steps from this article
Related
In my Rust Tonic setup, I have configured mTLS (mutual TLS) authentication between client and server.
Now, I would like to use the data stored in client certificate
a) for authorizing access (interceptor)
b) use in providing the service (ie. I want to see Hello Petr if Petr is connecting)
I could not find any examples about this, and traversing Tonic source code didn't help me, too.
After asking on discord channel tokio/tonic, I got the solution (thanks Lucio Franco!) and also found that there actually is an example in tonic (yes my research was not good enough).
For anyone interested, this is the example code:
https://github.com/hyperium/tonic/blob/master/examples/src/tls_client_auth/server.rs
Brief summary:
the request parameter, provided in each method generated for the service, contains parameter peer_certs() which returns all the user certificates.
These can be then iterated, and their bytes parsed. I used crate x509-parser which works great for me, but others might be probably used as well.
I have problem with OCRA generation, the client and server need to agree on one or two values of OCRASuite but I can't find any information about OCRASuite on official PROTECTIMUS site.
Please, check out the following OCRASuite:
OCRA-1:HOTP-SHA1-6:QA40-T1M
I have been playing with JSON-LD a while and am wondering your usage is correct? Shouldn't #context contain a URL? The validator seems to accept both.. the playground on json-ld.org strangely neither. It returns the following error:
{"name":"jsonld.InvalidUrl","message":"Derefencing a URL did not
result in a valid JSON-LD object. Possible causes are an inaccessible
URL perhaps due to a same-origin policy (ensure the server uses CORS
if you are using client-side JavaScript), too many redirects, or a
non-JSON
response.","details":{"url":"http://schema.org","cause":{"name":"jsonld.LoadContextError","message":"URL
could not be dereferenced, an error
occurred.","details":{"url":"http://schema.org","cause":""}}}}
Thanks,
Sam
The context schema.org is correctly understood by Google and the decision to drop the http:// was made in order to simplify the developers' lives.
Check this W3C thread for the complete discussion about this implementation: http://lists.w3.org/Archives/Public/public-rdf-wg/2013May/0183.html
I'm not very expert in this kind of programming, and I know there is several similar questions, but anyone answered exactly that I need.
My team (and I) are developing a Public Key Infrastructure. We are stuck in the key generation (on client side), but we found so few documentation about it.
We know there are these options:
keygen tag --> generates a SPKAC request --> works in Mozilla to internal keystore, token and smartcard
crypto.generateCRMFRequest() --> generates a CRMF Request --> works in Mozilla to internal keystore, token and smartcard
CryptoAPI, CAPI, XEnroll CEnroll --> generates a CSR PKCS#10 (I think so) --> Works in Internet Explorer (we still haven't found code's examples)
Javascript or java Applet (yes I know, both are different) generates in all with sunpkcs11, bouncycastle or iaik API (can't reach any goal)
We found this options. but we don't know how to get the results, how to create to a CSR PKCS#10 request and how to handle it.
please, could you give me an advice about select the strategy, find how to implement and handle results, convert results and so? we are getting crazy!
Example: we know how to use the keygen tag, but we don't know how to set the key to only RSA 2048, and how to handle the SPKAC request to convert in a good CSR signed on SHA256
We tried to develop a Java Applet with iaik API, but the CSR generated had an error.
You are correct on all counts, as far as using browser tags to generate the keypair and/or certificate request. I recommend you take a look at the Odyssi CS project on Sourceforge. It's a very simple CA implementation written in Java/JSP. Take a look at the JSP files and you can see how the various options are being passed to the key generation tags.
Basically, you generate the keypair as part of a form submission. From there, they're available in the same way as any other request parameter. You'll need to know how to decode them on the backend. IE generates the request as a PKCS#10, which is nice since it's a well-documented standard. The SPKAC format isn't as widely used, but there are still good documentation and libraries available.
http://sourceforge.net/projects/odyssipki/
As Daniel pointed out, SPKAC is not broadly supported (even by CAs), it would be better if viable for your case to use PKCS10 in all browsers.
Here is an example doing that - https://github.com/PeculiarVentures/csrhelp
I'm building a REST API and using oAuth for authorization. My question is do I need to do anything about the body of the request in the case of PUT and POST requests that contain data? I'm using SSL if that makes any difference.
It seems to me that the url is verified by the oAuth signature, but the contents of the body could be anything. I'm not sure if that's a problem, though, because if the URL is correctly signed then they have provided the correct credentials to do an insert or update. I am using nonce to prevent replay attacks as well, but I want to avoid creating a security issue due to misunderstanding how to treat the request body.
Thanks for any suggestions.
I found an answer looking through some OAuth libraries. It's not officially part of the spec but some services and libraries use "xoauth_body_signature" and "xoauth_body_signature_method" in the request headers to send a signature of the body contents.
Apparently there's some challenges implementing and discussions can be found by googling for xoauth_body_signature. It doesn't seem like a lot of people are doing it.