OAuth request_token method not redirecting on success

[griessp]

Hi,

I'm attempting to initiate the OAuth dance by making a GET call to the request_token endpoint, https://api.login.yahoo.com/oauth/v2/get_request_token. I've included all of the relevant parameters in the GET query string. Unfortunately, the call results in a 200 rather than doing something to prompt me for authorization. I get the same behavior regardless of my logged-in / logged-out of Yahoo state. Interestingly, the 200 response comes back with query parameters which would otherwise end up appended to the callback URL are dumped in the response body.

Does anybody have any idea what's going on here? If I screw up the parameters in other interesting ways, I get a 401 rather than a 200, so it seems that my request is constructed correctly, but for some reason the OAuth server isn't behaving as I'm expecting.

Check it out:

GET /oauth/v2/get_request_token?oauth_nonce=28042247&oauth_timestamp=1259077288&oauth_consumer_key=dj0yJmk9eTVoMnNFbHBlbVQ0JmQ9WVdrOVkzcEtNR3QwTXpnbWNHbzlOa
kkxTXprd05qZzEmcz1jb25zdW1lcnNlY3JldCZ4PWQ1&oauth_signature_method=HMAC-SHA1&oauth_version=1.0&oauth_signature=Ii%2FTgDG%2F65G2NmH0gixmUObUMck%3D&xoauth_lang_pref=en-us&oauth_callback=http%3A%2F%2Fwww.yttrium.ws%2F HTTP/1.1
Host: api.login.yahoo.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.5) Gecko/20091102 YFF35 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 24 Nov 2009 15:41:29 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain; charset=utf-8

oauth_token=eyxt4jr&oauth_token_secret=4edc80f935dd2cf4f1ad57db1200ba8f1e8f62d3&oauth_expires_in=3600&xoauth_request_auth_url=https%3A%2F%2Fapi.login.yahoo.com%2Foauth%2Fv2%2Frequest_auth%3Foauth_token%3Deyxt4jr&oauth_callback_confirmed=true

Thanks,
Peter

[Dustin Whittle]

Hi,

I'm attempting to initiate the OAuth dance by making a GET call to the request_token endpoint, https://api.login.yahoo.com/oauth/v2/get_request_token. I've included all of the relevant parameters in the GET query string. Unfortunately, the call results in a 200 rather than doing something to prompt me for authorization. I get the same behavior regardless of my logged-in / logged-out of Yahoo state. Interestingly, the 200 response comes back with query parameters which would otherwise end up appended to the callback URL are dumped in the response body.

Does anybody have any idea what's going on here? If I screw up the parameters in other interesting ways, I get a 401 rather than a 200, so it seems that my request is constructed correctly, but for some reason the OAuth server isn't behaving as I'm expecting.

Check it out:

GET /oauth/v2/get_request_token?oauth_nonce=28042247&oauth_timestamp=1259077288&oauth_consumer_key=dj0yJmk9eTVoMnNFbHBlbVQ0JmQ9WVdrOVkzcEtNR3QwTXpnbWNHbzlOa
kkxTXprd05qZzEmcz1jb25zdW1lcnNlY3JldCZ4PWQ1&oauth_signature_method=HMAC-SHA1&oauth_version=1.0&oauth_signature=Ii%2FTgDG%2F65G2NmH0gixmUObUMck%3D&xoauth_lang_pref=en-us&oauth_callback=http%3A%2F%2Fwww.yttrium.ws%2F HTTP/1.1
Host: api.login.yahoo.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.5) Gecko/20091102 YFF35 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 24 Nov 2009 15:41:29 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain; charset=utf-8

oauth_token=eyxt4jr&oauth_token_secret=4edc80f935dd2cf4f1ad57db1200ba8f1e8f62d3&oauth_expires_in=3600&xoauth_request_auth_url=https%3A%2F%2Fapi.login.yahoo.com%2Foauth%2Fv2%2Frequest_auth%3Foauth_token%3Deyxt4jr&oauth_callback_confirmed=true

Thanks,
Peter

Peter,

This is a valid oauth request token response. The browser is not automatically redirected, you should use the xoauth_request_auth_url request parameter to redirect the user to the authorization page. See more information in the oauth guide: http://developer.yahoo.com/oauth/guide/