Goodreads Developers discussion

questions > redirect_uri


message 1: by Andrew

Andrew | 2 comments Hi,
Dumb question: I'm trying to use the Goodreads API to authenticate the user and then return then back to the originating URL.

Is this possible? redirect_uri would normally be used for this, but that doesn't seem to work.

The WordPress plugin at http://wordpress.org/plugins/wordpres... actually asks the user to hard-code the return URL into the API settings in GoodReads. Which seems a bit cack-handed, if you ask me.

Regards,
Andy


message 2: by Jon

Jon (divisionbyzero) | 21 comments You should be able to set the oauth_callback parameter when you make your initial call to /oauth/request_token. If a callback isn't specified there, the one set up in your API key is used (this is what it sounds like the WordPress plugin is referencing).


message 3: by Degreed

Degreed | 4 comments Jon wrote: "you should be able to set the oauth_callback parameter when you make your initial call to /oauth/request_token . if a callback isn't specified there, the one setup in your api key is used (this is ..."

I've not been able to get that to work. Unless I specify a callback in my settings on Goodreads, my callback doesn't get executed. As far as I can tell, I'm specifying a callback URL correctly when requesting a token, but it seems to just be ignored.

I'd rather specify it during the request than in my settings. Having to configure it in settings sure makes it hard to test from my dev machine (different URL).


message 4: by Jon

Jon (divisionbyzero) | 21 comments Ah, I mistyped above: you specify the oauth_callback to /oauth/authorize, not /oauth/request_token:

https://www.goodreads.com/api/documen...

sorry about that.


message 5: by Degreed

Degreed | 4 comments Thank you Jon! That seems to be working now. The callback I specify when calling /authorize is called as you mentioned. Great! That will make debugging and testing much easier.

FYI: I was basing my code on the flow described in the oauth spec, which seems to indicate that the oauth_callback is specified when asking for the request_token:
http://tools.ietf.org/html/rfc5849#se...

Thanks again!


message 6: by Beau

Beau Lebens (beaulebens) | 2 comments I'm attempting to auth with Goodreads, and I seem to be hitting a problem with an oauth_callback which contains a query string. It looks like Goodreads just appends the oauth_token and authorize parameters onto the end, and uses a '?' character to put them there. The problem with that is that if the callback already has a ? in it (e.g. contains query string parameters) then you now have an invalid URI.

In my case, the redirect URI looks something like this:

http://host/wp-admin/tools.php?page=k...

And then once the user has authorized, they are returned to something like:

http://host/wp-admin/tools.php?page=k...

So the 'state' parameter ends up being extracted as

12345?oauth_token=YweC1u2TMcbxj376SBHpmA

Which is clearly not correct :)

I think Goodreads needs to look at the callback URI before appending the oauth_token, and if there's a ? in it already, then use & to append those details, otherwise use the ?.
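The two mechanics discussed above, as an added example that is not code from the thread, from the Goodreads API or from any of the posters' plugins: passing oauth_callback as a query parameter on the /oauth/authorize redirect (message 4), and the difference between gluing oauth_token onto a callback with a fixed '?' and merging it into the existing query string (message 6). The callback URL, its query parameters and the state value are constructed for the demonstration; the token value is the one quoted above; the authorize endpoint path is taken from the thread.

```python
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed values for the demonstration. A real request token comes from
# /oauth/request_token, and the state value from the client's own session.
AUTHORIZE_ENDPOINT = "https://www.goodreads.com/oauth/authorize"
CALLBACK = "http://host/wp-admin/tools.php?page=settings&state=12345"
REQUEST_TOKEN = "YweC1u2TMcbxj376SBHpmA"  # token value quoted in message 6


def add_query_params(url, params):
    """Append query parameters correctly: parse whatever query string is
    already present, add the new pairs, and re-encode the whole thing.
    Choosing '?' or '&' by hand is what produces the broken redirect."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def build_authorize_url(request_token, oauth_callback):
    """Client side: the redirect to /oauth/authorize carrying oauth_callback
    as a query parameter (message 4). urlencode percent-encodes the callback,
    so the '?' and '&' inside it survive the round trip to the provider."""
    return add_query_params(AUTHORIZE_ENDPOINT,
                            [("oauth_token", request_token),
                             ("oauth_callback", oauth_callback)])


def provider_redirect_naive(callback, token, authorized):
    """Provider side as observed in the thread: the parameters are always
    attached with '?', even when the callback already has a query string."""
    return "%s?oauth_token=%s&authorize=%d" % (callback, token, int(authorized))


def provider_redirect_fixed(callback, token, authorized):
    """Provider side as Beau proposes: merge into the existing query string."""
    return add_query_params(callback, [("oauth_token", token),
                                       ("authorize", str(int(authorized)))])


def parse_callback_strict(url):
    """What a standards-conforming parser (for example the middleware OAuth
    library Beau mentions) sees: the query is everything after the first '?',
    so the second '?' stays inside the 'state' value."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def parse_callback_tolerant(url):
    """Client-side workaround for when you control the parsing: treat any
    further '?' in the query as a separator. Only safe if none of your own
    parameter values legitimately contain a bare '?' (RFC 3986 allows it)."""
    query = urlsplit(url).query.replace("?", "&")
    return dict(parse_qsl(query, keep_blank_values=True))


def callback_is_valid(params, expected_state, expected_token):
    """Verify the returned anti-CSRF state in constant time and require the
    oauth_token to be the one this session started the flow with."""
    state = params.get("state", "")
    return (hmac.compare_digest(state, expected_state)
            and params.get("oauth_token") == expected_token)


if __name__ == "__main__":
    print(build_authorize_url(REQUEST_TOKEN, CALLBACK))
    broken = provider_redirect_naive(CALLBACK, REQUEST_TOKEN, True)
    print(broken)
    print("strict parse:  ", parse_callback_strict(broken))
    print("tolerant parse:", parse_callback_tolerant(broken))
    print(provider_redirect_fixed(CALLBACK, REQUEST_TOKEN, True))
```

With the naive provider behaviour the strict parser returns a state of "12345?oauth_token=..." and no oauth_token at all, so the state check fails; the tolerant parser recovers both values, but it is a client-side patch for a provider-side bug and misreads any legitimate '?' in a parameter value. Where the library doing the parsing cannot be changed, the alternatives are to keep state and nonce in the server-side session (as Michael suggests below) and use a callback with no query string, or to carry them in the path instead.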


message 7: by Michael

Michael Economy (michaeleconomy) Hey,

Another developer recently encountered this:
https://www.goodreads.com/topic/show/...

We've got a ticket on our end, but it might be a while before we can get to it.

I don't think that you want to be passing the nonces in clear text like you're doing however, can they not be stored in the user's session?


message 8: by Beau

Beau Lebens (beaulebens) | 2 comments The nonces are fine, they're relatively short-lived, and are only there to prevent replay attacks and CSRF. I'm not too concerned about them being exposed really.

And yes, looking over that thread, it appears to be a problem. That's a pity if you're not able to fix it, as it prevents people from being able to implement your API in a lot of situations.

In my case, I can't put a hack in the way the other user has done it, because the core OAuth implementation is handled by a separate middleware library, which expects URLs/parameters to be passed around correctly.

I'll keep an eye out to see when this is fixed, thanks.


message 9: by Chris

Chris | 4 comments This one is also making my Goodreads integration a bit tricky.

As Beau mentions, anyone using a separate OAuth library may not be able to easily use the workaround in the other thread.

You mention there's a ticket for this - do you have an idea of timescale for it to be resolved?

Thanks,

Chris


message 10: by Ettore

Ettore Pasquini Hey Chris and Beau, the ticket hasn't been fixed yet, and unfortunately I don't have an ETA yet. I linked the ticket (ios-2431, for reference) to this forum post, so once it's fixed this thread will be updated.


message 11: by Chris

Chris | 4 comments Thanks for keeping us posted Ettore.

Just in case it helps when resolving the issue, I've found that the current behaviour is slightly different depending upon whether a user is logged in when they reach Goodreads during the OAuth flow.

If the user is not logged in, the query string is returned as Beau describes above (with two question marks, but pretty much intact).

If they're not logged in and they perform a login as part of the process, we lose nearly all of the query string. Only the first query string parameter is returned from our original oauth_callback.

