ShinShin 

OAuth Remote Access

Folks, I found that the OAuth feature (Remote Access) is now available for all orgs at last, but I suspect there's a fatal defect.

 

When reading the help page for the Remote Access feature (https://na7.salesforce.com/help/doc/en/remoteaccess_authenticate.htm) and referring to the OAuth Core 1.0A spec (http://oauth.net/core/1.0a), I found that salesforce's current behaviour does not fulfil the specification.

 

The help page says that the oauth_consumer_key parameter is required in the Authorization redirect phase (see the "Authorizing the User" section), but the 1.0A spec does not (see 6.2.1). It is not only a documentation bug; it actually raises an error when no oauth_consumer_key is passed.

 

I'm not sure why salesforce requires the consumer key in addition to oauth_token. The consumer key is considered not to be exposed to users, so it is not used as a parameter during the user redirection.

 

I'm writing code that connects to salesforce using an OAuth library in Python, but without success, mainly because of this spec violation.


 
jonglee

Our impl requires the consumer key; I will look into whether we can make it optional. But regarding the 1.0.a spec: strictly speaking, we can require oauth_consumer_key, since 6.2.1 does say "Additional parameters" may be required by the Service Provider.

 

6.2.1.  Consumer Directs the User to the Service Provider

In order for the Consumer to be able to exchange the Request Token for an Access Token, the Consumer MUST obtain approval from the User by directing the User to the Service Provider. The Consumer constructs an HTTP GET request to the Service Provider's User Authorization URL with the following parameter:

oauth_token:
OPTIONAL. The Request Token obtained in the previous step. The Service Provider MAY declare this parameter as REQUIRED, or accept requests to the User Authorization URL without it, in which case it will prompt the User to enter it manually.
Additional parameters:
Any additional parameters, as defined by the Service Provider.

 Jong Lee

Salesforce.com

ShinShin

"Additional parameters", in my opinion, is not meant to include the "oauth_"-prefixed parameters defined in the OAuth spec. It is intended for much more application-related parameters.

 

I think oauth_token is enough to identify the consumer, because the consumer key information has already been passed to the SP in the preceding "Request Token" phase, and should be linked and kept in the SP's memory/database.
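
The binding described in the post above, sketched as an added example that is not part of the original thread and is not Salesforce's implementation: a Service Provider records the consumer key when it issues the request token, then resolves the consumer from oauth_token alone at the User Authorization URL. The class name, the 600-second lifetime, the `sp.example` host and the consumer keys are assumptions made for illustration.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs

REQUEST_TOKEN_TTL = 600  # seconds; assumed lifetime, not taken from the spec


class RequestTokenStore:
    """Hypothetical Service Provider store binding request tokens to consumers."""

    def __init__(self):
        self._tokens = {}  # oauth_token -> (consumer_key, expiry timestamp)

    def issue(self, consumer_key, now=None):
        # Request Token phase: the signed request has already identified the
        # consumer, so the binding is recorded here on the server side.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (consumer_key, now + REQUEST_TOKEN_TTL)
        return token

    def resolve_authorization(self, url, now=None):
        """Return the consumer key for a User Authorization URL or raise ValueError."""
        now = time.time() if now is None else now
        params = parse_qs(urlparse(url).query)
        token = params.get("oauth_token", [None])[0]
        if token is None or token not in self._tokens:
            raise ValueError("unknown or missing oauth_token")
        consumer_key, expiry = self._tokens[token]
        if now > expiry:
            del self._tokens[token]
            raise ValueError("expired oauth_token")
        # oauth_consumer_key is treated as optional here. If the consumer sends
        # it anyway, it must agree with the stored binding; a mismatch means the
        # token is being presented under another consumer's identity.
        claimed = params.get("oauth_consumer_key", [None])[0]
        if claimed is not None and claimed != consumer_key:
            raise ValueError("oauth_consumer_key does not match oauth_token")
        return consumer_key
```

The approval page shown to the user should name the consumer returned by this lookup, never a value taken from the query string.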

 

piusvelte

I'm running into this issue as well. I've appended the oauth_consumer_key parameter and value to the authorization url and it's still returning that error message about missing the consumer key.

Rose Sage Barone

I'm having the same problem.  I get the "Required parameter "oauth_consumer_key" not defined. " error; however, I AM signed onto my Salesforce sandbox on my mobile app.   I see the WEB app styled pages and can click around to my heart's content.  Then, if I close the mobile app and open it again, I get the OAuth approve/deny screen and then I am positioned at the mobile app styled pages.  So, I get signed on.  I just don't end up where I should.