[annotator-dev] x-annotator-auth-token

Randall Leeds tilgovi at hypothes.is
Tue Mar 25 21:01:57 UTC 2014


I still can't see anything wrong with this.

Maybe you could create a token with a throwaway secret and send it to me,
along with the secret.
I'll try to decode and validate it using the python code
annotateit.org uses and see if anything pops out.

Or, if you're comfortable with python, you can check it out yourself:
https://github.com/okfn/annotator-store
The token verification looks like:

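```python
from annotator.auth import decode_token

# token: the token string returned by your endpoint
# secret: the consumer secret it was signed with
decode_token(token, secret, ttl=86400, verify=True)
```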

You can also pass verify=False to be sure it parses, even if the signature
and expiry are wrong. Or pass a different TTL value to ensure a particular
TTL is enforced.

That should give you a message about why the token might be wrong, if it is.


On Fri, Mar 21, 2014 at 10:01 AM, Andrew MacDonald <
andrew_james_macdonald at yahoo.com> wrote:

> Initially I did see that warning, which stopped appearing after I included
> all the required fields in the token payload.
>
> Sometimes when I load up my app, Annotator will only make one call to get
> the token, other times it will make hundreds of token calls in the span of
> a few seconds, so something is obviously wrong there. However, even when
> that happens, I'm not seeing any warnings in the console.
>
>
>   On Friday, March 21, 2014 12:56 AM, Randall Leeds <tilgovi at hypothes.is>
> wrote:
>  Do you see a warning in your script console, "Didn't get a valid token"?
> Or if you see the Annotator making requests to your token URL every ten
> seconds, then it means the application isn't receiving it correctly.
> I cannot see what is wrong with your code, if anything.
>
>
> On Thu, Mar 20, 2014 at 2:18 PM, Andrew MacDonald <
> andrew_james_macdonald at yahoo.com> wrote:
>
> I wouldn't be surprised if that were the case.
>
> Here's the code:
> 1) The relevant code from my HttpServlet: http://pastebin.com/bgEWbKhE
> 2) The JWTUtils code: http://pastebin.com/ryEQtLB0
>
> Andrew
>
>
>   On Thursday, March 20, 2014 5:04 PM, Randall Leeds <tilgovi at hypothes.is>
> wrote:
>  Then it certainly seems like the token code might not be quite right.
>
> Can you share the code you're using to generate the token?
>
>
> On Thu, Mar 20, 2014 at 11:22 AM, Andrew MacDonald <
> andrew_james_macdonald at yahoo.com> wrote:
>
> Thanks for the quick reply.
>
> 1) I'm using v.1.2.7
>
> 2) I would assume so. This is the extent of my Annotator configuration:
> $('#'+containerId).annotator().annotator('setupPlugins', {
>     tokenUrl: 'http://localhost:8080/base/token'
> });
>
> 3) I think so. For the token payload:
> consumerKey = my consumer key on annotateit.org
> userId = my user name on annotateit.org
>
> When I construct the actual token with JsonToken, I first have to
> construct the signer using HmacSHA256Signer (
> https://code.google.com/p/jsontoken/source/browse/trunk/src/main/java/net/oauth/jsontoken/crypto/HmacSHA256Signer.java).
> I pass it the following:
> issuer = same as userId above
> keyId = same as consumerKey above
> keyBytes = the bytes from my consumer secret
>
>
>   On Thursday, March 20, 2014 1:56 PM, Randall Leeds <tilgovi at hypothes.is>
> wrote:
>   Some questions
>
> - What version of Annotator?
>  - Are you using the default Store plugin in both cases?
>  - Just to be sure, are you using your credentials from your user page on
> annotateit.org to generate your token?
>
>
> On Thu, Mar 20, 2014 at 8:57 AM, Andrew MacDonald <
> andrew_james_macdonald at yahoo.com> wrote:
>
>  Hello dev team,
>
> I'm having trouble getting my local authentication working with the
> AnnotateIt store.
>
> So far, I have produced a local authentication token endpoint, using the
> JsonToken Java library. This seems to work, as the Annotator plugin calls
> my endpoint and it returns a token (and the Annotator doesn't throw any
> "couldn't get auth token" errors). However, when I try to store an
> annotation on AnnotateIt I get a 401 unauthorized response. When I use the
> http://annotateit.org/api/token endpoint for authorization, everything
> works as expected. Comparing the headers between the two approaches, I
> notice that when using my local authentication, subsequent calls to
> AnnotateIt don't include the x-annotator-auth-token request header, which I
> assume is why I'm getting the unauthorized response.
>
> Any idea what I'm doing wrong? If you require more details please let me
> know.
>
> Thanks,
> Andrew
>
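A stand-alone sketch of the checks discussed in this thread (does the token parse, does the signature match the secret, is it within the TTL), added here as an example; it is not the annotator-store code and not part of the original messages. It assumes an HS256 JWT whose payload carries `consumerKey`, `userId`, `issuedAt` (ISO 8601) and `ttl`; `diagnose`, `make_token` and the sample secret and payload are hypothetical names and constructed values.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

REQUIRED = ("consumerKey", "userId", "issuedAt", "ttl")  # assumed payload fields
SECRET = "throwaway-secret"                              # constructed sample secret
NOW = datetime(2014, 3, 25, 21, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_token(payload, secret):
    """Build a constructed HS256 token to feed the checker."""
    head = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256)
    return f"{head}.{body}.{b64url_encode(mac.digest())}"

def diagnose(token, secret, ttl=86400, now=None):
    """Return the reasons a verifier would reject the token (empty list = OK)."""
    now = now or datetime.now(timezone.utc)
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        payload = json.loads(b64url_decode(body))
        got = b64url_decode(sig)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return ["token does not parse as three base64url segments"]
    problems = []
    if header.get("alg") != "HS256":
        problems.append("unexpected alg: %r" % header.get("alg"))
    want = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(got, want):  # constant-time comparison
        problems.append("signature does not match secret")
    missing = [k for k in REQUIRED if k not in payload]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if "issuedAt" in payload:
        issued = datetime.fromisoformat(payload["issuedAt"].replace("Z", "+00:00"))
        if issued > now:
            problems.append("token is not yet valid")
        elif issued + timedelta(seconds=ttl) < now:  # ttl enforced by the verifier
            problems.append("token has expired")
    return problems

GOOD = make_token({"consumerKey": "demo-key", "userId": "alice", "issuedAt": "2014-03-25T20:00:00Z", "ttl": 86400}, SECRET)
print(diagnose(GOOD, SECRET, now=NOW))
```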