Could not verify Pre-approved Request Token (OpenID) sent from Yahoo

MakeitQ22 Nov 2011 5:51 AM

Hello,
I'm trying to use Yahoo samples in getting to use OpenID according to the sample at http://developer.yahoo.com/oauth/guide/request-token.html

After the user authorizes the access, the redirect to my site occurs, but I'm not able to successfully verify the HMAC-SHA1 signature made by Yahoo.
I have reviewed the specs and the sample source code that is out there, but I cannot verify the exact values of the signature base and HMAC keys that Yahoo servers are making.
I tried to "guess" the signature base and key format and also conformed to the principles at http://developer.yahoo.com/oauth/guide/oauth-signing.html but with no luck.

Since every byte counts and can make a completely different HMAC-SHA1 signature, I wonder if there is some sort of a test vector scenario that will explain to me how Yahoo builds their signature on the data (starting by deriving the right HMAC-SHA1 keys from consumerSecret and then detailing the signature base).

Help appreciated
Blanca Silva11 Feb 2012 2:33 AM
Stéphane Popoff25 Feb 2012 1:09 AM
Hi,

I report something similar but in the other direction, "exchange pre-approve token for an access token". I can't generate the right signature for Yahoo. Did you find a solution?

Hi,

I have an error reported by Yahoo when I want to exchange my pre-approved request token for a new access token. Yahoo said the signature is invalid. How can I debug this problem? (I know the signature process works well with pure OAuth style access)

Any help welcome.

Stéphane
Cou Sin3 Apr 2012 1:27 AM
Did you try to concatenate these 2 strings with "&"?

the consumer secret + token secret
and from these 2 strings, when you concatenate with "&", it will be

your consumer secret + "%26" + token secret

The consumer secret key you will get when you register a new application, and the token secret you have to get from the request token method.

If you use the OAuth method, you have to get this token secret; if you use the OpenID method, the token secret is absent and you don't have to send it, just:

your consumer secret + "%26"
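
Added example, not part of any post above and not Yahoo's code: the HMAC-SHA1 signature base string and key as RFC 5849 section 3.4 defines them, checked against the published test vector from OAuth Core 1.0 Appendix A.5 and then run with an empty token secret. In this construction the two secrets are joined by a literal "&"; the function names are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    """RFC 5849 section 3.6: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(value, safe="")

def signing_key(consumer_secret, token_secret=""):
    """Both secrets encoded and joined by a literal "&"; the "&" stays
    even when no token secret exists (key is then "secret&")."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")

def base_string(method, url, params):
    """`url`: normalized, no query. `params`: dict of every query, body and
    oauth_* parameter except oauth_signature and realm (no repeated names)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join((method.upper(), pct(url), pct(normalized)))

def sign(method, url, params, consumer_secret, token_secret=""):
    mac = hmac.new(signing_key(consumer_secret, token_secret),
                   base_string(method, url, params).encode("ascii"),
                   hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def verify(received, method, url, params, consumer_secret, token_secret=""):
    """`received` is oauth_signature after one round of URL-decoding."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), received.encode())

# Published vector: OAuth Core 1.0, Appendix A.5 (token secret present).
SPEC_URL = "http://photos.example.net/photos"
SPEC_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
    "file": "vacation.jpg", "size": "original",
}
SPEC_SIG = "tR3+Ty81lMeYAr/Fid0kMTYa/WM="

if __name__ == "__main__":
    print(base_string("GET", SPEC_URL, SPEC_PARAMS))
    print(verify(SPEC_SIG, "GET", SPEC_URL, SPEC_PARAMS,
                 "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"))
    # Same request signed with no token secret (constructed case): key ends in "&".
    print(signing_key("kd94hf93k423kf44"), sign("GET", SPEC_URL, SPEC_PARAMS, "kd94hf93k423kf44"))
```

When a computed signature does not match, printing the base string and key bytes from each side and comparing them is the quickest way to find the differing byte.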