I have my YAP's canvas URL pointing to a servlet that authenticates a Yahoo player for my game, logs them in and then loads the game in the canvas. This all works great, but I'm having problems validating the oauth_signature that is passed in with all the other parameters. For reference, I'm getting the following parameters in the call to my canvas URL:
yap_viewer_access_token_secret=2e622621e88d6632c639bd21e493dee60ac068b0
yap_viewer_guid=KMUM6EAPTEOLLD7PIWS642ILL4
yap_jurisdiction=US
oauth_signature=xUWXX6QoB9xNvgVSUf0KUfONU5w=
oauth_nonce=7636871911099914700
yap_time=1312492869
yap_owner_guid=KMUM6EAPTEOLLD7PIWS642ILL4
yap_viewer_access_token=A=aScCR3KbvxnDcX7TexnT8i8p_xK3C2qHv5yu8ehHm5SsYB24I2QUStKXDnN6q5Ri8.l3YtxcDbEN66CfHVu.dw7t6c0.qOAu2S2vmQvwNrA0m0GpwRsUHYsHARWQjxNZVhbeskwzPwuQZ8OLQBdlMfW5HI
gl6rGt0_xgavs6_hrl0QY4484ORz3OL6WrwQZ043su8mOGKiOGdtpvF1dD3XOHuvb838_ZP5rk6aaqgxv5lppyUJ9CuC9g3YxvN1iCH5E2oQPTTybFMkU4oUXac55IAt7_7PjM5Q3eyKHDqwx_thOlUi3.Jf0KxhsXr9sHOi3OMUCpJ13pLnFO7L_G1255OzWdeS_UzRY
o6cXdvFhh54ZRRLjAx.vvg9cInlRzLHDcXevQbuSjOBHMi373t39JnoKVnBT0hTdfhfCl.I.i7QIAxu4HlA4kesto5ctbToPEP7BnIMNNBLernykr.AxB4KTMduC80lPtHWWD2prfK7tL3dBe1R63FqH0AFgbV5CPwIoFWJruRVWXQMmTgY_5ffXfL5RFHKzoucadJgO9
F4qk7E_.M7dw3hOEm0aHcXQCB6sChLqC0MgehmhAdZw8qNIwPG3gmGUbcC7vd11F3RgpNcAIoJfOta3e3Q6awYWk1IaZqs3LOQapXG2klEiT9oUz8eKtPJg2m3MOyv8u0BbaNF_yEBeyuQsagP5KPk94.t0YH7dXFecOOI0DbDuFZZfeumcPaND2HPwxaGCZIQWeYlA61
Hl9zyV1wo60aVbgOvKZF3YubL3fYnQlItGHFnnEGhENIqEhekRXEaJZedMbBygCyyxv6iZSClryFtZKaM9lJJURupc8DtsqzBdX5.qn
yap_view=canvas
yap_dropzone_id=853760
yap_appid=j8P8Ih3c
oauth_signature_method=HMAC-SHA1
yap_consumer_key=dj0yJmk9NTdUaURVZlhLa3h3JmQ9WVdrOWFqaFFPRWxvTTJNbWNHbzlNVGsxTkRrd05EYzJNZy0tJnM9Y29uc3VtZXJzZWNyZXQmeD1kMA--
env=yap
oauth_timestamp=1312492869
yap_tz=America/Los_Angeles
oauth_version=1.0
oauth_consumer_key=dj0yJmk9NTdUaURVZlhLa3h3JmQ9WVdrOWFqaFFPRWxvTTJNbWNHbzlNVGsxTkRrd05EYzJNZy0tJnM9Y29uc3VtZXJzZWNyZXQmeD1kMA--
According to the documentation here and here, the signature should be generated by normalizing the request, then hashing that string, signed with my consumer secret and the token secret concatenated with an ampersand. Here's what I'm passing to my HMAC-SHA1 method (which is tested and works with other OAuth applications):
text:
POST&http%3A%2F%2Fbluetongue.homeip.net%3A8080%2Fv%2FyahooAuthenticate&oauth_consumer_key%3Ddj0yJmk9NTdUaURVZlhLa3h3JmQ9WVdrOWFqaFFPRWxvTTJNbWNHbzlNVGsxTkRrd05EYzJNZy0tJnM9Y29uc3VtZXJzZWNyZXQmeD1kMA--%26oauth_nonce%3D7636871911099914700%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1312492869%26oauth_version%3D1.0%26yap_appid%3Dj8P8Ih3c%26yap_consumer_key%3Ddj0yJmk9NTdUaURVZlhLa3h3JmQ9WVdrOWFqaFFPRWxvTTJNbWNHbzlNVGsxTkRrd05EYzJNZy0tJnM9Y29uc3VtZXJzZWNyZXQmeD1kMA--%26yap_dropzone_id%3D853760%26yap_jurisdiction%3DUS%26yap_owner_guid%3DKMUM6EAPTEOLLD7PIWS642ILL4%26yap_time%3D1312492869%26yap_tz%3DAmerica%252FLos_Angeles%26yap_view%3Dcanvas%26yap_viewer_access_token%3DA%253DaScCR3KbvxnDcX7TexnT8i8p_xK3C2qHv5yu8ehHm5SsYB24I2QUStKXDnN6q5Ri8.l3YtxcDbEN66CfHVu.dw7t6c0.qOAu2S2vmQvwNrA0m0GpwRsUHYsHARWQjxNZVhbeskwzPwuQZ8OLQBdlMfW5HIgl6rGt0_xgavs6_hrl0QY4484ORz3OL6WrwQZ043su8mOGKiOGdtpvF1dD3XOHuvb838_ZP5rk6aaqgxv5lppyUJ9CuC9g3YxvN1iCH5E2oQPTTybFMkU4oUXac55IAt7_7PjM5Q3eyKHDqwx_thOlUi3.Jf0KxhsXr9sHOi3OMUCpJ13pLnFO7L_G1255OzWdeS_UzRYo6cXdvFhh54ZRRLjAx.vvg9cInlRzLHDcXevQbuSjOBHMi373t39JnoKVnBT0hTdfhfCl.I.i7QIAxu4HlA4kesto5ctbToPEP7BnIMNNBLernykr.AxB4KTMduC80lPtHWWD2prfK7tL3dBe1R63FqH0AFgbV5CPwIoFWJruRVWXQMmTgY_5ffXfL5RFHKzoucadJgO9F4qk7E_.M7dw3hOEm0aHcXQCB6sChLqC0MgehmhAdZw8qNIwPG3gmGUbcC7vd11F3RgpNcAIoJfOta3e3Q6awYWk1IaZqs3LOQapXG2klEiT9oUz8eKtPJg2m3MOyv8u0BbaNF_yEBeyuQsagP5KPk94.t0YH7dXFecOOI0DbDuFZZfeumcPaND2HPwxaGCZIQWeYlA61Hl9zyV1wo60aVbgOvKZF3YubL3fYnQlItGHFnnEGhENIqEhekRXEaJZedMbBygCyyxv6iZSClryFtZKaM9lJJURupc8DtsqzBdX5.qn%26yap_viewer_access_token_secret%3D2e622621e88d6632c639bd21e493dee60ac068b0%26yap_viewer_guid%3DKMUM6EAPTEOLLD7PIWS642ILL4
I'm calculating the key correctly (including capitalizing the alpha characters), but the signature I get is different to the signature sent in with the request to the canvas URL.
oauth_signature:
0ejLMvn9sJ3XkBjq5ec/8n2LIfQ=
my calculated signature:
tjTh2pk0W0ai7TJCoP/XwvexrCM=
I don't see my error; the base string for the signature calculation looks correct to me.
My canvas URL is the following: http://bluetongue.homeip.net:8080/v/yahooAuthenticate?env=yap. I've tried including the "env=yap" parameter both in the URL portion of the baseString, and as one of the parameters, as well as leaving it out entirely; however, none of these work. I also have my suspicions that the inclusion of the non-standard HTTP port might be causing the issue.
Is there any way to see exactly how the oauth_token is being calculated on Yahoo's side when the call to my canvas URL is made?
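For reference, a server-side verifier that follows the generic OAuth 1.0 rules in RFC 5849 for the points raised in the question (query-string parameters, a non-default port, double encoding of values). This is an added example, not part of the original post and not Yahoo's code; the host `game.example`, the secrets and the sample parameters are constructed, and `body_params` is assumed to hold already-decoded form values.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # RFC 5849 section 3.6: everything except unreserved characters is encoded
    return quote(s, safe="-._~")

def base_string_uri(url):
    # Section 3.4.1.2: lowercase scheme and host, keep a non-default port, drop the query
    u = urlsplit(url)
    host = u.hostname.lower()
    default = {"http": 80, "https": 443}.get(u.scheme.lower())
    if u.port and u.port != default:
        host += ":%d" % u.port
    return "%s://%s%s" % (u.scheme.lower(), host, u.path or "/")

def signature_base_string(method, url, body_params):
    # Section 3.4.1.3: query parameters (e.g. env=yap) are signed together with
    # the body parameters; oauth_signature itself is left out
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True) + list(body_params)
    enc = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join("%s=%s" % kv for kv in enc)
    # The normalized string is encoded again, so "/" in a value ends up as %252F
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def sign(base, consumer_secret, token_secret=""):
    # Key is always "<consumer secret>&<token secret>", even with an empty token secret
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(method, url, body_params, consumer_secret, token_secret=""):
    received = dict(body_params).get("oauth_signature", "")
    base = signature_base_string(method, url, body_params)
    # Constant-time comparison avoids leaking how many leading bytes matched
    return hmac.compare_digest(sign(base, consumer_secret, token_secret), received)

# Constructed sample request (not the values from the post)
SAMPLE_URL = "http://game.example:8080/v/yahooAuthenticate?env=yap"
SAMPLE_PARAMS = [("yap_tz", "America/Los_Angeles"), ("oauth_nonce", "123"),
                 ("oauth_signature_method", "HMAC-SHA1"), ("yap_view", "canvas")]

if __name__ == "__main__":
    base = signature_base_string("POST", SAMPLE_URL, SAMPLE_PARAMS)
    sig = sign(base, "constructed-consumer-secret", "constructed-token-secret")
    signed = SAMPLE_PARAMS + [("oauth_signature", sig)]
    print(base)
    print(verify("POST", SAMPLE_URL, signed, "constructed-consumer-secret",
                 "constructed-token-secret"))
```

Printing the base string the verifier builds and diffing it against the one the client claims to have signed is usually the quickest way to locate a mismatch.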