0

OAuth oauth_problem="signature_invalid" when executing YQL requests with Scribe

Hi,

I am having trouble executing YQL requests using the Scribe Java library. Not sure what I am doing wrong, but the system doesn't seem to like my request. I am able to get the user authorization and do get authdata back in the form X&Y&Z, and I use X as the access token and Y as the token secret to formulate requests using the Scribe Java API. Please find attached the HTTP request and response; any help would be appreciated.


Thanks,

Z

Request:

GET /v1/yql?q=select+*+from+fantasysports.leagues+where+league_key%3D%27249.l.37334%27 HTTP/1.1
Authorization: OAuth oauth_consumer_key="dj0yJmk9bG9a…….meD0wOA--", oauth_nonce="2d48c42c15614972e99f87bc05d8031e", oauth_signature="48LsFPOtWBmFQGBH%2BS1xxNfhUWw%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1286314620", oauth_token="A%3DGOuiGX3juBHErfO2ovdbwEaWil1KI6Tq28g0LXtbf9_ONf.a8bV1.UT6YLORc5p3roQ9EFeotR6b4l
t9a7pqHiioQsAby8UyEK5tg4U5TzoJEnPjHyOq7JdV764hFN.Sm2ryb86DxcO6FnHJjPQPKF8NdK8XoFS
Kp5PAm6LvTT1Cqup36aGjpzYo585N3RVRSPkrLIqAjQ.mhVf7mzTpFcIhX0ll.kxSWpDm8Uj6sSfYr3u5
vLntGiR27wxQnS2dz9Mry0aIN9OJANVzTbdVC98wcatLq.JZDVyw9HAiOhc1C8D6qKfn1y8OYZqEK3nCE
JmhO0XrV7Ly.d_UUKHk1g0HU1I25o5Wy6LFUS3Fl21z8bu6fJ1fIrIEC7ABVPktBlpTf1WFl4ryFDt24C
SQMNh_nOQnh3rC6dRhN25VIuUnWeis7ytfW1O5hXN5ZipcfnU6sCT4Pjyov0wg4Y24u7QQ.2.q_7kPvSt
EPONQKGn_Ny5YL0hLx.oENUJFiq.IyjiE29kHVMs6VioIFMECxN3WMIIuLaZ.9VtMAfqUHdLtodJ88nc4
zxTxyjV9kiAMykXVslnqyfw.8VCLb_MKJWPuV_Ii6.FcKolRa52Gm1hcIl4SYiT2OayGaUvkX33DgK2.9
wFogP3VR41xarN5SusvRaO32WoTfkJsaDRxmglz4K6txtn0k_F6", oauth_version="1.0", realm="yahooapis.com"
User-Agent: Java/1.6.0_21
Host: query.yahooapis.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

Response:

HTTP/1.1 401 Authorization Required
Date: Tue, 05 Oct 2010 21:37:01 GMT
WWW-Authenticate: OAuth oauth_problem="signature_invalid", realm="yahooapis.com"
Content-Type: application/xml
Cache-Control: private
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive
Server: YTS/1.17.21

16a
<?xml version='1.0' encoding='UTF-8'?>
<yahoo:error xmlns:yahoo='http://yahooapis.com/v1/base.rng'
xml:lang='en-US'>
<yahoo:description>Please provide valid credentials. OAuth oauth_problem="signature_invalid", realm="yahooapis.com"</yahoo:description>
</yahoo:error>
<!-- yqlengine1.pipes.mud.yahoo.com uncompressed/chunked Tue Oct 5 14:37:01 PDT 2010 -->

0

8 Replies
  • Hrm. That conceptually seems okay. Could you provide any sample code for how you're generating the base string for the signature? The only gotchas that I remember had to do mostly with what values were URL encoded and what order you presented the arguments in.
    0
  • First time poster here...

    I seem to be having a similar problem. I am able to get a token, token secret and the other applicable values (session handle, GUID, etc.) through PLAINTEXT. Once I try to make an API call (which to my understanding is required to be signed using HMAC-SHA1), I am always getting a 401 - Unauthorized response.

    I have read in a few posts that the order of the parameters and which ones are URL encoded is important, but I can't find out what this should be. Does anyone know for sure?

    For reference, here is the request normalized:
    CODE
    GET&http%3a%2f%2ffantasysports.yahooapis.com%2ffantasy%2fv2%2fteam%2f248.l.18532.t.1%2froster
    &oauth_consumer_key%3ddj0yJmk9NjJTSFBuWjZRbW5SJmQ9WVdrOVdWbENSMDUxTmpRbWNHbzlNQS0tJnM9Y29uc3VtZXJzZW
    NyZXQmeD0xNA--
    %26oauth_nonce%3d3998591%26oauth_signature_method%3dHMAC-SHA1%26oauth_timestamp%3d1288020099
    %26oauth_token%3dA%3dNwZqpJf_uAXfzheug.qm2t.gR4pzmwPSVfGFVhUqdYyaSx9LLxqGlsfm7xslyOqx0toqyu5xPAM3h9
    hFK1yFhT9pL_2ZNkMAsH_pRfRrgznU3E6Rmb1CotmqP5lzk0YGqeZiKuyBHUSUXv1muPXFrBp2shlZpU4
    75nyAR9Cy.cqsfv_71sVKBPT7UT8Hv0OcQrsjYQeMhR94Zo2v9HBmdRi28P9O4.kgG.HSfguiwqIiKmMt
    6JMivFIhSGBqna17sWwnPpkUZLV_e8mqDJJroaD3iGX0KcXVrBEMC6GvDVqpgtbf4cFMY92BdKiMLADB2
    OXnr0XbTMiiENp.wfTu9Yy7EkaxVKX60Rilg97ZFDWyGPC1uFUpLHtVI7kDlgzg_c_Pqupc70pycWK4Fn
    nT3Z1v874kjl5M6rx1Fgo0.rRD6oGmNf__aIQG65QbBEkPVoEw9PlGRGghWh8optAwRQ1stmQcxJLbcFl
    LEbDDu_bmskQ_4RVgMnDm9Xk7rEfCCnrbvAGpdtrn.lU_5DKbWZeDc09Ih3QtdCaE_Z_spUWpGiGsZgtb
    FTte9K78_Vc1ijWmNZIusX_XXXGOhFMvy4V1M51Oqg7uRyziBhFsYZvs5u8JzW5h3u_Xz0beMUW2l.VbH
    LPnBArCZ7TlXrnSB9pjcKffyCLIe4n0aGDPsXvmYH6PUZqOCWjmuzw0ih8jFICkmeHep9SGro5i8hnwHU
    9y.ASx6L5Tx4k-%26oauth_version%3d1.0


    And here is the URL I am calling once the signature is produced from the previous normalized URL:
    CODE
    http://fantasysports.yahooapis.com/fantasy/v2/team/248.l.18532.t.1/roster?
    oauth_consumer_key=dj0yJmk9NjJTSFBuWjZRbW5SJmQ9WVdrOVdWbENSMDUxTmpRbWNHbzlNQS0tJ
    nM9Y29uc3VtZXJzZWNyZXQmeD0xNA--&oauth_nonce=4327908&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1288020606&oauth_token=A=Jnasb4fgjz1NAnK9TD047Mr_IMEjUiVrB42UsZFvCeYCwa53vbgHSZzLvO3bOr
    N5GX1sTjHzjGK4JE_XtCoJJsRMKq80OiFybJynzJTQLlKfK8h73JMmZmYeoBEpOUMeZwIVRdsekH2Xhf9
    k8mDEFUeJjozaetsCNc_Pf_vq4QmM_Nskh_bWlMgReT.UQPomWzGlji54wnqqBX7IYipLG0IGx8L.m9og
    IXRCr2J4CyZte2lrElldwLIIVNLY0evLNzakFr2C249EytXEdsi0Qpnz3zEjyQ8nFM3fd1M0ALj8E8M_w
    nQVOiltps5x0rUeTuzUABJMcUGwaJICWUpyLzWcvd5M8ksFv5e6f9oE2pVGEu7m0UelGr6urXNBfeRp.V
    LRSwcrylS_LCbhl56yDPSXJVuhby4dEe52QbpDGd6urDJtShzuxvmxWxjjVGq8yz7RciVOIpQhgqQ.zPV
    LIPodXf2XQJDXWnGdN7IPZS36viShLuSXqFbU0H067bIJQBYC49jMNrPWcAny8n_B6JG525k8oz2zNy.y
    dBtys9cqPpjByTqlCIqXoSCt6SZwKY1SBJROZKfSzT3bo3ccAYk8phs.eHMo88QIuwmLnFkHM_MNXZNvp
    y1rvJckPolyPCz_7YVXTUzW.by.N97ASHhf1x4dyEekHAKMzTsKUY3jXYwE_2MxdIY1o9PibbYkzljQAI
    Jt5hvINxyKHkgMShjwm8MUqzKW0PM-&oauth_version=1.0&oauth_signature=fwucIwhiatKkopV1pSO%2fKirqYlk%3d


    You may notice that in the normalized URL, the token is URL encoded while in the signed call, it is not. I've tried both ways and was still unsuccessful. I hope I'm missing something simple since I'm new to OAuth, but I've tried a number of different things and have had no luck.

    Thanks to anyone who can be of assistance.
    0
  • Yup, again, things generally look good with your setup, too, Steve. Maybe easiest would just be for me to post the code that I have that seems to generally work. This is in PHP and was for POST-ing.

    CODE
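    // Assumes $consumer_key, $consumer_secret, $url and $response (the token response) are already set.
    $oauth_consumer_key = $consumer_key;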
    $oauth_nonce = rand( 0, 100000 );
    $oauth_signature_method = 'HMAC-SHA1';
    $oauth_timestamp = time();
    $oauth_version = "1.0";
    $oauth_token = $response['oauth_token'];

    $method = 'POST';
    $params = '';
    $params .= 'oauth_consumer_key=' . urlencode($oauth_consumer_key);
    $params .= '&oauth_nonce=' . urlencode($oauth_nonce);
    $params .= '&oauth_signature_method=' . urlencode($oauth_signature_method);
    $params .= '&oauth_timestamp=' . urlencode($oauth_timestamp);
    $params .= '&oauth_token=' . urlencode( $oauth_token );
    $params .= '&oauth_version=' . urlencode($oauth_version);

    $base_string = urlencode( $method ) . '&' . urlencode( $url ) . '&' .
    urlencode( $params );

    print 'Base string: ' . $base_string . "\n";
    $secret = urlencode( $consumer_secret ) . '&' . urlencode( $response['oauth_token_secret'] );
    $signature = base64_encode( hash_hmac( 'sha1', $base_string, $secret, true ) );

    print 'Signature: ' . $signature . "\n";

    $test_url = $url . '?' . $params . '&oauth_signature=' . urlencode( $signature );

    print 'Test URL: ' . $test_url . "\n";

    $postdata = '<test>test</test>';

    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_HTTPHEADER, array( 'Content-type: application/xml' ) );
    curl_setopt( $ch, CURLOPT_POST, 1 );
    curl_setopt( $ch, CURLOPT_POSTFIELDS, $postdata );
    curl_setopt( $ch, CURLOPT_URL, $test_url );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );

    $ycw_result = curl_exec( $ch );
    $ret_code = curl_getinfo( $ch, CURLINFO_HTTP_CODE );

    curl_close( $ch );

    print_r( $ycw_result );
    print 'Return code: ' . $ret_code . "\n";


    Going over the steps, it's basically:

    a) Formulate your oauth params, basically urlencoding all values.
    B)Does that work for you?
    0
  • Oh and I also want to note that I realize the Nonce keys are different in those two examples. I copied and pasted the strings from two different runs of tests.
    0
  • Thanks again, Sean.

    I took your inputs and saw that our signatures were different. After going through what seemed like each character of the values, I noticed that I was setting the base string with lower case values for the encoded chars ("%3d", "%2f", etc.) where you had upper case values ("%3D", "%2F", etc.). After seeing that and fixing the code, I finally got the same signature.

    I made a call to my football league URL and hockey URL and got back the expected XML. Sweet.

    Thanks for all your help.
    0
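
The upper-case versus lower-case escape problem found above comes from how the OAuth 1.0 HMAC-SHA1 signature base string is built. As an added example (not code from any poster or from Scribe), this Python sketch builds the base string per RFC 5849 and shows that lower-casing the escapes yields a different signature; the consumer key, token and both secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote

# URL, nonce and timestamp are taken from the thread; key, token and secrets are constructed.
URL = "http://fantasysports.yahooapis.com/fantasy/v2/team/248.l.18532.t.1/roster"
PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key--",
    "oauth_nonce": "3998591",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1288020099",
    "oauth_token": "A=constructed.token-",
    "oauth_version": "1.0",
}


def pct(value):
    """RFC 5849 sec. 3.6: only A-Z a-z 0-9 - . _ ~ stay literal; hex digits are upper case."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    # Encode each name and value, sort the encoded pairs, join with '=' and '&'.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Each of the three parts is encoded again, so the token's '=' ends up as %253D.
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base, consumer_secret, token_secret):
    # HMAC key is the two encoded secrets joined by '&'.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def lowercase_escapes(text):
    """Reproduce the mistake from the thread: %3d / %2f instead of %3D / %2F."""
    return re.sub(r"%[0-9A-F]{2}", lambda m: m.group(0).lower(), text)


BASE = base_string("GET", URL, PARAMS)
GOOD_SIG = sign(BASE, "constructed-consumer-secret", "constructed-token-secret")
BAD_SIG = sign(lowercase_escapes(BASE), "constructed-consumer-secret", "constructed-token-secret")

if __name__ == "__main__":
    print(BASE)
    print("upper-case escapes:", GOOD_SIG)
    print("lower-case escapes:", BAD_SIG)
```

The server recomputes the HMAC over its own upper-case base string, so a client that signs the lower-case variant gets `signature_invalid` even though every parameter value is correct.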
  • I am also getting the same error oauth_problem=signature_invalid in query string.

    and

    header format error

    Please provide valid credentials. OAuth oauth_problem="unable_to_determine_oauth_type", realm="yahooapis.com"



    Anyone, please help me.
    0
  • Where to get oauth_consumer_key?

    -1
  • The get_access_token_yahoo() function gives the following error:

    Array ( [0] => Array ( [url] => https://api.login.yahoo.com/oauth/v2/get_token?oauth_consumer_key=dj0yJmk9U0R3THE3djlNTFJhJmQ9WVdrOWFXSkliVXc0Tm1VbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD1kMA--&oauth_nonce=82034603&oauth_signature=Shr%2BLzThvuf7oOCQEmRy4I4VCUA%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1394453120&oauth_token=hp3rzu8&oauth_verifier=qmnxbs&oauth_version=1.0 [content_type] => application/x- [http_code] => 401 [header_size] => 453 [request_size] => 740 [filetime] => -1 [ssl_verify_result] => 0 [redirect_count] => 0 [total_time] => 0.188868 [namelookup_time] => 0.014198 [connect_time] => 0.048308 [pretransfer_time] => 0.132596 [size_upload] => 0 [size_download] => 28 [speed_download] => 148 [speed_upload] => 0 [download_content_length] => -1 [upload_content_length] => 0 [starttransfer_time] => 0.188769 [redirect_time] => 0 [request_header] => GET /oauth/v2/get_token?oauth_consumer_key=dj0yJmk9U0R3THE3djlNTFJhJmQ9WVdrOWFXSkliVXc0Tm1VbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD1kMA--&oauth_nonce=82034603&oauth_signature=Shr%2BLzThvuf7oOCQEmRy4I4VCUA%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1394453120&oauth_token=hp3rzu8&oauth_verifier=qmnxbs&oauth_version=1.0 HTTP/1.1 Host: api.login.yahoo.com Accept: / Authorization: OAuth realm="yahooapis.com",oauth_version="1.0",oauth_nonce="82034603",oauth_timestamp="1394453120",oauth_consumer_key="dj0yJmk9U0R3THE3djlNTFJhJmQ9WVdrOWFXSkliVXc0Tm1VbWNHbzlNQS0tJnM9Y29uc3VtZXJzZWNyZXQmeD1kMA--",oauth_token="hp3rzu8",oauth_verifier="qmnxbs",oauth_signature_method="HMAC-SHA1",oauth_signature="Shr%2BLzThvuf7oOCQEmRy4I4VCUA%3D" ) [1] => HTTP/1.1 401 Forbidden Date: Mon, 10 Mar 2014 12:05:20 GMT P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" WWW-Authenticate: OAuth oauth_problem=token_rejected Connection: close Transfer-Encoding: chunked 
Content-Type: application/x- Cache-Control: private [2] => oauth_problem=token_rejected [3] => Array ( [oauth_problem] => token_rejected ) )

    0
