Yahoo Social Platform - AS3 signature_invalid

Here's my AIR application, I'm having some issues with the any calls after I've successfully received the Access Token. In the doSubmit() function, am I creating the oauth_signature correction? I'm not clear about what I'm doing wrong...

Any help would be greatly appreciated.

<?xml version="1.0" encoding="utf-8"?>
<mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute"

import com.yahoo.social.YahooUser;
import com.yahoo.oauth.OAuthToken;
import com.yahoo.social.events.YahooResultEvent;
import com.yahoo.oauth.OAuthUtil;
import com.yahoo.oauth.OAuthConsumer;
import com.yahoo.oauth.OAuthRequest;
import com.yahoo.social.YahooSession;
import com.yahoo.oauth.OAuthConnection;
public static const CONSUMER_KEY:String = "MY_CONSUMER_KEY";
public static const CONSUMER_SECRET:String = "MY_CONSUMER_SECRET";
public static const APP_ID:String = "MY_APP_ID";

public static const REQ_URL:String = "https://api.login.yahoo.com/oauth/v2/get_request_token";

private var yahooSession:YahooSession;
private var consumer:OAuthConsumer;
private var _token:OAuthToken;
private var _user:YahooUser;

public function requestToken():void {
yahooSession = new YahooSession(CONSUMER_KEY, CONSUMER_SECRET, APP_ID);
consumer = new OAuthConsumer(CONSUMER_KEY, CONSUMER_SECRET);
yahooSession.auth.addEventListener(YahooResultEvent.GET_REQUEST_TOKEN_SUCCESS, handleRequestTokenSuccess);

private function handleRequestTokenSuccess(event:YahooResultEvent):void
// save the request token and use it to send the user to the authorize page
// then after the user has finished, use it again to request an access token.

_token = event.data as OAuthToken;

private function doEnter():void {
// fetch the oauth_verifier. this string may be typed
// into your application by the user or returned via the callback url.
var verifier:String = ti.text;

yahooSession.auth.addEventListener(YahooResultEvent.GET_ACCESS_TOKEN_SUCCESS, handleAccessTokenSuccess);
yahooSession.auth.addEventListener(YahooResultEvent.GET_ACCESS_TOKEN_FAILURE, handleFailure);
yahooSession.auth.getAccessToken(_token, verifier);

private function handleAccessTokenSuccess(event:YahooResultEvent):void
// save the access token and create a new session.
_token = event.data as OAuthToken;
button.enabled = false;
// set the sessions token.
_user = yahooSession.getSessionedUser();

private function doSubmit():void {

var args:Object = new Object();
args.format = "xml";
args.oauth_version = "1.0";
var date:Date = new Date();

args.oauth_signature = OAuthUtil.hmac_sha1(CONSUMER_SECRET + "&" + _token.secret, _token.key);
args.oauth_consumer_key = CONSUMER_KEY;
args.oauth_signature_method = "HMAC-SHA1";
args.oauth_timestamp = OAuthUtil.generate_timestamp(date);
args.oauth_nonce = OAuthUtil.generate_nonce(date);

var callback:Object = new Object();
callback.success = handleSuccess;
callback.failure = handleFailure;
var connection:OAuthConnection = OAuthConnection.fromConsumerAndToken(consumer, _token);
connection.asyncRequestSigned("GET", urlTI.text, callback, args);


private function handleSuccess(response:Object):void
var xml:XML = response.responseXML; // grab the parsed xml object.
resultTA.text = xml.toString();

private function handleFailure(response:Object):void
<mx:HBox width="100%" x="0" height="40">
<mx:Label text="Authorization Code"/>
<mx:TextInput id="ti"/>
<mx:Button label="Submit" click="doEnter()" id="button" />
<mx:HBox width="100%" x="0" y="50" height="40" >
<mx:TextInput width="100%" id="urlTI" text="http://fantasysports.yahooapis.com/fantasy/v2/users;use_login=1" />
<mx:Button label="Submit" click="doSubmit()" />

<mx:TextArea y="100" height="100%" width="100%" id="resultTA" />


1 Reply
  • It looks like, when you're generating the signature, you're just signing the token key? But you really need to be signing the "base string" for the request. This page goes into a little detail about what that means:


    And this comment has a PHP code example:


    Basic flow:

    1) Formulate your oauth params, basically urlencoding all values.
    2) Construct your base string, urlencoding the method, URL, and params (delimited by non-urlencoded '&'s)
    3) Generate the secret, which is the urlencoded consumer secret concatenated with the urlencoded access token secret (delimited by non-urlencoded '&'s)
    4) Generate the signature, which is the base64 encoding of the HMAC-SHA1 hash of the base string by the secret.
    5) Append the params and the urlencoded signature to the request to generate the final request.

    Does that help?

Recent Posts

in Fantasy Sports API