Could not verify Pre-approved Request Token (OpenID) sent from Yahoo

I'm trying to use the Yahoo samples to get OpenID working, according to the sample at http://developer.yahoo.com/oauth/guide/request-token.html

After the user authorizes the access, the redirect to my site occurs, but I'm not able to successfully verify the HMAC-SHA1 signature made by Yahoo.
I have reviewed the specs and the sample source code that is out there, but I cannot verify the exact values of the signature base and HMAC keys that Yahoo's servers are making.
I tried to "guess" the signature base and key format and also conformed to the principles at http://developer.yahoo.com/oauth/guide/oauth-signing.html but with no luck.

Since every byte counts and can make a completely different HMAC-SHA1 signature, I wonder if there is some sort of test vector scenario that will explain to me how Yahoo builds their signature on the data (starting by deriving the right HMAC-SHA1 keys from consumerSecret and then detailing the signature base).

Help appreciated

3 Replies
  • Hi,

    I report something similar but in the other direction, "exchange pre-approved token for an access token": I can't generate the right signature for Yahoo. Did you find a solution?


    I get an error reported by Yahoo when I want to exchange my pre-approved request token for a new access token. Yahoo said the signature is invalid. How can I debug this problem? (I know the signature process works well with pure OAuth style access.)

    Any help welcome.

  • Did you try to concatenate these 2 strings with "&"?

    the consumer secret + token secret
    and these 2 strings, when you concatenate them with "&", will be

    your consumer secret + "%26" + token secret

    The consumer secret key you will get when you register a new application, and the token secret you have to get from the request token method.

    If you use the OAuth method, you have to get this token secret; if you use the OpenID method, the token secret is absent and you don't have to send it, just:

    your consumer secret + "%26"
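
Added example, not part of the thread and not Yahoo's code: a reference HMAC-SHA1 signer and verifier following the OAuth 1.0 rules in RFC 5849, run against the published example in OAuth Core 1.0, Appendix A, which serves as the kind of test vector asked for above. The function names are my own, and it assumes the URL is already normalized (no query string, default port dropped). Under RFC 5849 the HMAC key is the two percent-encoded secrets joined by a literal `&`, which stays in place when the token secret is empty.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(s):
    """RFC 5849 section 3.6 encoding: only A-Z a-z 0-9 - . _ ~ stay as-is."""
    return quote(s, safe="-._~")

def signing_key(consumer_secret, token_secret=""):
    # Both secrets are percent-encoded, then joined with a literal "&".
    # The "&" is kept even when the token secret is empty.
    return (pct(consumer_secret) + "&" + pct(token_secret)).encode("ascii")

def signature_base(method, url, params):
    # url: scheme://host/path without query string. params: (name, value) pairs
    # from query string, form body and OAuth header; oauth_signature is skipped.
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(k + "=" + v for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    base = signature_base(method, url, params).encode("ascii")
    mac = hmac.new(signing_key(consumer_secret, token_secret), base, hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def verify(received_sig, method, url, params, consumer_secret, token_secret=""):
    # received_sig must already be URL-decoded; the comparison is constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), received_sig.encode())

# Values from the OAuth Core 1.0 Appendix A example (not Yahoo values).
URL = "http://photos.example.net/photos"
PARAMS = [
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"),
    ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"),
    ("oauth_version", "1.0"),
    ("file", "vacation.jpg"),
    ("size", "original"),
]

if __name__ == "__main__":
    print(signature_base("GET", URL, PARAMS))
    print(sign("GET", URL, PARAMS, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"))
```

When a signature fails to verify, print the base string and key for the failing request and compare them byte for byte with the other side's expectations; a mismatch is usually in the encoding or ordering of one parameter.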
