Invalid Signature requesting access token - stumped

I'm on step 4 where I swap the oauth verifer for an access token and I keep getting invalid signature. I'm using the C# OauthBase code from http://oauth.net/code/ which I've modified to sort the parameters correctly, and added optional callbackURL and OauthVerifier parameters. I've tried umpty-gazillion variations of what parameters I've included, but haven't hit on the correct combination yet.

Here is the latest combination of parameters that I've tried:


(I've xxxx'd some of the values to protect my account:o)

Obviously, this list of parameters exactly matches this list here: http://developer.yahoo.com/oauth/guide/oau...ccesstoken.html

I got the request token using an HMAC-SHA1 signature, so I don't think that is the problem. I'd be happy to hear any thoughts.


2 Replies
  • Hi Dave,

    Can you please provide the ckey and signature? Actually
    there is no secrecy in the ckey because in the OAuth flow,
    any user can see it in the request parameters.

    Also the oauth_token and oauth_verifier are valid for
    only about 10 minutes and you can use a test account to
    go through the flow to protect your personal account.

    With that, can you please also provide the Signature Base

    Yu Wang
    Yahoo! Membership Team
  • Is your oauth_signature the concatenation of the application secret & token secret ?

    From http://oauth.net/core/1.0/#anchor16

    The HMAC-SHA1 signature method uses the HMAC-SHA1 signature algorithm as defined in [RFC2104] (Krawczyk, H., Bellare, M., and R. Canetti, “HMAC: Keyed-Hashing for Message Authentication,” .) where the Signature Base String is the text and the key is the concatenated values (each first encoded per Parameter Encoding (Parameter Encoding)) of the Consumer Secret and Token Secret, separated by an ‘&’ character (ASCII code 38) even if empty.

Recent Posts

in OAuth General Discussion YDN SDKs