
What did I do wrong here? (code included)

I am getting the signature invalid error. I must have made some mistakes when normalizing the URL or when signing the request. Can someone advise, please?

 
$oauth_nonce = microtime(true);
$oauth_timestamp = time();
$oauth_consumer_key = 'dj0yJmk9YVB5RUdiYU9LQ3UzJmQ9WVdrOVduWkJaM1ZITXpBbWNHbzlOekEyT1RFNU1UWXkmcz1jb25zdW1lcnNlY3JldCZXXXXX';
$oauth_consumer_secret = 'b261dd14407e555c13dadc0064438962bbeXXXXX';
$oauth_signature_method = 'plaintext';
$oauth_signature = 'b261dd14407e555c13dadc0064438962bbeXXXXX';
$oauth_callback = 'http://www.useralbum.com/import-yahoo-callback.html';


$request_url = 'https://api.login.yahoo.com/oauth/v2/get_request_token?
oauth_nonce='.$oauth_nonce.'
&oauth_timestamp='.$oauth_timestamp.'
&oauth_consumer_key='.$oauth_consumer_key.'
&oauth_signature_method=HMAC-SHA1
&oauth_version=1.0
&oauth_lang_pref=en-us
&oauth_callback='.$oauth_callback; 

// removing the new_line character
$request_url = str_replace("\n", '', $request_url);

// trying to create a base string
$base_string = 'GET&'.urlencode($request_url);

// creating a signature
$request_signature = urlencode(base64_encode(hash_hmac('sha1', $base_string, $oauth_consumer_secret.'&', true)));

// append signature
$request_url .= '&oauth_signature='.$request_signature;

header("Location: $request_url");
exit;

2 Replies
  • Adrian,

    One thing I see wrong is that your request URL has a "?": "get_request_token?oauth_nonce". Recall that for normalizing the base string, you must not use a question mark to separate the URL from the query parameters; you must use only the ampersand character, &.


  • Thanks for the reply. I wish there was more activity on the forums, because I see many people have the same problems (properly signing the requests).
    I managed to fix it after many days of testing and reading; of course now it looks simple :)

    Things people should look for when signing requests:

    • Unlike normal URLs that have variables after a "?" sign, with a normalized URL you need to replace that with an "&".
    • The URL variables need to be placed in alphabetical order.
    • Of course, remove the oauth_signature URL variable, normalize that URL and append this variable and its value later.
    • Encode that base string with these functions: urlencode(base64_encode(hash_hmac()));

    Here is my working PHP code doing the first signed request:
     
    <?php 
    
    $oauth_nonce = microtime(true);
    $oauth_timestamp = time();
    $oauth_consumer_key = 'dj0yJmk9YVB5RUdiYU9LQ3UzJmQ9WVdrOVduWkJaM1ZITXpBbWNHbzlOekEyT1RFNU1UWXkmcz1jb25zdWXXXXXXXXXXXXX';
    $oauth_consumer_secret = 'b261dd14407e555c13dadc00XXXXXXXXXXXX';
    $oauth_signature_method = 'HMAC-SHA1';
    $oauth_signature = 'b261dd14407e555c13dadc006XXXXXXXXXX';
    $oauth_callback = 'http://www.my-site.com/import-yahoo-callback.html';
    
    
    // !!! when "normalizing", the URL variables have to be in alphabetical order
    $request_url = 'https://api.login.yahoo.com/oauth/v2/get_request_token?
    oauth_callback='.urlencode($oauth_callback).'
    &oauth_consumer_key='.$oauth_consumer_key.'
    &oauth_nonce='.$oauth_nonce.'
    &oauth_signature_method='.$oauth_signature_method.'
    &oauth_timestamp='.$oauth_timestamp.'
    &oauth_version=1.0
    &xoauth_lang_pref=en-us';
    // remove the new_line character
    $request_url = str_replace("\n", '', $request_url);
    
    // create a base string
    $base_string = $request_url;
    $base_string = 'GET&'.urlencode($base_string);
    // replace the encoded "?" with an "&" AFTER url encode, so that it is the only "&" remaining unencoded
    $base_string = str_replace("%3F", "&", $base_string);
    // encode the base string into signature
    $request_signature = urlencode(base64_encode(hash_hmac('sha1', $base_string, $oauth_consumer_secret.'&', true)));
    // append the signature
    $request_url .= '&oauth_signature='.$request_signature;
    
    $request_response = file_get_contents($request_url);
    
    echo($request_response);
    ?>


    1
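
The checklist above, written as a general OAuth 1.0 HMAC-SHA1 signing routine. This is an added example, not the poster's code; it goes beyond the hand-ordered URL string by percent-encoding and sorting whatever parameters it is given. The function names, the consumer key and secret, and the callback URL are constructed placeholders.

```php
<?php
// Added example. Credentials and callback below are constructed placeholders.

// Signature base string: METHOD & enc(base URL) & enc(sorted, encoded parameters).
// rawurlencode() gives the RFC 3986 encoding OAuth 1.0 expects (space => %20).
function oauth_base_string(string $method, string $base_url, array $params): string {
    unset($params['oauth_signature']);            // never part of the signed data
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = [rawurlencode((string)$name), rawurlencode((string)$value)];
    }
    // Sort by encoded name, then by encoded value, in byte order.
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $normalized = implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));
    return strtoupper($method) . '&' . rawurlencode($base_url) . '&' . rawurlencode($normalized);
}

// HMAC key is enc(consumer secret) & enc(token secret); the token secret is
// empty for the request-token step, which leaves the trailing "&".
function oauth_sign(string $base, string $consumer_secret, string $token_secret = ''): string {
    $key = rawurlencode($consumer_secret) . '&' . rawurlencode($token_secret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

$base_url = 'https://api.login.yahoo.com/oauth/v2/get_request_token';
$params = [                                       // deliberately not in sorted order
    'oauth_nonce'            => bin2hex(random_bytes(16)),   // unpredictable nonce
    'oauth_timestamp'        => (string)time(),
    'oauth_consumer_key'     => 'EXAMPLE_CONSUMER_KEY',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_version'          => '1.0',
    'xoauth_lang_pref'       => 'en-us',
    'oauth_callback'         => 'http://www.example.com/callback.html?from=yahoo',
];

$base = oauth_base_string('GET', $base_url, $params);
$params['oauth_signature'] = oauth_sign($base, 'EXAMPLE_CONSUMER_SECRET');

// The request itself uses an ordinary "?" query string; only the base string is special.
$request_url = $base_url . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);

echo $base, "\n", $request_url, "\n";
```

Printing the base string next to the request URL makes a "signature invalid" response easier to debug, since the base string is the exact byte sequence the server recomputes.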
