Yet Another 401 'signature_invalid' Problem

Hello Team Yahoo,

I have spent the last two days on this particular issue and I have been unable to resolve it. I have followed the OAuth documentation online as precisely as possible:

http://developer.yahoo.com/oauth/guide/

Despite having numerous issues with each step, I managed to get past step 4 (exchanging the Request Token and OAuth Verifier for an Access Token).

However, as with many other developers, the major stumbling block once again is the signing part:

http://developer.yahoo.com/oauth/guide/oauth-signing.html

Following these instructions has proved to be of little help; many of the important and critical details seem to have been left out!

For example, during the base string creation: the OAuth parameters have to be sorted alphabetically. Further there are issues with how characters are URL encoded, e.g. they have to be in the upper case format.

There are many small but critical details like these that are missing from the above online Yahoo OAuth guide. Due to this I have had to rely on information obtained from extensive searching online, pulled from various forums and blogs.

I’m using C# and ASP.NET with Visual Studio 2008. The OAuth helper class I am using has been obtained from here:

http://oauth.googlecode.com/svn/code/csharp/OAuthBase.cs

From my understanding this is recommended by the Yahoo documentation.

Below is my signing code (in C#):

// Requires: using System; using System.Configuration; using System.IO; using System.Net;
private void GetYahooContacts()
{
    //;==================================================
    //;Step 1: Build the base String.
    //;==================================================

    BasicOAuthBase __oe = new BasicOAuthBase();

    string __nonce = __oe.GenerateNonce();
    string __timestamp = __oe.GenerateTimeStamp();
    Uri __apiURL = new Uri(string.Format("http://social.yahooapis.com/v1/user/{0}/contacts?format=XML", Session["UserGUID"]));
    string __strAPI = __apiURL.ToString();

    // Filled in by GenerateSignature (out parameters)
    string normedURL = "";
    string requestedParms = "";

    //;==================================================
    //;Step 2: Generating the Signature
    //;==================================================

    string __signature = __oe.GenerateSignature(__apiURL
        , ConfigurationSettings.AppSettings["OAuthKey"].ToString()
        , ConfigurationSettings.AppSettings["OAuthSharedSecret"].ToString()
        , Session["AccessToken"].ToString()
        , Session["AccessSecret"].ToString()
        , "GET"
        , __timestamp
        , __nonce
        , BasicOAuthBase.SignatureTypes.HMACSHA1
        , out normedURL
        , out requestedParms);

    //;==================================================
    //;Step 3: Actually Making the API Call
    //;==================================================
    try
    {
        string __returnStr = string.Empty;

        HttpWebRequest __request = (HttpWebRequest)WebRequest.Create(__strAPI);
        __request.Method = "GET";

        string authHeader = "Authorization: OAuth "
            + "realm=\"yahooapis.com\""
            + ",oauth_consumer_key=\"" + ConfigurationSettings.AppSettings["OAuthKey"].ToString() + "\""
            + ",oauth_nonce=\"" + __nonce + "\""
            + ",oauth_signature_method=\"HMAC-SHA1\""
            + ",oauth_timestamp=\"" + __timestamp + "\""
            + ",oauth_token=\"" + UrlEncode(Session["AccessToken"].ToString()) + "\""
            + ",oauth_version=\"1.0\""
            + ",oauth_signature=\"" + UrlEncode(__signature) + "\"";

        __request.Headers.Add(authHeader);

        HttpWebResponse res = (HttpWebResponse)__request.GetResponse();
        StreamReader streamReader = new StreamReader(res.GetResponseStream());
        __returnStr = streamReader.ReadToEnd();
    }
    catch (WebException)
    {
        // Rethrow unchanged so the caller sees the original 401 and stack trace
        throw;
    }
}



Each time I attempt to make this call using this signing code, I get the 401 error code:





The remote server returned an error: (401) Unauthorized.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
length: 6
stack trace: at System.Net.HttpWebRequest.GetResponse() at InviteAFriend._Default.GetYahooContacts() in C:\Projects\Projects Web\InviteAFriend\InviteAFriend\InviteAFriend\Invite.aspx.cs:line 577
status: ProtocolError
Status Code: (401) Unauthorized
Status Description: Authorization Required
source: System
headers: 0: 0
headers: 1: chunked
headers: 2: keep-alive
headers: 3: private
headers: 4: application/xml
headers: 5: Wed, 13 Oct 2010 08:46:12 GMT
headers: 6: YTS/1.19.4
headers: 7: HTTP/1.1 r4.ycpi.uls.yahoo.net (YahooTrafficServer/1.19.4 [cMsSf ])
headers: 8: OAuth oauth_problem="signature_invalid", realm="yahooapis.com"





The RAW data:

Here is the actual ‘request string’:

http://social.yahooapis.com/v1/user/XH5JYZ...acts?format=XML

Here is the actual ‘authorisation header’ that is added to the above request string:


If you would like the Consumer Key and Shared Secret, I can post these as well, as this is just a test development key.

Please can someone help resolve this issue as soon as possible?

Kind Regards,
Anhar Miah
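
The two details the post names (alphabetical parameter order and upper-case percent-encoding) both come into play when the signature base string is built. The following is an added example, not code from the original post or from OAuthBase.cs: it builds the base string and HMAC-SHA1 signature by the OAuth 1.0 rules (RFC 5849, section 3.4), and the consumer key, token, secrets and user GUID in it are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
static class OAuth1SigningExample
{
    // RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal; hex digits are upper case.
    static string Enc(string s)
    {
        const string unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(s))
            if (unreserved.IndexOf((char)b) >= 0) sb.Append((char)b);
            else sb.Append('%').Append(b.ToString("X2"));
        return sb.ToString();
    }

    // METHOD & enc(URL without query) & enc(sorted, encoded name=value pairs). realm is never signed.
    static string BaseString(string method, string url, IEnumerable<KeyValuePair<string, string>> parameters)
    {
        var pairs = parameters
            .Select(p => new KeyValuePair<string, string>(Enc(p.Key), Enc(p.Value)))
            .OrderBy(p => p.Key, StringComparer.Ordinal)    // byte order, not culture order
            .ThenBy(p => p.Value, StringComparer.Ordinal)
            .Select(p => p.Key + "=" + p.Value);
        return method.ToUpperInvariant() + "&" + Enc(url) + "&" + Enc(string.Join("&", pairs.ToArray()));
    }

    // HMAC key = enc(consumer secret) & enc(token secret); the result is Base64.
    static string Sign(string baseString, string consumerSecret, string tokenSecret)
    {
        var key = Encoding.ASCII.GetBytes(Enc(consumerSecret) + "&" + Enc(tokenSecret));
        using (var hmac = new HMACSHA1(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    static void Main()
    {
        // Constructed sample values, not real credentials. The query parameter (format) is signed too.
        var p = new Dictionary<string, string> {
            { "oauth_version", "1.0" }, { "oauth_token", "A=constructed.token_value--" },
            { "format", "XML" }, { "oauth_consumer_key", "constructed-consumer-key--" },
            { "oauth_nonce", "1700362" }, { "oauth_timestamp", "1286959805" },
            { "oauth_signature_method", "HMAC-SHA1" } };
        string bs = BaseString("GET", "http://social.yahooapis.com/v1/user/EXAMPLEGUID/contacts", p);
        Console.WriteLine(bs);  // "=" in oauth_token shows as %253D: encoded per value, then again as a whole
        Console.WriteLine(Enc(Sign(bs, "constructed-consumer-secret", "constructed-token-secret")));
    }
}
```

Comparing the printed base string with the one a helper library produces for the same inputs shows where the two diverge, for example in a value that was encoded only once.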

6 Replies
  • Can anyone help?

    this is getting very frustrating.

    It is a very trivial task, get users list of email contacts (post consent).

    Out of using three APIs (Google, MSN, Yahoo):

    MSN has worked, but their "Security Scopes" means that the ONE thing I require (the emails) is not retrievable, and the process of getting the required access is almost deliberately hidden/obfuscated.

    Only Google's has worked with zero issues and worked perfectly. Why do Yahoo and MSN have to make things more complicated than required?

    Sadly it's this very kind of frustration that leads developers to use screen scraping in order to complete the required task.

    Kind Regards,
    Anhar
  • Hello Anhar..

    I am in a very similar situation.

    You must be using the same example project I used (oauth.test.aspx).

    In the production environment it works fine, in which domain are you trying to use it?
  • QUOTE (Amadeus Silva @ Oct 22 2010, 04:34 AM)
    Hello Anhar..

    I am in a very similar situation.

    You must be using the same example project I used (oauth.test.aspx).

    In the production environment it works fine, in which domain are you trying to use it?



    Hello Amadeus,

    Currently it is running in my localhost, I have not put it up to the production server, usually we develop locally, then move to test server then to production server.

    I have used the "oob" parameter such that the user is required to enter the key manually.

    Do you think that I will need to create another key with a domain that I can then map locally?
  • Hello Anhar.

    I think it is not possible to test dev with the same Consumer Key.

    I never tried to get another Consumer Key for dev but I think it's not possible either.

    As I told you it is only working in production...
  • "I have not put it up to the production server, usually we develop locally, then move to test server then to production server."

    The method here is the same, but it is not always possible ^^.
  • I tried to get a Consumer Key for development, but though it says you can skip domain verification it fails domain verification (??).