Yet Another 401 'signature_invalid' Problem

Hello Team Yahoo,

I have spent the last two days on this particular issue and I have been unable to resolve the issue. I have followed the OAuth documentation online as precisely as possible:


Despite having numerous issues with each step, I managed to get past step 4 (exchanging the Request Token and OAuth Verifier for an Access Token).

However, as with many other developers, the major stumbling block once again is the signing part:


Following these instructions has proved to be of little help; many of the important and critical details seem to have been left out!

For example, during the base string creation: the OAuth parameters have to be sorted alphabetically. Further there are issues with how characters are URL encoded, e.g. they have to be in the upper case format.

There are many small but critical details like these that are missing from the above online Yahoo OAuth guide. Due to this I have had to rely on information obtained from extensive searching online, pulled from various forums and blogs.

I’m using C# and ASP.NET with Visual Studio 2008. The OAuth helper class I am using has been obtained from here:


From my understanding this is recommended by the Yahoo documentation.

Below is my signing code (in C#):

private void GetYahooContacts()
{
    // Requires: using System; using System.Configuration; using System.IO; using System.Net;

    // Step 1: Build the base string.
    BasicOAuthBase __oe = new BasicOAuthBase();

    string __nonce = __oe.GenerateNonce();
    string __timestamp = __oe.GenerateTimeStamp();
    Uri __apiURL = new Uri(string.Format("http://social.yahooapis.com/v1/user/{0}/contacts?format=XML", Session["UserGUID"]));
    string __strAPI = __apiURL.ToString();

    string normedURL = "";
    string requestedParms = "";

    // Step 2: Generating the signature
    string __signature = __oe.GenerateSignature(__apiURL
        , ConfigurationSettings.AppSettings["OAuthKey"].ToString()
        , ConfigurationSettings.AppSettings["OAuthSharedSecret"].ToString()
        , Session["AccessToken"].ToString()
        , Session["AccessSecret"].ToString()
        , "GET"
        , __timestamp
        , __nonce
        , BasicOAuthBase.SignatureTypes.HMACSHA1
        , out normedURL
        , out requestedParms);

    // Step 3: Actually making the API call
    string __returnStr = string.Empty;

    try
    {
        HttpWebRequest __request = (HttpWebRequest)WebRequest.Create(__strAPI);
        __request.Method = "GET";

        string authHeader = "Authorization: OAuth "
            + "realm=\"yahooapis.com\""
            + ",oauth_consumer_key=\"" + ConfigurationSettings.AppSettings["OAuthKey"].ToString() + "\""
            + ",oauth_nonce=\"" + __nonce + "\""
            + ",oauth_signature_method=\"HMAC-SHA1\""
            + ",oauth_timestamp=\"" + __timestamp + "\""
            + ",oauth_token=\"" + UrlEncode(Session["AccessToken"].ToString()) + "\""
            + ",oauth_version=\"1.0\""
            + ",oauth_signature=\"" + UrlEncode(__signature) + "\"";

        // The post states that this header is added to the request;
        // the call itself is missing from the posted code.
        __request.Headers.Add(authHeader);

        HttpWebResponse res = (HttpWebResponse)__request.GetResponse();
        StreamReader streamReader = new StreamReader(res.GetResponseStream());
        __returnStr = streamReader.ReadToEnd();
    }
    catch (WebException ex)
    {
        // The handler body is not included in the post.
    }
}

Each time I attempt to make this call using this signing code, I get the 401 error code:

The remote server returned an error: (401) Unauthorized.
length: 6
stack trace: at System.Net.HttpWebRequest.GetResponse() at InviteAFriend._Default.GetYahooContacts() in C:\Projects\Projects Web\InviteAFriend\InviteAFriend\InviteAFriend\Invite.aspx.cs:line 577
status: ProtocolError
Status Code: (401) Unauthorized
Status Description: Authorization Required
source: System
headers: 0: 0
headers: 1: chunked
headers: 2: keep-alive
headers: 3: private
headers: 4: application/xml
headers: 5: Wed, 13 Oct 2010 08:46:12 GMT
headers: 6: YTS/1.19.4
headers: 7: HTTP/1.1 r4.ycpi.uls.yahoo.net (YahooTrafficServer/1.19.4 [cMsSf ])
headers: 8: OAuth oauth_problem="signature_invalid", realm="yahooapis.com"

The RAW data:

Here is the actual ‘request string’:


Here is the actual ‘authorisation header’ that is added to the above request string:

Authorization: OAuth realm="yahooapis.com",oauth_consumer_key="dj0yJmk9OHdpTXM4aXp5SkV1JmQ9WVdrOVRXOVFUVkYxTnpnbWNHbzlNQS0tJnM9Y29uc3VtZXJ

If you would like the Consumer Key and Shared Secret, I can post these as well, as this is just a test development key.

Please can someone help resolve this issue as soon as possible?

Kind Regards,
Anhar Miah
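
Added example (not part of the original post and not the OAuth helper class it uses): a sketch of the OAuth 1.0 HMAC-SHA1 signing steps the post refers to, showing the byte-order parameter sort and the upper-case percent-encoding defined in RFC 5849. The class name, the key, token and secret values and the EXAMPLEGUID placeholder are constructed, and the URL is assumed to be already normalised (lower-case scheme and host, no default port).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class OAuth1SigningSketch // hypothetical class, not the helper linked in the post
{
    const string Unreserved =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

    // Unreserved characters stay literal; any other UTF-8 byte becomes %XX, upper-case hex.
    static string Enc(string s)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(s ?? ""))
            if (Unreserved.IndexOf((char)b) >= 0) sb.Append((char)b);
            else sb.Append('%').Append(b.ToString("X2"));
        return sb.ToString();
    }

    // url carries no query string. parms holds the query parameters and every oauth_*
    // value except oauth_signature (realm is excluded too); names assumed unique.
    static string BaseString(string method, string url, IDictionary<string, string> parms)
    {
        string[] pairs = parms.OrderBy(p => Enc(p.Key), StringComparer.Ordinal)
                              .Select(p => Enc(p.Key) + "=" + Enc(p.Value)).ToArray();
        return method.ToUpperInvariant() + "&" + Enc(url) + "&" + Enc(string.Join("&", pairs));
    }

    // HMAC-SHA1 key: encoded consumer secret, "&", encoded token secret.
    static string Sign(string baseString, string consumerSecret, string tokenSecret)
    {
        byte[] key = Encoding.ASCII.GetBytes(Enc(consumerSecret) + "&" + Enc(tokenSecret));
        using (var hmac = new HMACSHA1(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    static void Main()
    {
        var parms = new Dictionary<string, string> { // constructed sample values
            { "format", "XML" }, { "oauth_version", "1.0" },
            { "oauth_token", "A=constructed/token+value" }, { "oauth_timestamp", "1286959572" },
            { "oauth_signature_method", "HMAC-SHA1" }, { "oauth_nonce", "constructednonce" },
            { "oauth_consumer_key", "constructed-consumer-key" } };
        string bs = BaseString("get", "http://social.yahooapis.com/v1/user/EXAMPLEGUID/contacts", parms);
        Console.WriteLine(bs);
        Console.WriteLine(Enc(Sign(bs, "constructed-secret", "constructed-token-secret")));
    }
}
```

Comparing the printed base string with the one a helper class produces for the same inputs shows whether a mismatch comes from the encoding, the ordering or the key.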

6 Replies
  • Can anyone help?

    This is getting very frustrating.

    It is a very trivial task: get the user's list of email contacts (post consent).

    Out of using three APIs (Google, MSN, Yahoo):

    MSN has worked, but their "Security Scopes" mean that the ONE thing I require (the emails) is not retrievable! And the process of getting the required access is almost deliberately hidden/obfuscated.

    Only Google's has worked with zero issues and worked perfectly. Why do Yahoo and MSN have to make things more complicated than required?

    Sadly it's this very kind of frustration that leads developers to use screen scraping in order to complete the required task.

    Kind Regards,
  • Hello Anhar..

    I am in a very similar situation.

    You must be using the same example project I used (oauth.test.aspx) .

    In the production environment it works fine, in which domain are you trying to use it?
  • QUOTE (Amadeus Silva @ Oct 22 2010, 04:34 AM)
    Hello Anhar..

    I am in a very similar situation.

    You must be using the same example project I used (oauth.test.aspx) .

    In the production environment it works fine, in which domain are you trying to use it?

    Hello Amadeus,

    Currently it is running on my localhost; I have not put it up to the production server. Usually we develop locally, then move to the test server, then to the production server.

    I have used the "oob" parameter such that the user is required to enter the key manually.

    Do you think that I will need to create another key with a domain that I can then map locally?
  • Hello Anhar.

    I think it is not possible to test dev with the same Consumer Key.

    I never tried to get another Consumer Key for dev but I think it's not possible either.

    As I told you it is only working in production...
  • "I have not put it up to the production server, usually we develop locally, then move to test server then to production server."

    The method here is the same, but it is not always possible ^^.
  • I tried to get a Consumer Key for development, but though it says you can skip domain verification it fails domain verification (??).
