OAuth signature_invalid response on get_token

No matter what I do, I get signature_invalid in Step 4 of the OAuth process: "Exchange the Request Token and OAuth Verifier for an Access Token (get_token)" http://developer.yahoo.com/oauth/guide/oauth-accesstoken.html.

My step 1 URL looks like this: https://api.login.yahoo.com/oauth/v2/get_request_token?oauth_nonce=xacipf0qejd&oauth_timestamp=1382726837&oauth_consumer_key=xxxxJmk9RE03cGp0b3ppa24zJmQ9WVdrOWVqUTNVbk5yTXpRbWNHbzlNamczT1RVM01UWXkmcz1jb25zdW1lcnNlY3JldCZ4PTYz&oauth_signature_method=plaintext&oauth_signature=xxxx5fde119aa9c04205cafd656b3e60eef78d77%26&oauth_version=1.0&xoauth_lang_pref=\"en-us\"&oauth_callback=http://www.fitrme.net/YahooContact

I then get the authorization page URL:


and then make the request in Step 4 with this URL. The oauth_signature is correctly constructed with the consumer_secret, the %26 because it's plaintext, then the token_secret returned from Step 1:


The token secret in the oauth_signature is correct. I also tried changing the method to HMAC-SHA1 and removing the %26, but I get the same signature_invalid error.

What else could possibly be causing this? (Note: I changed the first 4 digits in the consumer key and secret.)

Thanks, Lawrence

3 Replies
  • I am having the exact same error.

    I have tried using the Yahoo PHP SDK, and also manually created the request. Please let me know if anyone has found a solution.

  • I have made a workaround for this and got it to work:

    1. When you request the request token, the response has oauth_token and oauth_Secret.
    2. Save the oauth_secret in some temporary place (I used memcache for storing the secret).
    3. When you want to get the access token, create the signature with oauth_token and the oauth_secret that you previously stored.
    4. That worked for me.
  • Thanks Abrar. I found the cause of my problem. The Yahoo documentation here http://developer.yahoo.com/oauth/guide/oauth-accesstoken.html is confusing.

    For Step 4, for oauth_signature the documentation says:

    "The concatenated Consumer Secret and Token Secret separated by an "&" character. If you are using the PLAINTEXT signature method, add %26 at the end of the Consumer Secret. "

    But if you look at the example provided, it actually doesn't have a "&" between the Consumer Secret and Token Secret:


    So removing the "&" fixed the problem for me.
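
Added example, not part of the original thread and not Yahoo's code: how RFC 5849 (OAuth 1.0) builds the signing key discussed above, for both PLAINTEXT and HMAC-SHA1, and how the single "&" separator turns into "%26" when the signature is placed in a query string. The secrets, the URL and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values, not real credentials or a real endpoint.
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"  # secret returned with the request token
URL = "https://provider.example/oauth/v2/get_token"


def pct(value):
    """Percent-encode as OAuth 1.0 requires: only RFC 3986 unreserved chars stay."""
    return quote(value, safe="-._~")


def signing_key(consumer_secret, token_secret=""):
    """Encoded consumer secret, exactly one '&', encoded token secret.
    The token secret is empty while requesting the request token."""
    return pct(consumer_secret) + "&" + pct(token_secret)


def plaintext_signature(consumer_secret, token_secret=""):
    """PLAINTEXT: the oauth_signature value is the signing key itself."""
    return signing_key(consumer_secret, token_secret)


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 uses the same '&'-joined key over the signature base string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = signing_key(consumer_secret, token_secret).encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def query_string(params, signature):
    """Encode every value once for the URL; the '&' separator becomes one %26."""
    signed = dict(params, oauth_signature=signature)
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in signed.items())


if __name__ == "__main__":
    params = {"oauth_token": "constructed-token", "oauth_signature_method": "PLAINTEXT"}
    print(query_string(params, plaintext_signature(CONSUMER_SECRET, TOKEN_SECRET)))
```

With PLAINTEXT both secrets travel verbatim in the request, so it belongs only on HTTPS endpoints and the full URL should be kept out of logs and bug reports.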

