
signature_invalid

On occasion, some of my users are receiving the following error:

401 WWW-Authenticate: OAuth oauth_problem="signature_invalid", realm="yahooapis.com"

This is well after they have been authorized, and beyond the 1 hour mark, so the token should have already refreshed before they make a request.

99% of the time this works for my users, but like I said on a rare occasion my error logs show this error.


oauth_token="A%3D_o58qj3QvFHA5nN.wOqCfiuwxQVRtfhkcrRAXkqkDS5d_.VvNJpMKICszjTiIwAmgVHvzkYTDD_Xf5
OoamdKDlcPYG3BGQ7RaIv97O951WCvvUsWD7WA3friDMyk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx--", oauth_consumer_key="dj0yJmxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxOQ--", oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1278650046", oauth_nonce="-945200453", oauth_signature="MiI%2FlofAHYyp0sBxxxxxxxxxxxxxxxxxxxxFDgCQ%3D"


What I have noticed is that every single time I see one of these errors in my log, the oauth_token starts out "A%3D".

Any idea on why I could get a signature_invalid? Does this mean the token needs to be refreshed again? All of the headers look good to me and this error has only occurred a handful of times.

10 Replies
  • Hi,

    Can you please send the complete HTTP request and response and
    the Signature Base String that you use for the signature
    calculation? Except for consumer secret and access token secret,
    you can send all the other information. Because the access token
    secret is only valid for one hour, you can send it after it
    expires so no harm can happen to your user.

    Thanks,
    Yu Wang
    Yahoo! Membership Team
  • QUOTE (omiga @ Jul 9 2010, 02:59 PM)
    Hi,

    Can you please send the complete HTTP request and response and
    the Signature Base String that you use for the signature
    calculation? Except for consumer secret and access token secret,
    you can send all the other information. Because the access token
    secret is only valid for one hour, you can send it after it
    expires so no harm can happen to your user.

    Thanks,
    Yu Wang
    Yahoo! Membership Team



    Hi Yu,

    Here is the data:
    response:
    401 WWW-Authenticate: OAuth oauth_problem="signature_invalid", realm="yahooapis.com"Authorization Required

    request headers:
    oauth_token="A%3DCtDAoEXAuirnY_umv7TS1Sr.J18w31eT2SIzBiTvpHefgHCgk35..wmxq42as59.YEnobIHbQizpkx
    YFUKdZtFsJg9COABBrSdleRLXIC5R_eHaTCi7XtTU81T6h.8X_O36w_VUlPXBVIQH0h1a.hsMteeUsUNf
    8ezlXUlSmi5RYNrjsS0Hd3tEHDaU6XT3F1Zn9GrAdHbav2dcXLALBak5amdXtkAuGOSjYfQ_3dUoQrzkN
    a9eMJIBtkUY2KdyohquKAdS6Fas.lnrI35wgu4AzTHoViT1ZzN1w3aWtWjD1wZDqsr7BMDIwMEGXuKzzT
    jX33mZpBa413aR8vNcuz.F5gEYGfjkGcP5uNw1vK_RNjIfzrPRraiY7vdqoJKSP65NeSQnVh73M.Fjm1r
    curw8RocPaMVtVLnxEHccp_nSe3Ro7eW40s.9vy3UZny7H1QGP3vk2Zy6WF7CpJYBBG.Wb4M4ZIrsI7RL
    c5CE0yomIvpNEx4VRuj8zJIGmfvfVp0WQRzDhRX9sT6HaofzyegjWU7gLk3Mu_E.YZtfNpDknS79jSGo1
    _BR9C0pENGfKTfwxt1zUwGug6qEghizxMRDxLvnw4_38tHbx1TIhz_uqVskFyI_R708c3Cm9syCBPLoch
    ..V29aFZN5wfF1HHAsnk93zu80hz8chBeeHg0O3tQ78W.FK9QIRbRS_dQzhSPeGjdsYnHijrRTRL_2u98
    M-", oauth_session_handle="AM_dJkz6EhRZxmNTymlbIYk3XHIvji6r6xHEarV3FOHDsBJnpPP0", oauth_consumer_key="dj0yJmk9R1lVMUR3cjJMNGRQJmQ9WVdrOVJFTm1kV2x3TkRRbWNHbzlNQS0tJnM9Y29uc3VtZXJ
    zZWNyZXQmeD1hMw--", oauth_version="1.0",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1278796634",
    oauth_nonce="211752408",
    oauth_signature="BqDwaMh6BNG1oK7gcgZ3RQv3YLo%3D"

    Here is the signature base string:
    GET&http%3A%2F%2Ffantasysports.yahooapis.com%2Ffantasy%2Fv2%2Fleague%2F238.l.558819%2Fplayers%3Bsearch%3Dde%2520la%2520rosa%3Bout%3Dstats%2Cownership%2Cpercent_owned&format%3Djson%26oauth_consumer_key%3Ddj0yJmk9R1lVMUR3cjJMNGRQJmQ9WVdrOVJFTm1kV2x3TkRRbWNHbzlNQS0tJnM9Y29uc3VtZXJzZW
    NyZXQmeD1hMw--%26oauth_nonce%3D211752408%26oauth_session_handle%3DAM_dJkz6EhRZxmNTymlbIYk3XHIvji6r6xHEarV3FOHDsBJnpPP0%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1278796634%26oauth_token%3DA%253DCtDAoEXAuirnY_umv7TS1Sr.J18w31eT2SIzBiTvpHefgHCgk35..wmxq42as59.YEnobIHbQizp
    kxYFUKdZtFsJg9COABBrSdleRLXIC5R_eHaTCi7XtTU81T6h.8X_O36w_VUlPXBVIQH0h1a.hsMteeUsU
    Nf8ezlXUlSmi5RYNrjsS0Hd3tEHDaU6XT3F1Zn9GrAdHbav2dcXLALBak5amdXtkAuGOSjYfQ_3dUoQrz
    kNa9eMJIBtkUY2KdyohquKAdS6Fas.lnrI35wgu4AzTHoViT1ZzN1w3aWtWjD1wZDqsr7BMDIwMEGXuKz
    zTjX33mZpBa413aR8vNcuz.F5gEYGfjkGcP5uNw1vK_RNjIfzrPRraiY7vdqoJKSP65NeSQnVh73M.Fjm
    1rcurw8RocPaMVtVLnxEHccp_nSe3Ro7eW40s.9vy3UZny7H1QGP3vk2Zy6WF7CpJYBBG.Wb4M4ZIrsI7
    RLc5CE0yomIvpNEx4VRuj8zJIGmfvfVp0WQRzDhRX9sT6HaofzyegjWU7gLk3Mu_E.YZtfNpDknS79jSG
    o1_BR9C0pENGfKTfwxt1zUwGug6qEghizxMRDxLvnw4_38tHbx1TIhz_uqVskFyI_R708c3Cm9syCBPLo
    ch..V29aFZN5wfF1HHAsnk93zu80hz8chBeeHg0O3tQ78W.FK9QIRbRS_dQzhSPeGjdsYnHijrRTRL_2u
    98M-%26oauth_version%3D1.0

    Please note that I am unable to capture the packets, since these errors are occurring on user devices.
  • A little more info: this error seems to be occurring whenever the query string contains a space that has been URL encoded.

    For example:
    GET&http%3A%2F%2Ffantasysports.yahooapis.com%2Ffantasy%2Fv2%2Fleague%2F238.l.558819%2Fplayers%3Bsearch%3Dde%2520la%2520rosa%3Bout%3Dstats%2Cownership%2Cpercent_owned&format%3Djson

    will cause the error, but:

    GET&http%3A%2F%2Ffantasysports.yahooapis.com%2Ffantasy%2Fv2%2Fleague%2F238.l.558819%2Fplayers%3Bsearch%3Dpujols%3Bout%3Dstats%2Cownership%2Cpercent_owned&format%3Djson

    will be accepted.
  • Here is another error using a different http request:


    401 WWW-Authenticate: OAuth oauth_problem="signature_invalid", realm="yahooapis.com"Authorization Required oauth_token="A%3De2hx.o7hnzBqR1_MEforCU.HMRL5IztObvVRePvdRqlxD_5W3xZFbrtybKI9oHsejmDRF7o1ZWxSM4
    f5EDsyz1v06Wt4faij0qav3eokSc0AM1hBR6FAH2LIZsgpYZ2anTNVIhQGWNRsbLW3ah.W.bkwPIH6NH_
    vh8F8bfcmZL2M8IsikmfiGpgnwQQS6838XxoLxkg5L15aKs8ox8s1FKx2_6QVrrn2GzmDRAA81hJ0vj1X
    GIugmSaOZtx09_TWyT0iZmNpL8X0faVY.yaJHzvCq0zvH7ciB3NDXpaDbSMWtuBJegqE5uwFRUHS9Av.x
    JEf2dyB.PckrlV5cUSnbKBVoALfN54n8uKXtBkud4JnPDvXfx26My50iW.LCTulB.kpG_Kn1FjLSdpJLy
    hOf6BZMfxcc9ULnHN_ldw9_cVYQYc5Da7IaDftLncdWqhjbIFXrg9SF0Fty_tszl7kjtF9pZyOcG19PZ5
    bbQ25Mlg93PC58sT0oM8q3TmLG6DfuG2Y59J9Z4.7t9ikGxM8QiIIyxs99NZMgDlKFjGUYjLJyZfWKF7q
    oRqFYhRG8IxvtDabS8Tv714p_xV7CuJ_0re_UgP2VJWNrH1JsC71oAxDCYNA5u3e_iTM7Ks.nIHLQi.h9
    _jRdRLbKN2i6KL5a6UtNNuuBy_7mKEb6Hgb3W9cdYIDdhY8RKiLh9F7F1jRhdk28B94vWw5p1HLEcY_kM
    43", oauth_session_handle="AJ1uNkzVjvecJH5RipdeeCq116FSgKU5k6cU3D87Px3g4CQMEQ--", oauth_consumer_key="dj0yJmk9WFMxWVA3N1FaQ0EwJmQ9WVdrOWNUbHNTREIxTTJVbWNHbzlOelkzT0RRME1UWXkmcz1
    jb25zdW1lcnNlY3JldCZ4PTBm", oauth_version="1.0",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1278787973",
    oauth_nonce="1390475851",
    oauth_signature="%2B77wAb8uvmotbx7tIC1h1F5x6L8%3D"

    Signature Base String: GET&http%3A%2F%2Ffantasysports.yahooapis.com%2Ffantasy%2Fv2%2Fleague%2F238.l.245053%2Fscoreboard%3Bweek%3D14%2Fmatchups&format%3Djson%26oauth_consumer_key%3Ddj0yJmk9WFMxWVA3N1FaQ0EwJmQ9WVdrOWNUbHNTREIxTTJVbWNHbzlOelkzT0RRME1UWXkmcz1jb2
    5zdW1lcnNlY3JldCZ4PTBm%26oauth_nonce%3D1390475851%26oauth_session_handle%3DAJ1uNkzVjvecJH5RipdeeCq116FSgKU5k6cU3D87Px3g4CQMEQ--%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1278787973%26oauth_token%3DA%253De2hx.o7hnzBqR1_MEforCU.HMRL5IztObvVRePvdRqlxD_5W3xZFbrtybKI9oHsejmDRF7o1ZWxS
    M4f5EDsyz1v06Wt4faij0qav3eokSc0AM1hBR6FAH2LIZsgpYZ2anTNVIhQGWNRsbLW3ah.W.bkwPIH6N
    H_vh8F8bfcmZL2M8IsikmfiGpgnwQQS6838XxoLxkg5L15aKs8ox8s1FKx2_6QVrrn2GzmDRAA81hJ0vj
    1XGIugmSaOZtx09_TWyT0iZmNpL8X0faVY.yaJHzvCq0zvH7ciB3NDXpaDbSMWtuBJegqE5uwFRUHS9Av
    .xJEf2dyB.PckrlV5cUSnbKBVoALfN54n8uKXtBkud4JnPDvXfx26My50iW.LCTulB.kpG_Kn1FjLSdpJ
    LyhOf6BZMfxcc9ULnHN_ldw9_cVYQYc5Da7IaDftLncdWqhjbIFXrg9SF0Fty_tszl7kjtF9pZyOcG19P
    Z5bbQ25Mlg93PC58sT0oM8q3TmLG6DfuG2Y59J9Z4.7t9ikGxM8QiIIyxs99NZMgDlKFjGUYjLJyZfWKF
    7qoRqFYhRG8IxvtDabS8Tv714p_xV7CuJ_0re_UgP2VJWNrH1JsC71oAxDCYNA5u3e_iTM7Ks.nIHLQi.
    h9_jRdRLbKN2i6KL5a6UtNNuuBy_7mKEb6Hgb3W9cdYIDdhY8RKiLh9F7F1jRhdk28B94vWw5p1HLEcY_
    kM43%26oauth_version%3D1.0
  • Hi,

    I can generate the same signature base string as you. I'll need to
    check why we get different signatures.

    Thanks,
    Yu Wang
  • QUOTE (omiga @ Jul 12 2010, 04:23 PM)
    Hi,

    I can generate the same signature base string as you. I'll need to
    check why we get different signatures.

    Thanks,
    Yu Wang


    Hi Yu,

    Can you post or send me the signature you generate from this base string? It will help me track down the issue if it is a signature generation problem on my side.
  • QUOTE (joeyjoejoe61 @ Jul 13 2010, 05:24 PM)
    Hi Yu,

    Can you post or send me the signature you generate from this base string? It will help me track down the issue if it is a signature generation problem on my side.


    Hi Yu,

    I have tracked down a certain call that will cause a signature_invalid message every time.

    The consumer secret and token secret used to generate the signature should be fine... After I receive the signature invalid error on the below call, I can still make other API calls successfully.

    Since I can repeat this error I can get access to the rest of the data used in generating the signature. I would like to compare notes here to see if maybe the issue is with my signing code.

    Here is my source code for generating the signature:
        // HMAC key: percent-encoded consumer secret and token secret joined by '&'
        String keyString = OAuth.percentEncode(getConsumerSecret()) + '&'
                + OAuth.percentEncode(getTokenSecret());
        byte[] keyBytes = keyString.getBytes(OAuth.ENCODING);

        javax.crypto.SecretKey key = new SecretKeySpec(keyBytes, MAC_NAME);
        javax.crypto.Mac mac = Mac.getInstance(MAC_NAME);
        mac.init(key);

        // Build the signature base string from the request and its parameters
        sbs = new SignatureBaseString(request, requestParams).generate();

        byte[] text = sbs.getBytes(OAuth.ENCODING);

        // The signature is the Base64 encoding of the MAC over the base string
        return base64Encode(mac.doFinal(text)).trim();




    Here are the details:

    oauth_problem="signature_invalid", realm="yahooapis.com"Authorization Required type is oauth Authorization OAuth oauth_token="A%3DgjU4Wh7uvDaD.M30ZIiMHz3.NU3BBJrmFYEECKUnZYzHHKl1Bixsfj_WUoCPTwr9i3icD.6Z82nawZ
    PWthMxJ9k1wV.Q227oCS87mEk8The03p.yoLBeqKz4Be06jOvKDUZ9uWvw6epO8eipZx.iKVnrIKvoMxB
    W.lCqHHzWR.9ix67q_zaeIkOJmJrs0egiOswG61hDiVXn69LPoX9VnR3BTu1YH1ZYtmwJES7KOC9g1Dad
    ZaXO00usMPZ_BA7j92dNWpkiJsxuLUD5OqMj0hwM11pYmwgBlUtTwsvyY5JCJEovmR1ci..Smb6yqrUYm
    Ao1rmnXvWUACWyh.yd.vGT0SlSkNARY25Bb6Mbsne3Qz_HxJkq4n7vtWuJe9Hk4luz8btXDsissOIxFOl
    i0rp2EV.aklitNeFWjVwcyCcfNen0vL_DhAILyFIE5WSXYmNQ4szo4erqY5ya.bylhxSgOgdW.oNol81A
    eZg6mE8Fn9qL9kwsPr1XRkdxDNZpeXxXu4oE.BT2B2hp0vKGZ9FHKBlw4Ety3TCBCxNyP7EyA9USzn_j.
    7jV5knqg0Qt1Z8Hebk2sqfV4sJPjhnPLIEqTzFLw19UDe8jriRuzde6JFEwZ8gChETurslE9dBwvVTa.Y
    b3yCJ5G51wouPfrrNSD2cdrMNnMrEOAadbgCHyc_9T8l90K6PFOLik91azxqj2M1j.i.IJbLYqJiVlCcj
    Q-", oauth_session_handle="AM_dJkz6EhRZxmNTymlbIYk3XHIvji6r6xHEarV3FOHDsBJnpPP0", oauth_consumer_key="dj0yJmk9R1lVMUR3cjJMNGRQJmQ9WVdrOVJFTm1kV2x3TkRRbWNHbzlNQS0tJnM9Y29uc3VtZXJ
    zZWNyZXQmeD1hMw--", oauth_version="1.0", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1279073399", oauth_nonce="592188752", oauth_signature="JE1qX65IQ5H%2FBuKafdJi4hedUn0%3D" GET&http%3A%2F%2Ffantasysports.yahooapis.com%2Ffantasy%2Fv2%2Fteam%2F242.l.58138.t.9%2Fstats%3Btype%3Dweek%3Bweek%3D1&format%3Djson%26oauth_consumer_key%3Ddj0yJmk9R1lVMUR3cjJMNGRQJmQ9WVdrOVJFTm1kV2x3TkRRbWNHbzlNQS0tJnM9Y29uc3VtZXJzZW
    NyZXQmeD1hMw--%26oauth_nonce%3D592188752%26oauth_session_handle%3DAM_dJkz6EhRZxmNTymlbIYk3XHIvji6r6xHEarV3FOHDsBJnpPP0%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1279073399%26oauth_token%3DA%253DgjU4Wh7uvDaD.M30ZIiMHz3.NU3BBJrmFYEECKUnZYzHHKl1Bixsfj_WUoCPTwr9i3icD.6Z82na
    wZPWthMxJ9k1wV.Q227oCS87mEk8The03p.yoLBeqKz4Be06jOvKDUZ9uWvw6epO8eipZx.iKVnrIKvoM
    xBW.lCqHHzWR.9ix67q_zaeIkOJmJrs0egiOswG61hDiVXn69LPoX9VnR3BTu1YH1ZYtmwJES7KOC9g1D
    adZaXO00usMPZ_BA7j92dNWpkiJsxuLUD5OqMj0hwM11pYmwgBlUtTwsvyY5JCJEovmR1ci..Smb6yqrU
    YmAo1rmnXvWUACWyh.yd.vGT0SlSkNARY25Bb6Mbsne3Qz_HxJkq4n7vtWuJe9Hk4luz8btXDsissOIxF
    Oli0rp2EV.aklitNeFWjVwcyCcfNen0vL_DhAILyFIE5WSXYmNQ4szo4erqY5ya.bylhxSgOgdW.oNol8
    1AeZg6mE8Fn9qL9kwsPr1XRkdxDNZpeXxXu4oE.BT2B2hp0vKGZ9FHKBlw4Ety3TCBCxNyP7EyA9USzn_
    j.7jV5knqg0Qt1Z8Hebk2sqfV4sJPjhnPLIEqTzFLw19UDe8jriRuzde6JFEwZ8gChETurslE9dBwvVTa
    .Yb3yCJ5G51wouPfrrNSD2cdrMNnMrEOAadbgCHyc_9T8l90K6PFOLik91azxqj2M1j.i.IJbLYqJiVlC
    cjQ-%26oauth_version%3D1.0
  • Hi,

    The signature string I generated based on your comment
    (http://developer.yahoo.net/forum/index.php?showtopic=6211&view=findpost&p=16870)
    is 'H8nDtJPcE2bpU0dCnnsCJW/ZQvM='.

    Do you still have the access token secret around to verify? The
    access token secret I use is "d3...aa". I think the likely
    cause is that probably you don't have the right access token
    secret.

    Thanks,
    Yu Wang
  • QUOTE (omiga @ Jul 14 2010, 11:18 AM)
    Hi,

    The signature string I generated based on your comment
    (http://developer.yahoo.net/forum/index.php?showtopic=6211&view=findpost&p=16870)
    is 'H8nDtJPcE2bpU0dCnnsCJW/ZQvM='.

    Do you still have the access token secret around to verify? The
    access token secret I use is "d3...aa". I think the likely
    cause is that probably you don't have the right access token
    secret.

    Thanks,
    Yu Wang


    Hi Yu,

    I don't have the token secret for that particular exchange. I do have other API calls that will consistently generate a signature invalid; I can send you the signature base string, as well as the token secret, for those particular calls. Do you have an email address I could send my token secret to for you to evaluate?
  • Hi,

    You can send it to yuwang AT yahoo-inc.com.

    Thanks,
    Yu Wang
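
The comparison discussed in this thread (same signature base string, different signature) can be reproduced offline. The following is an added example, not code from any poster or from the library used above: it recomputes an OAuth 1.0 HMAC-SHA1 signature and checks it against the `oauth_signature` header value. The class name `SignatureCheck`, the host `api.example.test` and both secrets are constructed, and it assumes the client signed with a token secret the server no longer holds.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class SignatureCheck {
    // RFC 5849 section 3.6: only unreserved characters stay unescaped; a space is %20, never '+'.
    static String percentEncode(String s) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xff);
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            out.append(unreserved ? String.valueOf(c) : String.format("%%%02X", b & 0xff));
        }
        return out.toString();
    }

    // HMAC-SHA1 over the base string, keyed with enc(consumerSecret) + "&" + enc(tokenSecret).
    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        String key = percentEncode(consumerSecret) + "&" + percentEncode(tokenSecret);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }

    // True when the percent-encoded oauth_signature from the header matches a recomputation.
    static boolean matches(String base, String consumerSecret, String tokenSecret, String headerSig)
            throws Exception {
        String sent = URLDecoder.decode(headerSig.replace("+", "%2B"), "UTF-8");
        String expected = sign(base, consumerSecret, tokenSecret);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                sent.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // All values are constructed for illustration; none come from the thread.
        String consumerSecret = "example-consumer-secret";
        String cached = "token-secret-before-refresh", current = "token-secret-after-refresh";
        // The space is escaped once in the URL (%20) and again in the base string (%2520).
        String url = "http://api.example.test/v2/players;search=" + percentEncode("de la rosa");
        String base = "GET&" + percentEncode(url) + "&"
                + percentEncode("format=json&oauth_nonce=1&oauth_timestamp=1");
        String header = percentEncode(sign(base, consumerSecret, cached)); // what the client sent
        System.out.println(base);
        System.out.println("verifies with cached secret:  " + matches(base, consumerSecret, cached, header));
        System.out.println("verifies with current secret: " + matches(base, consumerSecret, current, header));
    }
}
```

If the base string logged on the device equals the one the server rebuilds and the check still fails, the difference is in the key material rather than in parameter encoding.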