Signatures valid unless it's for 3-legged authentication


John Freeman
Feb 12, 2012, 4:05:05 PM
to FatSecret Platform API
TLDR: Used the FatSecret PHP library. ProfileRequestScriptSessionKey
works out of the box. If I change the URL and query parameters (for 3-
legged authentication), but otherwise use the same OAuth
infrastructure for signing, it comes back with "invalid signature".

Are you expecting a different process for signing requests to 3-legged
authentication than to the platform API?

Howdy,

Below I have given what I believe is a complete description of the
problem. I apologize for its length, but I made it as short as
possible.

I spent some time this weekend trying to set up 3-legged
authentication for FatSecret. This is how FatSecret defines their
protocol:

http://platform.fatsecret.com/api/Default.aspx?screen=rapitlsa

My first goal is the first step: get a Request Token. Part of this
process is correctly signing the request according to FatSecret's use
of the OAuth protocol:

http://platform.fatsecret.com/api/Default.aspx?screen=rapiauth#correctly_signing

I tried to use the PHP library that FatSecret provides:

http://platform.fatsecret.com/api/Default.aspx?screen=res

I installed this library and tried the examples. I had to update the
library, changing calls to "split" into calls to "explode" since split
is deprecated in PHP 5.3, which I am using. After that simple step,
however, the examples worked. The requests were signed, their
signatures accepted, and I could get a session key. I isolated one of
the tests for ProfileRequestScriptSessionKey:

$FS = new FatSecretAPI('consumer_key', 'consumer_secret');

// No access token yet: the script-session-key call authenticates a
// user by id with the consumer credentials alone.
$auth = array(
    'user_id' => 'te...@example.com',
    'token'   => NULL,
    'secret'  => NULL,
);

// Filled in by reference by the library call below.
$sessionKey = NULL;
$FS->ProfileRequestScriptSessionKey($auth, null, null, null, false,
    $sessionKey);

This test works, and you can see it run on my site. Each time you
refresh this page, you will see a new session key for an example user
(along with some debugging output):

http://thejohnfreeman.com/fatsecret-php/example/test1.php

I then tried to add a function to the library for obtaining Request
Tokens. I modeled it after the ProfileRequestScriptSessionKey
function:

function GetRequestToken() {
    // Request-token endpoint from the 3-legged instructions; the
    // out-of-band callback is passed as a query parameter.
    $url = 'http://www.fatsecret.com/oauth/request_token?oauth_callback=oob';

    $oauth = new OAuthBase();

    // Both are filled in by reference by GenerateSignature().
    $normalizedUrl = NULL;
    $normalizedRequestParameters = NULL;

    // First leg: there is no token or token secret yet, so both are NULL
    // and the signing key is the consumer secret alone.
    $signature = $oauth->GenerateSignature($url, $this->_consumerKey,
        $this->_consumerSecret, NULL, NULL, $normalizedUrl,
        $normalizedRequestParameters);

    $postString = $normalizedRequestParameters . '&' .
        OAuthBase::$OAUTH_SIGNATURE . '=' . urlencode($signature);

    // Sent the same way ProfileRequestScriptSessionKey sends its request.
    return $this->GetQueryResponse($normalizedUrl, $postString);
}

This is essentially the same function as
ProfileRequestScriptSessionKey, except with a different URL - I used
the one given in the instructions for 3-legged authentication. I
tested it similarly to above:

$FS = new FatSecretAPI('consumer_key', 'consumer_secret');
$reqToken = $FS->GetRequestToken();

For some reason, the signatures for this are considered invalid. You
can see it in action on my site:

http://thejohnfreeman.com/fatsecret-php/example/test2.php

What's the deal here?

John Freeman
Feb 13, 2012, 5:12:59 PM
to FatSecret Platform API
I'm not sure how I missed the fact that there were more than 10
threads in this group. I'm an idiot. I did a search, and the answer to
my problem is that FatSecret's request token URL only accepts GET
requests:

http://groups.google.com/group/fatsecret-platform-api/browse_thread/thread/d4df4f4ee45d4927/2586db712f8887ce

This thread is from March of last year. It was suggested that
FatSecret would eventually support POST for 3-legged authentication.
At the very least, I think the documentation could be easily updated
in the meantime.
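The thread turns on a property of OAuth 1.0 signing that is easy to forget while debugging "invalid signature": the HTTP method is the first component of the signature base string, so a request signed as a POST can never verify against a verifier that reconstructs the base string for a GET, even when the URL, query parameters and secrets are identical. The following is an added example, not code from the thread or from the FatSecret PHP library, written in Python 3 (standard library only) so the signing steps can be run and checked offline. It implements RFC 5849 HMAC-SHA1 signing (percent-encoding, base URL normalization, parameter normalization, base string, key derivation) and a toy server-side verifier, then signs the request-token call from the thread twice, once as GET and once as POST, and verifies both as GET. The consumer key and secret, nonce and timestamp are constructed values, and the verifier models the mechanism by which a method mismatch produces a signature failure; it does not claim to reproduce FatSecret's server beyond what the thread states (the endpoint accepted only GET).

```python
"""OAuth 1.0a HMAC-SHA1 signing per RFC 5849, showing that the HTTP method
is bound into the signature.  Added example; not code from the thread or
from the FatSecret PHP library.  Consumer key/secret, nonce and timestamp
used below are constructed values."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Endpoint from the thread.  The oob callback rides in the query string and
# therefore becomes part of the signed parameter set.
REQUEST_TOKEN_URL = "http://www.fatsecret.com/oauth/request_token?oauth_callback=oob"


def percent_encode(value: str) -> str:
    """RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay unescaped."""
    return quote(value, safe="-._~")


def normalize_url(url: str) -> str:
    """Lowercase scheme and host, drop the default port, strip query and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalized_params(params) -> str:
    """Encode every key and value, sort by (key, value), join as k=v&k=v."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, params) -> str:
    """METHOD & enc(base URL) & enc(normalized params); oauth_signature is excluded."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    all_params = list(query) + [(k, v) for k, v in params if k != "oauth_signature"]
    return "&".join([
        method.upper(),
        percent_encode(normalize_url(url)),
        percent_encode(normalized_params(all_params)),
    ])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is enc(consumer_secret)&enc(token_secret); the token secret is empty on leg 1."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    digest = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, oauth_params, consumer_secret, token_secret=""):
    """Client side: signature over the base string for the method it will send."""
    base = signature_base_string(method, url, oauth_params)
    return hmac_sha1_signature(base, consumer_secret, token_secret)


def verify_request(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute using the method the request actually arrived with."""
    supplied = dict(params).get("oauth_signature")
    if supplied is None:
        return False
    expected = sign_request(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def request_token_params(consumer_key, nonce, timestamp):
    """oauth_* parameters for the first leg; there is no oauth_token yet."""
    return [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", timestamp),
        ("oauth_version", "1.0"),  # optional in RFC 5849
    ]


def simulate_request_token(client_method, server_method, consumer_key="consumer_key",
                           consumer_secret="consumer_secret", nonce="abc123",
                           timestamp="1329062705"):
    """Client signs for client_method; the server verifies as server_method."""
    params = request_token_params(consumer_key, nonce, timestamp)
    sig = sign_request(client_method, REQUEST_TOKEN_URL, params, consumer_secret)
    sent = params + [("oauth_signature", sig)]
    return verify_request(server_method, REQUEST_TOKEN_URL, sent, consumer_secret)


if __name__ == "__main__":
    print("signed GET, verified as GET :", simulate_request_token("GET", "GET"))
    print("signed POST, verified as GET:", simulate_request_token("POST", "GET"))
```

When a server answers "invalid signature", the practical check is to reconstruct the base string on both sides and compare them textually before looking at the HMAC; the method, the query parameters folded into the parameter set, and the `&`-joined key with an empty token secret are the three places a first-leg request usually diverges.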