TLDR: Used the FatSecret PHP library. ProfileRequestScriptSessionKey
works out of the box. If I change the URL and query parameters (for
3-legged authentication), but otherwise use the same OAuth
infrastructure for signing, it comes back with "invalid signature".
Are you expecting a different process for signing requests to 3-legged
authentication than to the platform API?

Howdy,

Below I have given what I believe is a complete description of the
problem. I apologize for its length, but I made it as short as
possible.

I spent some time this weekend trying to set up 3-legged
authentication for FatSecret. This is how FatSecret defines their
protocol:
http://platform.fatsecret.com/api/Default.aspx?screen=rapitlsa

My first goal is the first step: get a Request Token. Part of this
process is correctly signing the request according to FatSecret's use
of the OAuth protocol:
http://platform.fatsecret.com/api/Default.aspx?screen=rapiauth#correctly_signing

I tried to use the PHP library that FatSecret provides:
http://platform.fatsecret.com/api/Default.aspx?screen=res

I installed this library and tried the examples. I had to update the
library, changing calls to "split" into calls to "explode" since split
is deprecated in PHP 5.3, which I am using. After that simple step,
however, the examples worked. The requests were signed, their
signatures accepted, and I could get a session key. I isolated one of
the tests for ProfileRequestScriptSessionKey:

    $FS = new FatSecretAPI('consumer_key', 'consumer_secret');
    $auth = array(
        'user_id' => 'te...@example.com',
        'token' => NULL,
        'secret' => NULL,
    );
    $sessionKey;
    $FS->ProfileRequestScriptSessionKey($auth, null, null, null, false,
        $sessionKey);

This test works, and you can see it run on my site. Each time you
refresh this page, you will see a new session key for an example user
(along with some debugging output):
http://thejohnfreeman.com/fatsecret-php/example/test1.php

I then tried to add a function to the library for obtaining Request
Tokens. I modeled it after the ProfileRequestScriptSessionKey
function:

    function GetRequestToken() {
        $url = 'http://www.fatsecret.com/oauth/request_token?oauth_callback=oob';
        $oauth = new OAuthBase();
        $normalizedUrl;
        $normalizedRequestParameters;
        $signature = $oauth->GenerateSignature($url, $this->_consumerKey,
            $this->_consumerSecret, NULL, NULL, $normalizedUrl,
            $normalizedRequestParameters);
        $postString = $normalizedRequestParameters . '&' .
            OAuthBase::$OAUTH_SIGNATURE . '=' . urlencode($signature);
        return $this->GetQueryResponse($normalizedUrl, $postString);
    }

This is essentially the same function as
ProfileRequestScriptSessionKey, except with a different URL - I used
the one given in the instructions for 3-legged authentication. I
tested it similarly to above:

    $FS = new FatSecretAPI('consumer_key', 'consumer_secret');
    $reqToken = $FS->GetRequestToken();

For some reason, the signatures for this are considered invalid. You
can see it in action on my site:
http://thejohnfreeman.com/fatsecret-php/example/test2.php

What's the deal here?
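
A reference point for debugging the signature, added here as an example and not part of the original post or of the FatSecret library: a standalone signer that follows the standard OAuth 1.0 (RFC 5849) HMAC-SHA1 rules and prints the signature base string for the request-token URL from the post. It assumes the endpoint follows those standard rules and that the request is sent as POST; the function names, nonce and timestamp are made up for illustration.

```php
<?php
// RFC 3986 percent-encoding as OAuth 1.0 requires ('~' stays literal).
function oauth_encode($s) {
    return str_replace('%7E', '~', rawurlencode($s));
}
// Signature base string: METHOD & enc(base URL) & enc(sorted parameters).
function oauth_base_string($method, $url, array $oauthParams) {
    $u = parse_url($url);
    // Base URL: scheme, host, path only (default port assumed); no query string.
    $baseUrl = strtolower($u['scheme']) . '://' . strtolower($u['host'])
             . (isset($u['path']) ? $u['path'] : '/');
    $pairs = array();
    // Query parameters such as oauth_callback are signed with the oauth_* ones.
    $query = isset($u['query']) ? explode('&', $u['query']) : array();
    foreach ($query as $kv) {
        if ($kv === '') continue;
        $kv = explode('=', $kv, 2);
        $pairs[] = array(oauth_encode(urldecode($kv[0])),
                         oauth_encode(urldecode(isset($kv[1]) ? $kv[1] : '')));
    }
    foreach ($oauthParams as $k => $v) {
        $pairs[] = array(oauth_encode($k), oauth_encode($v));
    }
    // Sort by encoded name, then by encoded value, in byte order.
    usort($pairs, function ($a, $b) {
        return strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]);
    });
    $joined = array_map(function ($p) { return $p[0] . '=' . $p[1]; }, $pairs);
    return strtoupper($method) . '&' . oauth_encode($baseUrl)
         . '&' . oauth_encode(implode('&', $joined));
}

function oauth_sign($baseString, $consumerSecret, $tokenSecret = '') {
    // The key always contains '&', even with no token secret (request-token step).
    $key = oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

// Constructed sample values; only the URL is from the post. POST is an assumption.
$params = array(
    'oauth_consumer_key'     => 'consumer_key',
    'oauth_nonce'            => 'constructed-nonce',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => '1300000000',
    'oauth_version'          => '1.0',
);
$url  = 'http://www.fatsecret.com/oauth/request_token?oauth_callback=oob';
$base = oauth_base_string('POST', $url, $params);
echo $base, "\n", oauth_sign($base, 'consumer_secret'), "\n";
```

Feeding it the same nonce and timestamp that the library used, and comparing the printed base string with the one the library signs, shows which component (method, base URL, or parameter list) differs.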