"401 unauthorized" when I try to get access_token


zed

Jul 28, 2010, 3:45:43 PM
to Etsy API V2


I am very new to OAuth and I am having some problems getting the
access_token


this is the URL that my application uses and I got "401 unauthorized":

http://openapi.etsy.com/v2/sandbox/oauth/access_token?oauth_consumer_key=mykey&oauth_nonce=E0C815BCAEA4F89D6C02287D968B2D66&oauth_signature_method=HMAC-SHA1&oauth_signature=EA3NeBK64tU24Te3flyw0tZUH9c%3D&oauth_timestamp=1280344760&oauth_token=mytoken&oauth_verifier=PIN&oauth_version=1.0




My application is desktop, so, the PIN Value was entered just after
the user allowed the application.

"You've granted EstyTool permission to connect to your account! Please
return to the application and enter the following verification code:

xxxxxx


I tried to put a trailer after the PIN NUMBER, as I heard in this
forum.. but no luck.

In the docs, says:

"Note: There is a small window of time between obtaining a request
token, and authorizing it against a user's account. If this window is
exceeded, you will need to restart the OAuth process."

I hope this isn't too short, it will be nice to know the size of this
window...



I am using oAuth for Delphi, it is very good:
http://chuckbeasley.com/index.php/2009/04/29/using-oauth-for-delphi/

But his class doesn't have oauth_verifier, I did it myself, maybe this
is the problem.


Can someone help me?

zed

Jul 29, 2010, 1:25:15 PM
to Etsy API V2


I was looking at myAccount on Etsy dev, and the Top "5 Error
Response Codes" I am having are:

401 Invalid signature
403 ERR_403_NOT_AUTHORIZED
401 Invalid or Expired Token

The exception at my app is only showing "401 unauthorized".






On Jul 28, 4:45 pm, zed <dht.siste...@gmail.com> wrote:
> I am very new to OAuth and I am having some problems getting the
> access_token
>
> this is the URL that my application uses and I got "401 unauthorized":
>
> http://openapi.etsy.com/v2/sandbox/oauth/access_token?oauth_consumer_...

zed

Aug 4, 2010, 8:54:13 PM
to Etsy API V2

Can someone take a look at what I am sending ( access_token ) and I am
getting an invalid signature.


GET /v2/sandbox/oauth/access_token?
oauth_consumer_key=mykey&oauth_nonce=424B77458BA3615E2E690EBD8FFAEEC0&oauth_signature_method=HMAC-
SHA1&oauth_signature=WG8VIBnP%2BzpnoVgukLni3fvCHcQ
%3D&oauth_timestamp=1280969308&oauth_token=cvt5jbxakxqhn7xagr47h6bv&oauth_verifier=6f6560aa&oauth_version=1.0
HTTP/1.1<EOL>Host:
openapi.etsy.com<EOL>Accept: text/html, */*<EOL>Accept-Encoding:
identity<EOL>User-Agent: Mozilla/3.0 (compatible; Indy
Library)<EOL><EOL>



HTTP/1.1 401 Unauthorized<EOL>X-Mashery-Responder: proxyworker-
i-6866f301.mashery.com<EOL>X-Mashery-Error-Code:
ERR_401_INVALID_SIGNATURE<EOL>Content-Type: text/xml<EOL>Accept-
Ranges: bytes<EOL>Content-Length: 30<EOL>Date: Thu, 05 Aug 2010
00:48:28 GMT<EOL>Server: Mashery Proxy<EOL><EOL><h1>401 Invalid
Signature</h1>



Thanks.

Zed

Eric (etsykit)

Aug 4, 2010, 9:57:52 PM
to etsy-...@googlegroups.com
Zed I don't think the request you've posted can be grossly identified
as malformed. The most likely cause of an invalid signature is likely
to be logical errors in the creation and/or encryption of the signature
base string, which isn't really something you can spot visually once the
request is made.

The best approach is to review the OAuth spec starting at
http://oauth.net/core/1.0a/#anchor43 and compare each step of the token
request process against the actions of your code, especially the part
about creating signatures. The OAuth spec explains exactly what you
must do and provides examples, so it's really a very good reference.

In particular I would check these things:

Make sure the parameters are being alphabetically ordered when creating
the signature base string

Make sure the signature base string gets URL encoded prior to encryption

Make sure the correct secrets are being used in the correct order when
encrypting the base string

Follow the spec through the request creation process and you'll probably
locate the error along the way.

Eric

GraGra33

Aug 4, 2010, 10:17:23 PM
to Etsy API V2
Are you having any success with public methods?

You haven't explained exactly what you're attempting to do...

'access_token' is used in a multi step process to obtain a private
user Token & TokenSecret set of keys... Do you have success in calling
'request_token'?

zed

Aug 5, 2010, 7:00:31 AM
to Etsy API V2

On Aug 4, 23:17, GraGra33 <gragr...@gmail.com> wrote:
> Are you having any success with public methods?
Public Methods don't need the OAuth authentication? I will take a
look at them in the docs, but I thought to use Etsy API v2 I need
OAuth.

> You haven't explained exactly what you're attempting to do...

I am following the specs ( I think so ), step 1 - request_token OK ,
step 2 - access_token Failed


> 'access_token' is used in a multi step process to obtain a private
> user Token & TokenSecret set of keys... Do you have success in calling
> 'request_token'?


The first step, request_token I got it done successfully

Stat Connected.
Sent 8/4/2010 9:48:10 PM: GET /v2/sandbox/oauth/request_token?
oauth_consumer_key=myKEY&oauth_nonce=20D6EB0D8492DCF76779795FEB15E7EB&oauth_signature_method=HMAC-
SHA1&oauth_signature=7sN8kFknVElUQeGJuz%2BjLhA4jIM
%3D&oauth_timestamp=1280969289&oauth_version=1.0 HTTP/1.1<EOL>Host:
openapi.etsy.com<EOL>Accept: text/html, */*<EOL>Accept-Encoding:
identity<EOL>User-Agent: Mozilla/3.0 (compatible; Indy
Library)<EOL><EOL>
Recv 8/4/2010 9:48:10 PM: HTTP/1.1 200 OK<EOL>X-Mashery-Responder:
proxyworker-i-6f66f306.mashery.com<EOL>Content-Type: text/
plain<EOL>Accept-Ranges: bytes<EOL>Content-Length: 182<EOL>Date: Thu,
05 Aug 2010 00:48:10 GMT<EOL>Server: Mashery
Proxy<EOL><EOL>oauth_token=cvt5jbxakxqhn7xagr47h6bv&oauth_token_secret=AwQ9bVf25jm3&oauth_consumer_key=myKEY&oauth_callback=&login_url=https
%3A%2F%2Fwww.etsy.com%2Foauth%2Fsignin
Stat Disconnected.


This is the access_token, for which I am receiving invalid signature

Stat Connected.
Sent 8/4/2010 9:48:28 PM: GET /v2/sandbox/oauth/access_token?
oauth_consumer_key=myKEY&oauth_nonce=424B77458BA3615E2E690EBD8FFAEEC0&oauth_signature_method=HMAC-
SHA1&oauth_signature=WG8VIBnP%2BzpnoVgukLni3fvCHcQ
%3D&oauth_timestamp=1280969308&oauth_token=cvt5jbxakxqhn7xagr47h6bv&oauth_verifier=6f6560aa&oauth_version=1.0
HTTP/1.1<EOL>Host: openapi.etsy.com<EOL>Accept: text/html, */
*<EOL>Accept-Encoding: identity<EOL>User-Agent: Mozilla/3.0
(compatible; Indy Library)<EOL><EOL>
Recv 8/4/2010 9:48:28 PM: HTTP/1.1 401 Unauthorized<EOL>X-Mashery-
Responder: proxyworker-i-6866f301.mashery.com<EOL>X-Mashery-Error-
Code: ERR_401_INVALID_SIGNATURE<EOL>Content-Type: text/xml<EOL>Accept-
Ranges: bytes<EOL>Content-Length: 30<EOL>Date: Thu, 05 Aug 2010
00:48:28 GMT<EOL>Server: Mashery Proxy<EOL><EOL><h1>401 Invalid
Signature</h1>


So, I can request the token, but can't access it. My application is
desktop.

Thanks,
Zed.




zed

Aug 5, 2010, 9:41:06 AM
to Etsy API V2


On Aug 4, 22:57, "Eric (etsykit)" <e...@etsykit.com> wrote:
>   Zed I don't think the request you've posted can be grossly identified
> as malformed.  The most likely cause of an invalid signature is likely
> to be logical errors in the creation and/or encryption of the signature
> base string, which isn't really something you can spot visually once the
> request is made.
>
> The best approach is to review the OAuth spec starting at http://oauth.net/core/1.0a/#anchor43 and compare each step of the token
> request process against the actions of your code, especially the part
> about creating signatures.  The OAuth spec explains exactly what you
> must do and provides examples, so it's really a very good reference.
>
> In particular I would check these things:
>
> Make sure the parameters are being alphabetically ordered when creating
> the signature base string
>
> Make sure the signature base string gets URL encoded prior to encryption
>
> Make sure the correct secrets are being used in the correct order when
> encrypting the base string
>
> Follow the spec through the request creation process and you'll probably
> locate the error along the way.
>
> Eric
>

Eric,

I checked the order, and oAuth_version is the last one, so after I
changed it, I got a different error. I think the signature now is ok.


I am reading the specs as you told me.

This is what I have now: ERR_403_NOT_AUTHORIZED



Stat Connected.
Sent 8/5/2010 10:32:07 AM: GET /v2/sandbox/oauth/access_token?
oauth_consumer_key=myKey&oauth_nonce=E1288B733D02EC478C331F80F5223D6F&oauth_signature_method=HMAC-
SHA1&oauth_signature=KCvNM8aUTtme7QkdNxr%2F82GJYqM
%3D&oauth_timestamp=1281015126&oauth_token=czusaghg7hg9uhdj62zpfs5t&oauth_version=1.0
HTTP/1.1<EOL>Host: openapi.etsy.com<EOL>Accept: text/html, */
*<EOL>Accept-Encoding: identity<EOL>User-Agent: Mozilla/3.0
(compatible; Indy Library)<EOL><EOL>

Recv 8/5/2010 10:32:07 AM: HTTP/1.1 403 Forbidden<EOL>X-Mashery-
Responder: proxyworker-i-3966f350.mashery.com<EOL>X-Mashery-Error-
Code: ERR_403_NOT_AUTHORIZED<EOL>Content-Type: text/xml<EOL>Accept-
Ranges: bytes<EOL>Content-Length: 27<EOL>Date: Thu, 05 Aug 2010
13:32:08 GMT<EOL>Server: Mashery Proxy<EOL><EOL><h1>403 Not
Authorized</h1>



I don't know why I am getting this "403 Not Authorized" ....

I did a test ... waiting longer to access the token I got
"Proxy<EOL><EOL><h1>401 Invalid Or Expired Token</h1>"




Thank you,

Zed.

Eric (etsykit)

Aug 5, 2010, 10:18:58 AM
to etsy-...@googlegroups.com
Zed I think you have 1 more bug related to adding oauth_verifier to your
delphi library. You have fixed the first bug (when you added
oauth_verifier the first time, you originally added it to the end of the
parameter list (after oauth_version) which broke the alphabetical order
& broke your signature base string).

Now the bug you have is, you are not including the verifier in the
request for the access token, so you need to add it there as well. This
is probably why you are getting a not authorized.

If you wait too long to send the request, I think it makes sense that
the token would expire; that scenario sounds like it is by design.

Eric

zed

Aug 6, 2010, 7:47:32 AM
to Etsy API V2

Eric,

After some tests I realize that if I don't send the oAuth_verifier I
got ERR_403_NOT_AUTHORIZED. Ok I fixed it.

With the oAuth_verifier, in the alphabetical order, I got
ERR_401_INVALID_SIGNATURE


I am still reading the specs and trying to figure it out.

Below is the send/rec. log.

Thanks,

Zed.


Stat Connected.
Sent 8/6/2010 8:31:38 AM: GET /v2/sandbox/oauth/request_token?
oauth_consumer_key=mykey&oauth_nonce=136EC1EE86D67A3B3E92C73EDDCA6FA5&oauth_signature_method=HMAC-
SHA1&oauth_signature=94vVjXm1%2Bgd5S8PVlxR5GACcHls
%3D&oauth_timestamp=1281094296&oauth_version=1.0 HTTP/1.1<EOL>Host:
openapi.etsy.com<EOL>Accept: text/html, */*<EOL>Accept-Encoding:
identity<EOL>User-Agent: Mozilla/3.0 (compatible; Indy
Library)<EOL><EOL>
Recv 8/6/2010 8:31:38 AM: HTTP/1.1 200 OK<EOL>X-Mashery-Responder:
proxyworker-i-6f66f306.mashery.com<EOL>Content-Type: text/
plain<EOL>Accept-Ranges: bytes<EOL>Content-Length: 182<EOL>Date: Fri,
06 Aug 2010 11:31:42 GMT<EOL>Server: Mashery
Proxy<EOL><EOL>oauth_token=cq2yym6xgfjpxccv28n34yve&oauth_token_secret=zGPqvj58XxBS&oauth_consumer_key=myKey&oauth_callback=&login_url=https
%3A%2F%2Fwww.etsy.com%2Foauth%2Fsignin
Stat Disconnected.
Stat Connected.
Sent 8/6/2010 8:31:58 AM: GET /v2/sandbox/oauth/access_token?
oauth_consumer_key=myKey&oauth_nonce=F66F93A2DC2A86AD8FE1EADA83CA7371&oauth_signature_method=HMAC-
SHA1&oauth_signature=srIe39isiJ6paBYAQNKHa%2Fhbmuo
%3D&oauth_timestamp=1281094318&oauth_token=cq2yym6xgfjpxccv28n34yve&oauth_version=1.0&oauth_verifier=cb852a83
HTTP/1.1<EOL>Host: openapi.etsy.com<EOL>Accept: text/html, */
*<EOL>Accept-Encoding: identity<EOL>User-Agent: Mozilla/3.0
(compatible; Indy Library)<EOL><EOL>
Recv 8/6/2010 8:31:58 AM: HTTP/1.1 401 Unauthorized<EOL>X-Mashery-
Responder: proxyworker-i-5f66f336.mashery.com<EOL>X-Mashery-Error-
Code: ERR_401_INVALID_SIGNATURE<EOL>Content-Type: text/xml<EOL>Accept-
Ranges: bytes<EOL>Content-Length: 30<EOL>Date: Fri, 06 Aug 2010
11:32:02 GMT<EOL>Server: Mashery Proxy<EOL><EOL><h1>401 Invalid
Signature</h1>

Eric (etsykit)

Aug 6, 2010, 8:31:02 AM
to etsy-...@googlegroups.com
I could be missing something but your requests look OK to me.

It raises suspicion that the query string is not ordered:

&oauth_version=1.0
&oauth_verifier=cb852a83

It's OK to send an unordered query to the API; no matter the order, your
library should construct a signature base string from a sorted copy of
those parameters. You might want to verify that.

zed

Aug 6, 2010, 9:11:08 AM
to Etsy API V2

Eric,

I changed the order, and got the same error:

I have a doubt about callback URL, as my application is a desktop, I
am using this 'http://www.chuckbeasley.com' , is that ok ?

I am using GET, but at the oAuth specs, I have seen POST for access
token:
"https://photos.example.net/access_token, using HTTP POST"


I have the weekend to have fun with it.

Thanks,




New LOG, with the order change:


Stat Connected.
Sent 8/6/2010 9:47:16 AM: GET /v2/sandbox/oauth/request_token?
oauth_consumer_key=MyKey&oauth_nonce=E084ED8379EC163CD7DD4E81DEDCB30F&oauth_signature_method=HMAC-
SHA1&oauth_signature=0BGph7Gj209wChcOH0t9zAxutaQ
%3D&oauth_timestamp=1281098835&oauth_version=1.0 HTTP/1.1<EOL>Host:
openapi.etsy.com<EOL>Accept: text/html, */*<EOL>Accept-Encoding:
identity<EOL>User-Agent: Mozilla/3.0 (compatible; Indy
Library)<EOL><EOL>
Recv 8/6/2010 9:47:16 AM: HTTP/1.1 200 OK<EOL>X-Mashery-Responder:
proxyworker-i-4e75c627.mashery.com<EOL>Content-Type: text/
plain<EOL>Accept-Ranges: bytes<EOL>Content-Length: 182<EOL>Date: Fri,
06 Aug 2010 12:47:20 GMT<EOL>Server: Mashery
Proxy<EOL><EOL>oauth_token=79gthxkmfzcwww6kfbsann9a&oauth_token_secret=pPRPu9MRJQpX&oauth_consumer_key=MyKey&oauth_callback=&login_url=https
%3A%2F%2Fwww.etsy.com%2Foauth%2Fsignin
Stat Disconnected.
Stat Connected.
Sent 8/6/2010 9:47:29 AM: GET /v2/sandbox/oauth/access_token?
oauth_consumer_key=MyKey&oauth_nonce=084AF4B4C38B0BDB0FECAC2B859E7427&oauth_signature_method=HMAC-
SHA1&oauth_signature=b6ZPGTKco%2FsmbvVI1agkg%2BLNOSI
%3D&oauth_timestamp=1281098849&oauth_token=79gthxkmfzcwww6kfbsann9a&oauth_verifier=3ccbfba9&oauth_version=1.0
HTTP/1.1<EOL>Host: openapi.etsy.com<EOL>Accept: text/html, */
*<EOL>Accept-Encoding: identity<EOL>User-Agent: Mozilla/3.0
(compatible; Indy Library)<EOL><EOL>
Recv 8/6/2010 9:47:29 AM: HTTP/1.1 401 Unauthorized<EOL>X-Mashery-
Responder: proxyworker-i-d43825bc.mashery.com<EOL>X-Mashery-Error-
Code: ERR_401_INVALID_SIGNATURE<EOL>Content-Type: text/xml<EOL>Accept-
Ranges: bytes<EOL>Content-Length: 30<EOL>Date: Fri, 06 Aug 2010
12:47:33 GMT<EOL>Server: Mashery Proxy<EOL><EOL><h1>401 Invalid
Signature</h1>







Eric (etsykit)

Aug 6, 2010, 9:33:25 AM
to etsy-...@googlegroups.com
If you're in a scenario where callback can't be used, you're supposed to set the value to 'oob', as directed by the OAuth spec:

"If the Consumer is unable to receive callbacks or a callback URL has been established via other means, the parameter value MUST be set to oob (case sensitive), to indicate an out-of-band configuration."

So you should do that.  But I don't think that is the cause of your signature problem.

I think your oauth library's original lack of verifier support is the problem here.  When you exclude the verifier, your signature is valid.  But when you include the verifier, it breaks the signature.  The only time you ever include the verifier is when requesting access, so everything works until then.  It's as if your oauth library has a hard-coded signature creation process that was never taught how to include the verifier.  So it just ignores it.  That's my guess.

zed

Aug 6, 2010, 4:42:29 PM
to Etsy API V2
Eric,



> I think your oauth library's original lack of verifier support is the problem here.  When you exclude the verifier, your signature is valid.  But when you include the verifier, it breaks the signature.  The only time you ever include the verifier is when requesting access, so everything works until then.  It's as if your oauth library has a hard-coded signature creation process that was never taught how to include the verifier.  So it just ignores it.  That's my guess.

That's true, I thought the signing process uses all parameters, but
after some debugging I realize it only uses consumer secret and token
secret, this works fine in the first step ( request_token ).



    if Token <> nil then
    begin
      consec := TOAuthUtil.urlEncodeRFC3986(Consumer.Secret);
      toksec := TOAuthUtil.urlEncodeRFC3986(Token.Secret);
      consec := consec + '&' + toksec;
      Result := Base64Encode(EncryptHMACSha1(Request.BaseString, consec))
    end


I changed to:

    if Token <> nil then
    begin
      consec := TOAuthUtil.urlEncodeRFC3986(Consumer.Secret);
      toksec := TOAuthUtil.urlEncodeRFC3986(Token.Secret);
      verifsec := TOAuthUtil.urlEncodeRFC3986(Token.Verifier);
      consec := consec + '&' + toksec + '&' + verifsec;
      Result := Base64Encode(EncryptHMACSha1(Request.BaseString, consec))
    end


I don't know where to insert the verifier, but this ( consec + '&' +
toksec + '&' + verifsec ), didn't work.

I only need to know how to put this verifier into this code above.

Here you have the whole unit:
http://oauthdelphi.svn.sourceforge.net/viewvc/oauthdelphi/OAuth.pas?revision=2&content-type=text%2Fplain

Any idea?

Thanks,

Zed.

Eric (etsykit)

Aug 6, 2010, 5:43:43 PM
to etsy-...@googlegroups.com
Wow I've never looked at Delphi before but here goes... I think you
need to change 3 things.

1. I think you need to put your oauth_verifier into that FParameters list.

2. In the TOAuthRequest.Sign_Request procedure, it looks like
FParameters.Sort was commented out? It seems like you should put that
back in, so that FParameters gets sorted prior to signing.

3. I think this code that you changed was correct to begin with; so
change it back to this:

consec := consec + '&' + toksec;


That's about all I can figure out without becoming a Delphi programmer :P
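
The signing rule this thread converges on, as an added Python example that is not part of the original posts or of the Delphi library: oauth_verifier is one more parameter in the sorted signature base string, while the HMAC-SHA1 key stays consumer_secret&token_secret. The token, token secret, nonce, timestamp and verifier are copied from the Aug 6 log above; the consumer secret is a placeholder (the page never shows it), and all function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """Percent-encode per OAuth Core 1.0a section 5.1 (unreserved chars stay)."""
    return quote(str(value), safe="~")


def base_string(method, url, params, sort=True):
    """METHOD & encoded URL & encoded normalized parameters (section 9.1)."""
    pairs = [(pct(k), pct(v)) for k, v in params.items()
             if k != "oauth_signature"]
    if sort:  # sort=False reproduces the "verifier appended last" bug
        pairs.sort()
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def signing_key(consumer_secret, token_secret=""):
    """HMAC-SHA1 key: exactly two encoded secrets joined by '&' (section 9.2)."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def hmac_sha1(base, key):
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign(method, url, params, consumer_secret, token_secret=""):
    return hmac_sha1(base_string(method, url, params),
                     signing_key(consumer_secret, token_secret))


URL = "http://openapi.etsy.com/v2/sandbox/oauth/access_token"
CONSUMER_SECRET = "PLACEHOLDER_CONSUMER_SECRET"  # assumption: not on the page
TOKEN_SECRET = "zGPqvj58XxBS"                    # from the request_token reply
ACCESS_PARAMS = {                                # query order as sent on Aug 6
    "oauth_consumer_key": "myKey",
    "oauth_nonce": "F66F93A2DC2A86AD8FE1EADA83CA7371",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1281094318",
    "oauth_token": "cq2yym6xgfjpxccv28n34yve",
    "oauth_version": "1.0",
    "oauth_verifier": "cb852a83",
}


def compare_variants():
    """Sign the same request the right way and with each bug from the thread."""
    key = signing_key(CONSUMER_SECRET, TOKEN_SECRET)
    no_verifier = {k: v for k, v in ACCESS_PARAMS.items()
                   if k != "oauth_verifier"}
    return {
        "correct": sign("GET", URL, ACCESS_PARAMS, CONSUMER_SECRET, TOKEN_SECRET),
        "unsorted_base_string": hmac_sha1(
            base_string("GET", URL, ACCESS_PARAMS, sort=False), key),
        "verifier_not_signed": hmac_sha1(
            base_string("GET", URL, no_verifier), key),
        "verifier_in_key": hmac_sha1(
            base_string("GET", URL, ACCESS_PARAMS),
            key + "&" + pct(ACCESS_PARAMS["oauth_verifier"])),
    }


if __name__ == "__main__":
    for name, signature in compare_variants().items():
        print(f"{name:22} {signature}")
```

Only the "correct" variant is what a server recomputes; each of the other three yields a different signature for the same request, which is why the server rejects it as an invalid signature.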
