HELP: Invalid signature when obtaining a request token


Andong

Mar 31, 2011, 1:00:24 PM
to FatSecret Platform API
I am working on a toolkit to remind fatsecret users to input their
dietary intake on an Android phone. So the first thing I need to do is to
implement the 3-legged OAuth authentication. However, I get the
invalid signature error when obtaining a request token.

Basically, I use the fatsecretapi to sign the baseString. The only thing I've
modified is to add one line that adds the callback url in the
generateSignature function:

parameters.put(OAUTH_CALLBACK, callbackUrl);

An example of the baseString I got is:

POST&http%3A%2F%2Fwww.fatsecret.com%2Foauth%2Frequest_token&oauth_callback%3Dandroidhealth%253A%252F%252Fcom.health.addDataStore%252F%26oauth_consumer_key%3Dd37e0bb2199a4505a397171f701e3273%26oauth_nonce%3De697f5ae2e0a44f2a012e70a7a1cae51%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1301590491%26oauth_version%3D1.0


To sign it, the key I used is

String secret = consumerSecret + "&";

An example of the signature is

Gq5JzFL+0ehcxK+OrwH03Sg9sQ4=

Based on that, I post the url, e.g.

url = result.getNormalizedUrl() + "?" + result.getNormalizedRequestParameters() + "&" + "oauth_signature" + "=" + URLEncoder.encode(result.getSignature(), "utf-8");

url: http://www.fatsecret.com/oauth/request_token?oauth_callback=androidhealth%3A%2F%2Fcom.health.addDataStore%2F&oauth_consumer_key=d37e0bb2199a4505a397171f701e3273&oauth_nonce=e697f5ae2e0a44f2a012e70a7a1cae51&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1301590491&oauth_version=1.0&oauth_signature=tInl7W8oEBO1a5d7pT3EEzW6SQY%3D


And then the error returns:
400 bad request
invalid signature: tInl7W8oEBO1a5d7pT3EEzW6SQY%3D

I tried to find the bug but failed. So can anyone help me on this?

Sincerely,
Andong

Len

Mar 31, 2011, 9:12:04 PM
to FatSecret Platform API
Hi Andong,

On the surface that signature looks OK. Is it possible that you're
posting additional form data that hasn't been included in the
signature, or that you're sending a GET instead of a POST?

We'll have a further look into it at our end.

I'm sure users will appreciate what you're doing, so thanks for your
patience.

Len

John

Mar 31, 2011, 11:25:22 PM
to FatSecret Platform API
Hi Andong,

It looks like we have a problem on our end (related to our server
configuration). At present our 3-Legged OAuth request token and auth
token URLs (i.e. http://www.fatsecret.com/oauth/request_token and
http://www.fatsecret.com/oauth/access_token) are only supporting the
HTTP GET method.

We’ll work to get POSTs working as documented. If you wouldn't mind
please use the HTTP GET method at this stage.

Please note that HTTP POSTs are fine to use with other API requests –
it is only the 3-Legged URLs that are having the issue.

Could you please confirm what Content Type you use when you try to
submit using HTTP POST? Is it "application/x-www-form-urlencoded"?

John
The FatSecret Platform Team

Andong

Apr 1, 2011, 8:34:37 PM
to FatSecret Platform API
Thanks all,

I changed to GET and passed the first step -- obtaining the request
token, and then I GET http://www.fatsecret.com/oauth/authorize?oauth_token=xxxxxxxxxxxxxxx
(this is the request token I got in the first step). (Do I need to
sign this request? Do I need to use the request_token_secret?)

I run the unsigned request and open a web page which shows the
authentication page but with errors:
"This page contains the following errors:
error on line 65 at column 22: Opening and ending tag mismatch: tr
line 0 and table
Below is a rendering of the page up to the first error."

Then I sign in and it calls back to my Android app. So I get the
verifier. I use this verifier and the request token from the
first step to run HTTP GET again, and the response is null. So what's the
error right now? Thanks!

Andong


John

Apr 4, 2011, 1:45:35 AM
to FatSecret Platform API
Step 1 returns an "oauth_token" and "oauth_token_secret" and it
appears you have correctly and successfully completed Step 2 (i.e.
http://www.fatsecret.com/oauth/authorize?oauth_token=xxxxxxxxxxxxxxx)
which returns a verifier code. Just to clarify you do not need to sign
this request.

NOTE: We have looked into the authorize page and it was returning
invalid mark-up and this will be amended soon. Thanks for pointing
this out.

As for Step 3, I'm not exactly sure why you are getting a null
response. Are you not getting a 400 bad request? At this step you need
to include the “oauth_token” from Step 1 and the verifier code as
“oauth_verifier” from Step 2 into the parameters sent in the GET, and
sign the request using your consumer key secret + "&" + the
“oauth_token_secret” from Step 1.

I hope this helps,

John.


Andong

Apr 4, 2011, 5:28:37 PM
to FatSecret Platform API
Now the problem is Step 3: the response is "400 Bad Request" and
"Invalid signature: lF7iltjI74lpeOPpVPC%2Fi6elIbg%3D". I use
similar functions from FatSecretAPI to test Step 3. The secret is my
consumer_secret + "&" + oauth_token_secret (Step 1).

signature base: GET&http%3A%2F%2Fwww.fatsecret.com%2Foauth%2Faccess_token&oauth_consumer_key%3Dd37e0bb2199a4505a397171f701e3273%26oauth_nonce%3Dc5c089dd47df4fa8a38d0b4fdaa47487%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1301951213%26oauth_token%3D6752b6adadac4dd08665e91783bc0fa7%26oauth_verifier%3D8808231%26oauth_version%3D1.0

Did I miss any parameter or other error?

Thanks,
Andong


John

Apr 4, 2011, 8:51:59 PM
to FatSecret Platform API
Hi Andong,

It looks like you are 99% of the way there!

I can confirm that your signature base string is spot on, and so that
means that somehow you are signing this with the wrong key.
However you appear to be doing the right thing concatenating your
consumer secret and the token secret with the '&' character.

All I can suggest at this stage is to try this OAuth testing tool
found here:
https://github.com/mashery/OAuth-1.0-JavaScript-Testing-Tool

Verify that you can get the 3-legged OAuth to work and then look at
your Step 3 signing to see if there are any differences.

Some quick hints for using this tool:
- for Step 1 remember to add the oauth_callback parameter
- for Step 3 remember to add the oauth_verifier parameter and fill in
the Access Token and Secret. Also hit the refresh link for the
timestamp before generating the signed call.

John
The FatSecret Platform Team
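An added example (not code from this thread, from FatSecretAPI, or from the Mashery tool) that builds the OAuth 1.0 signature base string and HMAC-SHA1 signature exactly as John describes for Step 1 and Step 3, using the non-secret parameters Andong posted. The consumer secret and token secret are not on the page, so constructed placeholders are used; a constant-time comparison is included for the server-side check.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def oauth_encode(value):
    # RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ are left unencoded.
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Encode each key/value, sort, join with '&', then encode the whole
    # parameter string once more (that is where the %26 / %3D come from).
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(url), oauth_encode(param_str)])

def signing_key(consumer_secret, token_secret=""):
    # Step 1 has no token secret yet, so the key ends in a bare '&'.
    # Step 3 uses consumer secret + '&' + oauth_token_secret from Step 1.
    return f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"

def hmac_sha1_signature(base_string, key):
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")

def signature_matches(expected, received):
    # Server-side check: constant-time compare so timing does not reveal
    # how many leading bytes of a guessed signature were correct.
    return hmac.compare_digest(expected, received)

# Non-secret values taken from the thread; secrets below are constructed placeholders.
REQUEST_TOKEN_URL = "http://www.fatsecret.com/oauth/request_token"
ACCESS_TOKEN_URL = "http://www.fatsecret.com/oauth/access_token"
CONSUMER_KEY = "d37e0bb2199a4505a397171f701e3273"
STEP1_PARAMS = {"oauth_callback": "androidhealth://com.health.addDataStore/",
                "oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": "e697f5ae2e0a44f2a012e70a7a1cae51",
                "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1301590491",
                "oauth_version": "1.0"}
STEP3_PARAMS = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": "c5c089dd47df4fa8a38d0b4fdaa47487",
                "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1301951213",
                "oauth_token": "6752b6adadac4dd08665e91783bc0fa7", "oauth_verifier": "8808231",
                "oauth_version": "1.0"}
CONSUMER_SECRET = "example-consumer-secret"   # placeholder, not a real secret
TOKEN_SECRET = "example-token-secret"         # placeholder oauth_token_secret from Step 1

def step1_signature():
    base = signature_base_string("POST", REQUEST_TOKEN_URL, STEP1_PARAMS)
    return hmac_sha1_signature(base, signing_key(CONSUMER_SECRET))

def step3_signature(token_secret=TOKEN_SECRET):
    base = signature_base_string("GET", ACCESS_TOKEN_URL, STEP3_PARAMS)
    return hmac_sha1_signature(base, signing_key(CONSUMER_SECRET, token_secret))
```

Signing Step 3 with the consumer secret alone (an empty token secret) yields a different signature, which is the kind of key mismatch John points at.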

Andong

Apr 14, 2011, 12:53:04 PM
to FatSecret Platform API
Thanks, John

Your tool was quite helpful for finding the bug. By the way, do you
know roughly how many active users are using Android to log their
diet?

Best,
Andong

Len

Apr 14, 2011, 10:23:18 PM
to FatSecret Platform API
Hi Andong,

While the numbers bounce around, there are tens of thousands of active
Android users.

Kind regards,
Len