OAuth from a Windows RT application.


Mitch Gordon

Oct 16, 2013, 2:08:23 PM
to spring...@googlegroups.com
Hi, 

I'm creating a Windows RT application which accesses the Springpad API.  Since the functionality for the RT platform is restricted, I am unable to compile against any OAuth library for .Net that I have been able to find.  I am able to get a request token, send the user to authorize the application and my callback is being called with the response token in the reply.  However, when I try to obtain an access token, I keep getting a 403 response from the server.  I am sending a URL such as below and signing it with the same algorithm as my other requests, but I'm signing this one with the request token instead of the client secret.  I am passing no headers and using a GET.


Any help with missing headers or querystring values or an improper approach to signing would be appreciated.

Mitch

Chuck Garofalo

Oct 21, 2013, 10:11:43 AM
to spring...@googlegroups.com
Hi Mitch,

It looks like you are url encoding the entire query string including the "=" and "&" except in the case of the oauth_signature.  If that isn't the issue can you give me some more information about your response?  Is there anything more specific in the error?

Regards,
Chuck

Mitch Gordon

Oct 21, 2013, 12:41:11 PM
to spring...@googlegroups.com
Thanks for the response, Chuck.  After correcting the URL encoding, I'm getting a 401 with an additional querystring parameter returned to me, "oauth_problem=signature_invalid".  I have tried signing the request with the request token, alone, and also using "MyRequestToken&MyConsumerSecret".



Mitch Gordon

Oct 23, 2013, 1:02:45 PM
to spring...@googlegroups.com
I guess my question, here, is what should the key material be when signing the request?



Chuck Garofalo

Oct 23, 2013, 2:37:33 PM
to spring...@googlegroups.com
Hi Mitch,

Sometimes it is due to the timestamp being off.  Are you sure that you are properly setting that?

Chuck

Mitch Gordon

Oct 24, 2013, 8:43:54 AM
to spring...@googlegroups.com
I'm quite certain the issue isn't the timestamp.  I have not seen a definitive example or instruction concerning the actual key that should be used when signing this particular request.  The documentation states that it should be signed with the request key, but digging into the sample Python code reveals that the actual key is a couple of values concatenated with a '&'.  One of these values, I assume, is the request key, but what is the other and in what order?

Mitch Gordon

Oct 25, 2013, 11:14:21 AM
to spring...@googlegroups.com
Ok, so I figured this out for the call to get an access token.  The key material should be CONSUMER_SECRET + "&" + REQUEST_TOKEN_SECRET.  However, after obtaining an access token, using key material of CONSUMER_SECRET + "&" + ACCESS_TOKEN_SECRET does not work.  Any help constructing this key material value would be appreciated.

Mitch
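
The signing-key question in this thread, worked through as an added Python example (not Springpad's code and not posted by any participant): under the OAuth 1.0 HMAC-SHA1 rules in RFC 5849, the key is the consumer secret, an `&`, then the secret of whichever token is sent in `oauth_token`, and each parameter name and value is percent-encoded individually before joining. The function names are this example's own, and the sample values are the published example from Appendix A of the OAuth Core 1.0 specification, not Springpad credentials.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """Percent-encode per RFC 5849 section 3.6 (only unreserved chars stay literal)."""
    return quote(value, safe="-._~")


def base_string(method, url, oauth_params):
    """Build the signature base string: METHOD & encoded URL & encoded sorted params."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    # Encode each name and value on its own, then sort and join with literal = and &.
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def signing_key(consumer_secret, token_secret=""):
    """Consumer secret first, then the secret of the token named in oauth_token.
    With no token yet (request-token call) the key still ends in '&'."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, base64-encoded (not yet URL-encoded)."""
    mac = hmac.new(signing_key(consumer_secret, token_secret).encode("ascii"),
                   base_string(method, url, oauth_params).encode("ascii"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


# Sample values from the OAuth Core 1.0 specification's Appendix A example.
URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    sig = sign("GET", URL, PARAMS, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")
    print("base string:", base_string("GET", URL, PARAMS))
    # The signature is percent-encoded once more when placed in the query string.
    print("oauth_signature in URL:", pct(sig))
```

Printing the base string and comparing it byte for byte with what the client actually signs is the quickest way to separate an encoding mistake from a wrong key.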

szie...@springpartners.com

Oct 25, 2013, 5:23:40 PM
to spring...@googlegroups.com
Hi Mitch,

Could you please specify what you mean by "does not work"? What is the error message / response, and what does your request look like?

Best,
Sven

Mitch Gordon

Oct 26, 2013, 12:42:22 PM
to spring...@googlegroups.com
Sven,

I have tried several combinations of tokens and secrets, but continually receive a 403 response with a message "Invalid Oauth Signature" and "Code 511".  I have verified the string that is being signed and I'm using the same algorithm to calculate the signature for all of my calls, differing only in the key material that is used to generate the signature.  I feel pretty sure the problem is in using an incorrect string for the key.  I would appreciate any insight you could give on calculating the correct key value for signing a request.  My request looks like the following:

szie...@springpartners.com

Oct 28, 2013, 11:32:37 AM
to spring...@googlegroups.com
Mitch,

Do you use any kind of OAuth library, or do you sign the requests on your own? Could you please post some example code of how you construct your URL and when you do the signing?

I also want to mention that you should add two headers to your GET request:

    "Content-Type": "application/json; charset=UTF-8"
    "X-Spring-Api-Version": "7.0"

Maybe those two will already help or result in another error message?

Best,
Sven