php - How to resolve "Invalid signature. Expected signature base string" in OAuth 1.0

373

I'm attempting to get an access token and secret from a site using OAuth. The exchange of request token and request secret goes fine, but when it comes time to get the access tokens I get the error "Invalid signature. Expected signature base string."

Has anyone seen this error before or know what might be wrong? Here is the data I am getting back (after urldecode-ing it):

Invalid signature. Expected signature base string: POST 
https://www.readability.com/api/rest/v1/oauth/access_token 
oauth_consumer_key=my_consumer_key 
oauth_nonce=d9aff6a0011a633253c5ff9613c6833d79d52cbe 
oauth_signature_method=HMAC-SHA1 
oauth_timestamp=1311186899 
oauth_token=C8GF7D6ytPzQKdZVpy 
oauth_verifier=ncUV4tJSrS 
oauth_version=1.0 
signature=7jUuk6fsEL8XNYxVWcsfGXEreK0%3D 
611

Answer

Solution:

As @genesis described, it is pretty painful to get the signature key right, but there is documentation for it, which can be seen at this link: http://oauth.net/core/1.0/#encoding_parameters.

The rule of thumb, when you work with HMAC-SHA1, is:

  1. Generate signature base string as "Method(POST/GET/etc)"&"encoded-string-for-your-target"&"encoded-string-of-your-oauth-param(consumer key, nonce, signature method, timestamp, token, and version)".
  2. The HMAC-SHA1 signature method uses the two secrets client secret and token secret as the HMAC-SHA1 algorithm key. To construct the key, each secret is UTF8-encoded, URL-encoded, and concatenated into a single string using an '&' character as separator even if either secret is empty.
  3. With the Signature Base String as the HMAC-SHA1 text and concatenated secrets as key, the client generates the signature. The HMAC-SHA1 algorithm will generate an octet string as the result. The octet string must be base64-encoded with '=' padding.
  4. The calculated signature is added to the request using the 'oauth_signature' parameter. When the signature is verified by the server, this parameter is not included in the signature workflow as it was not part of the Signature Base String signed by the client. When the signature is included in the HTTP request, it must be properly encoded as required by the method used to transmit the parameters.

Source: http://nouncer.com/oauth/authentication.html
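The four steps above as an added PHP example (not code from the answer or from any OAuth library). The function names are hypothetical, the parameter values are the ones in the question's error output, both secrets are constructed, and it assumes a URL without a query string and no repeated parameter names.

```php
<?php
// OAuth 1.0 percent-encoding is RFC 3986: rawurlencode() turns a space into
// %20, while urlencode() emits "+" and produces a different base string.
function oauth_encode(string $value): string
{
    return rawurlencode($value);
}

// Step 1: METHOD & encoded URL & encoded, sorted "name=value" parameter string.
// Assumes $url has no query string and no parameter name occurs twice.
function signature_base_string(string $method, string $url, array $params): string
{
    unset($params['oauth_signature']); // step 4: never part of the signed text
    $encoded = [];
    foreach ($params as $name => $value) {
        $encoded[oauth_encode((string) $name)] = oauth_encode((string) $value);
    }
    ksort($encoded, SORT_STRING); // sort by encoded name, byte order
    $pairs = [];
    foreach ($encoded as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode(implode('&', $pairs));
}

// Steps 2 and 3: the key is "consumer_secret&token_secret" (the "&" stays even
// when a secret is empty); the raw HMAC-SHA1 output is then base64-encoded.
function oauth_signature(string $baseString, string $consumerSecret, string $tokenSecret = ''): string
{
    $key = oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

$params = [ // values from the question's error output
    'oauth_consumer_key'     => 'my_consumer_key',
    'oauth_nonce'            => 'd9aff6a0011a633253c5ff9613c6833d79d52cbe',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => '1311186899',
    'oauth_token'            => 'C8GF7D6ytPzQKdZVpy',
    'oauth_verifier'         => 'ncUV4tJSrS',
    'oauth_version'          => '1.0',
];
$url  = 'https://www.readability.com/api/rest/v1/oauth/access_token';
$base = signature_base_string('POST', $url, $params);
// Secrets are constructed placeholders, not real credentials.
$params['oauth_signature'] = oauth_signature($base, 'constructed_consumer_secret', 'constructed_token_secret');

echo $base, PHP_EOL; // compare this with the "expected signature base string"
// Step 4: the signature is percent-encoded again when placed in the request.
echo 'oauth_signature=', oauth_encode($params['oauth_signature']), PHP_EOL;
```

Printing the base string and comparing it character by character with the one the server reports is the quickest way to find an encoding or ordering mismatch.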

193

Answer

Solution:

You can take a look here, it was asked about a week ago. Response:

Getting the OAuth signature stuff exactly right is always a huge pain. You should try hard to make sure the base string your library generates is just like the one the server is expecting. Once that's true, the only way you can screw up is to hmac with the wrong key(s).

139

Answer

Solution:

I can't comment on answers for some reason, but to answer your question in the comment on the answer above, you can use the OAuth playground to see what Google wants your base string to look like: http://googlecodesamples.com/oauth_playground/index.php

586

Answer

Solution:

I know this is really old, and this might not help in the slightest, but I got this with something today, and doing a rawurlencode() instead of urlencode() fixed it for me.

577

Answer

Solution:

I was facing that OAuth 1.0 problem recently. After searching Google, I found a web service created by someone which generates signatures for OAuth. It worked for me. Link is here. Have a look :)
