bannerColor WARNING_YELLOW templateName stackForums

oauth_problem=signature_invalid

21 posts / 0 new
Last post
Nick Carter's picture
Joined: 2011-04-08
Apr 8, 2011
oauth_problem=signature_invalid

I am using an OAUTH library published by Scott Desapio (http://scottdesapio.com/VBScriptOAuth/) originally for Twitter.  I have successfully used it for creating a Twitter API.  So, for LinkedIN, i simply changed the endpoints and my API & Consumer keys and expected that it would work.  It works up until it tries to https://api.linkedin.com/uas/oauth/accessToken and then it gets the following response:oauth_problem=signature_invalid&oauth_problem_advice=com.linkedin.security.auth.pub.LoginDeniedInvalidAuthTokenException%20while%20obtaining%20request%20token%20for%20%3APOST%26https%253A%252F%252Fapi.linkedin.com%252Fuas%252Foauth%252FaccessToken%26oauth_consumer_key%253Dk_Xo7Wx75pgLlZSYovAWofJEDLs2s9r6csSzKGtlOWyQSaRybu9nq5JGS5jiCZ45%2526oauth_nonce%253D1359909368%2526oauth_signature_method%253DHMAC-SHA1%2526oauth_timestamp%253D1302296412%2526oauth_token%253Db2aee560-7102-4f30-8c62-13064ef91e52%2526oauth_verifier%253D68867%2526oauth_version%253D1.0%0AOAU%3Ak_Xo7Wx75pgLlZSYovAWofJEDLs2s9r6csSzKGtlOWyQSaRybu9nq5JGS5jiCZ45%7Cb2aee560-7102-4f30-8c62-13064ef91e52%7C%2A01%7C%2A01%3A1302296412%3AHNE%2F5p8072i%2FW9oXNkD%2FIqSllg4%3DAny idea why?  What is different in the signing between Twitter and LinkedIn?Thanks,Nick

Kirsten Hunter's picture
Joined: 2011-06-30
Apr 12, 2011

I'm not familiar with exactly how the Twitter stream works, but you might check on whether the oauth_verifier is being included in the signature generation correctly.

Nick Carter's picture
Joined: 2011-04-08
Apr 13, 2011

It is being included in the signature generation, but "correctly" could be the question.  Are there more than one correct ways to do it?  If not, then it would not be reasonable to believe that the code works for Twitter but not LinkedIN.  If there are more than one way to handle the oauth_verifier in a signature, please do tell what they are and which LinkedIN requires.

Kirsten Hunter's picture
Joined: 2011-06-30
Apr 13, 2011

Having just gone through this exercise in C#, it occurs to me to point out that we require that the authentication to be sent in the headers for POST queries.  It may be that Twitter accepts query string authentication parameters, but our API requires that the oauth parameters be sent in an Authentication header as discussed in this OAuth documentation. Note that this is a single header, "Authorization", which is a comma delimited string with the oauth information.  If you examine your headers and this isn't there, that may be the issue.

Nick Carter's picture
Joined: 2011-04-08
Apr 20, 2011

I changed my request to add the request header "Authorization" with the following value but I am still getting the same error.OAuth realm="http://api.linkedin.com/",  oauth_consumer_key="k_Xo7Wx75pgLlZSYovAWofJEDLs2s9r6csSzKGtlOWyQSaRybu9nq5JGS5jiCZ45",  oauth_token="74a39090-c59b-4e50-bb83-f99b263cb485",  oauth_signature_method="HMAC-SHA1",  oauth_signature="P3cgkoQw8N52PiLsApkVI0cWDzA%3D",  oauth_timestamp="1303308194", oauth_nonce="1335902310",  oauth_version="1.0"Help!!!

Nick Carter's picture
Joined: 2011-04-08
Apr 20, 2011

After viewing this slide deck: http://www.slideshare.net/episod/linkedin-oauth-zero-to-hero, I may have identified the problem.  After the Authorize call, I don't get an oauth_token_secret back to use in signing my next request, just the oauth_token and the oauth_verifier. Am I doing something wrong to not receive the secret.  I looked at the URL called back, it only has those two values in the querystring.  No secret.

Kirsten Hunter's picture
Joined: 2011-06-30
Apr 20, 2011

You use the oauth_token_secret from the original request_token call.

Nick Carter's picture
Joined: 2011-04-08
Apr 21, 2011

Ok, I did confirm that the code I was using was not concatenating the oauth_token_secret from the initial tokenRequest with my consumer secret in order to creat the signature hash.  I have corrected that.  But the problem STILL remains.Now, with the signature correctly using both the consumer secret and oauth_token_secret, and with the values put in an "Authorization: ..." header on my POST request to accessToken, I still get the invalid signature response.I'm beginning to wonder how ANYONE gets this to work correctly.  What should I look at next?  I see enough posts like this in the forum to know that it is a common issue, and sadly, I haven't found any yet that have a solution.

Kirsten Hunter's picture
Joined: 2011-06-30
Apr 22, 2011

Actually, people have gotten this to work correctly in almost every case. But you're the first person I've seen asking about the VB library, so this is new ground.  If you can post the full request headers and content and full response headers and content (with the token/keys fuzzed for privacy) we can try to troubleshoot.I know this is frustrating, but it's definitely doable.  Without more information, though, it's tough for us to help.

Kirsten Hunter's picture
Joined: 2011-06-30
Apr 22, 2011

In the meantime, there is one other twitter oauth VB library you might try:http://twittervb.codeplex.com/

Nick Carter's picture
Joined: 2011-04-08
Apr 22, 2011

I did a response.write on about every step to show you the flow.  See image below:

Lee Whitney's picture
Joined: 2011-01-20
Apr 22, 2011

Nick,Developing with OAuth is similiar to using regular expressions.  Both are extremely useful and both are extremely error prone.  That's why you see so many problems on all platforms, not just LI.  It works 100%, but the developer usability sucks.Because of this I would recommend one of the following:1)  Find a VB sample that is fully working end to end, and only requires you to change the key.  Otherwise it's too easy to get into this cycle of tweaking things that "should" be working and still don't.  If you start with something working it's much easier to modify/add to it.2)  Bite the bullet and read the entire OAuth spec.  Setup your code to be able to see exactly what is sent and received for each HTTP message.  Once you know what should be sent and received at every point, it's impossible not to find the problem.(2) is a real pain, but it's what I ended up doing because I couldn't find a turn key example.  Also since so many sites use OAuth it's not a bad thing to invest a little time in.Definiitely option (1) if you can, but I'm just staying try not to stay stuck in the middle of 1 and 2 for too long.

Joined: 2011-07-31
Aug 4, 2011

I was having very similier problems. with invalid signature. Now I see the url your using and it has the query in the URL, I thought you were suppose to post the information?

Igor Venzhyk's picture
Joined: 2011-08-01
Sep 14, 2011

I have the same problem. The problem was reproduced only when I recreated WebConsumer on each request to my site.
When I put instance of WebConsumer in Session or Application all problems are resolved

Jim Meyer's picture
Joined: 2011-10-14
Dec 4, 2011

Nick, did you ever get this to work. I am attempting to do the very same thing with scotdesapio's library.

Joined: 2011-12-13
Dec 27, 2011

I am still getting the same problem when I am using JOAuth with javascript which works for twitter.. Any solution??

Michiel Van Ballegooijen's picture
Joined: 2012-02-17
Feb 29, 2012

Having the same problem. Did anybody get it to work with vbscript already?

Joined: 2012-03-20
Mar 21, 2012

it's combination of consumer key and auth token secret. I just figured that out.
Use: consumerSecret + "&" + tokenSecret

Marina Pogosova's picture
Joined: 2012-05-28
May 29, 2012

Thank you so much! This worked like a charm.

sivagopal manapragada's picture
Joined: 2012-06-27
Jun 28, 2012

that might be problem with callback url iam also getting the same error did got any remedy for your error please reply me sivagopaltech@gmail.com
most of cases social networking sites doesn't allow when localhost/ip is in callback url

Joined: 2011-11-14
Jul 11, 2012

For anyone using the Scott Desapio VBScript library and is finding the same issue I did which is that the requestToken works but the accessToken fails with a signature_invalid error, simply add the following lines of code to the following library files:

/authenticate.asp

Dim strRequestToken : strRequestToken = objOAuth.Get_ResponseValue(OAUTH_TOKEN)
Dim strRequestTokenSecret : strRequestTokenSecret = objOAuth.Get_ResponseValue(OAUTH_TOKEN_SECRET) <---- New Line

Session(OAUTH_TOKEN_REQUEST) = strRequestToken
Session(OAUTH_TOKEN_SECRET) = strRequestTokenSecret <--- New Line

/callback.asp

objOAuth.Parameters.Add "oauth_token", Session(OAUTH_TOKEN_REQUEST)
objOAuth.Parameters.Add "oauth_token_secret", Session(OAUTH_TOKEN_SECRET) <---- New Line

This did the trick straightaway for me. Good luck!