Can someone help me debug this signature_invalid error?

Taylor Buley
Joined: 2010-09-24
Sep 26, 2010

By manually visiting a callback URL I am making it past the "Service provider sends user back to consumer" step of the OAuth process, but I cannot manage to make it past the next step. I cannot successfully request an access token, and am getting a signature_invalid error.

My code appears to have all the required parameters laid out in the OAuth flow document:

    /* Required:
       oauth_consumer_key
       oauth_signature
       oauth_signature_method
       oauth_token
       oauth_timestamp
       oauth_verifier */

You can see that in the Authorization header below. Using debug techniques laid out by Paul Lindner here, it looks like my application and LinkedIn are signing the same string.

Response:

    oauth_problem=signature_invalid&oauth_problem_advice=com.linkedin.security.auth.pub.LoginDeniedInvalidAuthTokenException%20while%20obtaining%20request%20token%20for%20%3AGET%26https%253A%252F%252Fapi.linkedin.com%252Fuas%252Foauth%252FaccessToken%26oauth_consumer_key%253Dvcrw48JVnh4JKY6N-ZjkOQZiFI6MR8G6joQdLUXArd5nao0F1726sG65R-yKeRYb%2526oauth_nonce%253D54eff90f8852d454ab03c4c66529f535%2526oauth_signature_method%253DHMAC-SHA1%2526oauth_timestamp%253D1285486094%2526oauth_token%253Db6ee9756-98bb-41b8-93e6-028e795a81e8%2526oauth_verifier%253D97381%2526oauth_version%253D1.0%0AOAU%3Avcrw48JVnh4JKY6N-ZjkOQZiFI6MR8G6joQdLUXArd5nao0F1726sG65R-yKeRYb%7Cb6ee9756-98bb-41b8-93e6-028e795a81e8%7C%2A01%7C%2A01%3A1285486094%3AAN6mLdQ%2FQhATruYzuUuo0qrTh%2FM%3D

Base string:

    GET&https%3A%2F%2Fapi.linkedin.com%2Fuas%2Foauth%2FaccessToken&oauth_consumer_key%3Dvcrw48JVnh4JKY6N-ZjkOQZiFI6MR8G6joQdLUXArd5nao0F1726sG65R-yKeRYb%26oauth_nonce%3D54eff90f8852d454ab03c4c66529f535%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1285486094%26oauth_token%3Db6ee9756-98bb-41b8-93e6-028e795a81e8%26oauth_verifier%3D97381%26oauth_version%3D1.0

Authorization header:

    Authorization: OAuth,oauth_version="1.0",oauth_nonce="54eff90f8852d454ab03c4c66529f535",oauth_timestamp="1285486094",oauth_consumer_key="vcrw48JVnh4JKY6N-ZjkOQZiFI6MR8G6joQdLUXArd5nao0F1726sG65R-yKeRYb",oauth_token="b6ee9756-98bb-41b8-93e6-028e795a81e8",oauth_verifier="97381",oauth_signature_method="HMAC-SHA1",oauth_signature="AN6mLdQ%2FQhATruYzuUuo0qrTh%2FM%3D"

URL decoding the string in the response, it looks exactly like the base string:

    GET&https%3A%2F%2Fapi.linkedin.com%2Fuas%2Foauth%2FaccessToken&oauth_consumer_key%3Dvcrw48JVnh4JKY6N-ZjkOQZiFI6MR8G6joQdLUXArd5nao0F1726sG65R-yKeRYb%26oauth_nonce%3D54eff90f8852d454ab03c4c66529f535%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1285486094%26oauth_token%3Db6ee9756-98bb-41b8-93e6-028e795a81e8%26oauth_verifier%3D97381%26oauth_version%3D1.0

What's causing the signature_invalid? Taylor Singletary's common issues with OAuth and the Slideshare presentation discuss a common mistake that could be causing this: non-strict signing of the access request without the consumer key secret and oauth_token_secret. I've included this but still seem to be hitting a wall.

For reference, here's the code block where I build an OAuthRequest object via the oauth-php library and try to grab the response:

    // Request token from the callback query string plus the token secret saved in the session,
    // wrapped in an OAuthConsumer object so it can be passed where the library expects a token
    $new_token_for_access_token_request = new OAuthConsumer($_GET['oauth_token'], $_SESSION['oauth_token_secret'], 1);
    $parameters_for_access_token_request = array("oauth_verifier" => $_REQUEST['oauth_verifier']);
    $accObj = OAuthRequest::from_consumer_and_token($oauthc, $new_token_for_access_token_request, "GET", $oauth['linkedin']['accesstokenurl'], $parameters_for_access_token_request);
    // Sign with the consumer secret and the token secret joined by "&"
    $accObj->sign_request($sig_method, $oauthc, (urlencode($oauth['linkedin']['consumersecret']) . "&" . urlencode($_SESSION['oauth_token_secret'])));
    $toHeader = $accObj->to_header("http://api.linkedin.com");
    $output = curl_data($accObj->to_url(), NULL, $toHeader);

Here's the curl_data() cURL request code that fetches the response:

    function curl_data($url, $post_data = null, $toHeader = null) {
        $ch = curl_init();
        if (defined("CURL_CA_BUNDLE_PATH")) curl_setopt($ch, CURLOPT_CAINFO, CURL_CA_BUNDLE_PATH);
        // $toHeader is the full "Authorization: OAuth ..." line built above
        curl_setopt($ch, CURLOPT_HTTPHEADER, array($toHeader));
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // disables TLS certificate verification
        if (isset($post_data)) {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
        }
        echo $response = curl_exec($ch);
        $http_status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $last_api_call = $url;
        curl_close($ch);
        return $response;
    }
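As an added example (not code from the post or from the oauth-php library), here is the OAuth 1.0a signing step being debugged, written in Python: it rebuilds the base string from the header parameters quoted above, recovers the base string LinkedIn signed from the oauth_problem_advice value the same way the post does by hand, and derives the HMAC-SHA1 key as enc(consumer_secret)&enc(token_secret). The two secrets passed to sign() are constructed placeholders, since the post does not include them.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote

# Request parameters copied from the Authorization header in the post above.
METHOD = "GET"
URL = "https://api.linkedin.com/uas/oauth/accessToken"
PARAMS = {
    "oauth_version": "1.0",
    "oauth_nonce": "54eff90f8852d454ab03c4c66529f535",
    "oauth_timestamp": "1285486094",
    "oauth_consumer_key": "vcrw48JVnh4JKY6N-ZjkOQZiFI6MR8G6joQdLUXArd5nao0F1726sG65R-yKeRYb",
    "oauth_token": "b6ee9756-98bb-41b8-93e6-028e795a81e8",
    "oauth_verifier": "97381",
    "oauth_signature_method": "HMAC-SHA1",
}
# The signature_invalid response body quoted in the post (one string, split for width).
RESPONSE = (
    "oauth_problem=signature_invalid&oauth_problem_advice=com.linkedin.security.auth.pub."
    "LoginDeniedInvalidAuthTokenException%20while%20obtaining%20request%20token%20for%20%3AGET"
    "%26https%253A%252F%252Fapi.linkedin.com%252Fuas%252Foauth%252FaccessToken%26oauth_consumer_key"
    "%253Dvcrw48JVnh4JKY6N-ZjkOQZiFI6MR8G6joQdLUXArd5nao0F1726sG65R-yKeRYb%2526oauth_nonce"
    "%253D54eff90f8852d454ab03c4c66529f535%2526oauth_signature_method%253DHMAC-SHA1"
    "%2526oauth_timestamp%253D1285486094%2526oauth_token%253Db6ee9756-98bb-41b8-93e6-028e795a81e8"
    "%2526oauth_verifier%253D97381%2526oauth_version%253D1.0%0AOAU%3A"
    "vcrw48JVnh4JKY6N-ZjkOQZiFI6MR8G6joQdLUXArd5nao0F1726sG65R-yKeRYb%7Cb6ee9756-98bb-41b8-93e6-028e795a81e8"
    "%7C%2A01%7C%2A01%3A1285486094%3AAN6mLdQ%2FQhATruYzuUuo0qrTh%2FM%3D"
)

def build_base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & enc(URL) & enc(sorted "k=v" pairs joined by "&"); quote(safe="") is RFC 3986 encoding."""
    pairs = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    return "&".join(quote(part, safe="") for part in (method.upper(), url, pairs))

def sign(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret) & enc(token_secret)."""
    # Leaving token_secret empty is the "common mistake" the post refers to: same base string, different key.
    key = quote(consumer_secret, safe="") + "&" + quote(token_secret, safe="")
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def server_base_string(response_body):
    """Recover the base string LinkedIn signed from oauth_problem_advice (one level of URL decoding)."""
    advice = parse_qs(response_body)["oauth_problem_advice"][0]
    return advice.split(" for :", 1)[1].split("\n", 1)[0]

def base_strings_match(response_body):
    """The post's debugging check: does the server's base string equal the one the client signed?"""
    return server_base_string(response_body) == build_base_string(METHOD, URL, PARAMS)
```

When both base strings agree but the signatures still differ, the only remaining input to HMAC-SHA1 is the key, so the consumer secret or the token secret the client used is not the one the server expects.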