bannerColor WARNING_YELLOW templateName stackForums

Can someone help me debug this signature_invalid error?

1 post / 0 new
Taylor Buley's picture
Joined: 2010-09-24
Sep 26, 2010
Can someone help me debug this signature_invalid error?

By manually visiting a callback url I am making it past the "Service provider sends user back to consumer" step of the oAuth process, but I cannot manage to make it past the next step. I cannot successfully request an access token, and am getting a signature_invalid error.My code appears to have all the required parameters laid out in the oAuth flow document: /* Required: oauth_consumer_key oauth_signature oauth_signature_method oauth_token oauth_timestamp oauth_verifier */You can see that in the Authorization header below. Using debug techniques laid out by  Paul Lindner here it looks like my application and Linkedin are signing the same string:Response:oauth_problem=signature_invalid& Base string:Base string: GET& header:Authorization: OAuth,oauth_version="1.0",oauth_nonce="54eff90f8852d454ab03c4c66529f535",oauth_timestamp="1285486094",oauth_consumer_key="vcrw48JVnh4JKY6N-ZjkOQZiFI6MR8G6joQdLUXArd5nao0F1726sG65R-yKeRYb",oauth_token="b6ee9756-98bb-41b8-93e6-028e795a81e8",oauth_verifier="97381",oauth_signature_method="HMAC-SHA1",oauth_signature="AN6mLdQ%2FQhATruYzuUuo0qrTh%2FM%3D"URL decoding the string in the response it looks exactly like the base string:GET&'s causing the signature_invalid? Taylor Singletary's common issues with oAuth and the Slideshare presentation discuss a common mistake that could be causing this: non-strict signing of access request without consumer key secret and oauth_token_secret. I've included this but still seem to be hitting a wall.For reference, here's the codeblock I where I build an OAuthRequest object via oauth-php library and try to grab the response: $new_token_for_access_token_request = new OAuthConsumer($_GET['oauth_token'], $_SESSION['oauth_token_secret'], 1); $parameters_for_access_token_request = array("oauth_verifier" => $_REQUEST['oauth_verifier']);$accObj = OAuthRequest::from_consumer_and_token($oauthc, $new_token_for_access_token_request, "GET", $oauth['linkedin']['accesstokenurl'], $parameters_for_access_token_request);$accObj->sign_request($sig_method, $oauthc, (urlencode($oauth['linkedin']['consumersecret']) . "&" . urlencode($_SESSION['oauth_token_secret']))); $toHeader = $accObj->to_header(""); $output = curl_data($accObj->to_url(), NULL, $toHeader);Here's the curl_dataI() cURL request code that fetches the response:  function curl_data($url, $post_data = null, $toHeader = null) {    $ch = curl_init();    if (defined("CURL_CA_BUNDLE_PATH")) curl_setopt($ch, CURLOPT_CAINFO, CURL_CA_BUNDLE_PATH);   curl_setopt($ch, CURLOPT_HTTPHEADER, array($toHeader));    curl_setopt($ch, CURLOPT_URL, $url);    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);    curl_setopt($ch, CURLOPT_TIMEOUT, 30);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);    if (isset($post_data)) {      curl_setopt($ch, CURLOPT_POST, 1);      curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);    }    echo $response = curl_exec($ch);    $http_status = curl_getinfo($ch, CURLINFO_HTTP_CODE);    $last_api_call = $url;    curl_close ($ch);    return $response;  }