Question

I am using DotNetOpenAuth 4.3 to integrate FitBit into my web application. I was able to authorize users successfully up until a few days ago when I started receiving the following error from FitBit when trying to swap the request token with an access token:

{"errors":[{"errorType":"oauth","fieldName":"oauth_access_token","message":"Invalid signature or token 'PpUuhUBgLXZrLvKQoaS+Tt4Blc4=' or token '4c5623004d03e71094b7a7f0d2ded338'"}],"success":false}

I've searched around and found this thread which I believe matches the problem I am having: https://groups.google.com/forum/#!msg/fitbit-api/ii4pUt4uTNM/mPORlYWqs0wJ

The gist of that thread is that FitBit recently started enforcing that the oauth_signature parameter be signed with the following:

Requests to https://api.fitbit.com/oauth/access_token need to be signed with your application's consumer key and secret and the oauth_token and oauth_verifier received from the authorization callback.

In other words, it looks like we need to sign with 4 parameters. I looked at the source code of DotNetOpenAuth and saw the following method on the OAuth1HmacSha1HttpMessageHandler class (I am using an HmacSha1SigningBindingElement in my ServiceProviderDescription):

protected override byte[] Sign(byte[] signedPayload) {
    using (var algorithm = HMACSHA1.Create()) {
        algorithm.Key = Encoding.ASCII.GetBytes(this.GetConsumerAndTokenSecretString());
        return algorithm.ComputeHash(signedPayload);
    }
}

It appears as though this signing behavior only uses two parameters: the consumer and token secret (returned via this.GetConsumerAndTokenSecretString()).

My question is:

Is changing the type of message handler and overriding the behavior of the Sign method the proper way to fix this issue? And if so, is there a way to change the signing behavior of my WebConsumer? I was thinking that I could create a subclass of OAuth1HttpMessageHandlerBase and override this behavior but there does not seem to be a clean way to change the MessageHandler of my web consumer.

Thanks!

No correct solution
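How OAuth 1.0a (RFC 5849) HMAC-SHA1 signing combines the four values named in the quoted FitBit requirement, as an added example that is not part of the original post and is not DotNetOpenAuth's code: the consumer secret and token secret form the HMAC key, while the consumer key, oauth_token and oauth_verifier are parameters inside the signature base string. All credential values below are constructed placeholders, and the POST method is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class OAuth1AccessTokenSignature
{
    // RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal.
    static string Enc(string s) => string.Concat(Encoding.UTF8.GetBytes(s).Select(b =>
        (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z') || (b >= '0' && b <= '9') ||
        b == '-' || b == '.' || b == '_' || b == '~' ? ((char)b).ToString() : "%" + b.ToString("X2")));

    // Base string: METHOD & encoded URL & encoded, sorted parameter list.
    // Assumes the URL is already normalized (lowercase host, no query string).
    static string BaseString(string method, string url, IDictionary<string, string> p)
    {
        var pairs = p.Select(kv => (k: Enc(kv.Key), v: Enc(kv.Value)))
                     .OrderBy(x => x.k, StringComparer.Ordinal).ThenBy(x => x.v, StringComparer.Ordinal)
                     .Select(x => x.k + "=" + x.v);
        return method.ToUpperInvariant() + "&" + Enc(url) + "&" + Enc(string.Join("&", pairs));
    }

    static string Sign(string baseString, string consumerSecret, string tokenSecret)
    {
        // The HMAC key is always "consumer secret & token secret"; for the
        // access-token step the token secret is the request token's secret.
        var key = Enc(consumerSecret) + "&" + Enc(tokenSecret);
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    static void Main()
    {
        // Constructed placeholder values, not real credentials.
        var p = new Dictionary<string, string> {
            ["oauth_consumer_key"] = "constructed-consumer-key",
            ["oauth_token"] = "constructed-request-token",
            ["oauth_verifier"] = "constructed-verifier",
            ["oauth_signature_method"] = "HMAC-SHA1",
            ["oauth_timestamp"] = "1371312000",
            ["oauth_nonce"] = "constructed-nonce",
            ["oauth_version"] = "1.0",
        };
        var bs = BaseString("POST", "https://api.fitbit.com/oauth/access_token", p);
        Console.WriteLine(bs);
        Console.WriteLine(Sign(bs, "constructed-consumer-secret", "constructed-request-token-secret"));
    }
}
```

Printing the base string next to the signature makes it possible to check whether oauth_token and oauth_verifier are actually present in what gets signed, which is the first thing to compare when a provider rejects the access-token request.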

Licensed under: CC-BY-SA with attribution