Question

My consumer code is as follows:

    // Two-legged OAuth: only the consumer key and secret are used, no access token
    GoogleOAuthParameters oauthParameters = new GoogleOAuthParameters();
    oauthParameters.setOAuthConsumerKey(CONSUMER_KEY);
    oauthParameters.setOAuthConsumerSecret(CONSUMER_SECRET);
    oauthParameters.setOAuthType(OAuthType.TWO_LEGGED_OAUTH);

    OAuthHmacSha1Signer signer = new OAuthHmacSha1Signer();
    GoogleService service = new GoogleService("oauthclient", "sampleapp");
    service.setOAuthCredentials(oauthParameters, signer);

    // Request URL; its scheme, host and path become part of the signed base string
    String param = "Hellow World";
    String baseString = APP_SERVER + "services/OAuthTest/greet" + "?xoauth_requestor_id=" + USER_NAME + "&name=" + param;

    URL feedUrl = new URL(baseString);
    request = service.createFeedRequest(feedUrl);
    request.execute();
    convertStreamToString(request.getResponseStream());

And my OAuth server-side code is as follows:

    // Rebuild the OAuth parameters from the values received in the request
    GoogleOAuthParameters oauthParameters = new GoogleOAuthParameters();
    oauthParameters.setOAuthConsumerKey(consumerKey);
    oauthParameters.setOAuthConsumerSecret(secretKey);
    oauthParameters.setOAuthNonce(nonce);
    oauthParameters.setOAuthTimestamp(timestamp);
    oauthParameters.setOAuthSignatureMethod(signatureMethod);

    validateTimestampAndNonce(otimestamp, nonce);

    // Recompute the signature over the server's view of the request URL and parameters
    OAuthHmacSha1Signer signer = new OAuthHmacSha1Signer();
    String baseString = OAuthUtil.getSignatureBaseString(baseUrl, httpMethod, baseParameters);
    String signature = signer.getSignature(baseString, oauthParameters);

    // Compare with the signature the consumer sent
    return signature.equals(oauthParams.getOauthSignature());

The above signature validation fails, and I have no clue what is wrong. Please help.


Solution

I found the reason for this. Section 9.1.2 of the OAuth 1.0a spec specifies that the Signature Base String includes the absolute request URL, so if the URL differs between the server side and the consumer side, signature verification fails. In my case, at the consumer end I was using

127.0.0.1

for the host name of the Request URL and at the server end I was using

localhost

as the host name, which is wrong. After changing the consumer to use localhost as the host name, I got the signature verification to succeed.
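
The host-name mismatch described in this answer, reproduced as an added example (not code from the original post or from the gdata client library): it builds the OAuth 1.0a Signature Base String using only the JDK (Java 10 or later) and signs it once per host name. The port, consumer key, secret, nonce and timestamp are constructed placeholders, and the class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class BaseStringDemo {
    // OAuth 1.0a percent-encoding: only unreserved characters (A-Z a-z 0-9 - . _ ~) stay literal.
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // Signature Base String: METHOD & encoded(normalized URL) & encoded(sorted parameters).
    static String baseString(String method, String url, Map<String, String> params) {
        URI u = URI.create(url);
        String scheme = u.getScheme().toLowerCase(), host = u.getHost().toLowerCase();
        int port = u.getPort();
        boolean dflt = port == -1 || (scheme.equals("http") && port == 80) || (scheme.equals("https") && port == 443);
        String normUrl = scheme + "://" + host + (dflt ? "" : ":" + port) + u.getRawPath();
        // Assumes one value per parameter name; pairs are sorted by encoded name.
        TreeMap<String, String> sorted = new TreeMap<>();
        params.forEach((k, v) -> sorted.put(enc(k), enc(v)));
        String normParams = sorted.entrySet().stream()
                .map(e -> e.getKey() + "=" + e.getValue()).collect(Collectors.joining("&"));
        return method.toUpperCase() + "&" + enc(normUrl) + "&" + enc(normParams);
    }
    // HMAC-SHA1 keyed with "consumerSecret&" (two-legged OAuth: the token secret is empty).
    static String sign(String base, String consumerSecret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec((enc(consumerSecret) + "&").getBytes(StandardCharsets.US_ASCII), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.US_ASCII)));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample values; port, key, secret, nonce and timestamp are placeholders.
        Map<String, String> p = Map.of("oauth_consumer_key", "example-key", "oauth_nonce", "abc123",
                "oauth_signature_method", "HMAC-SHA1", "oauth_timestamp", "1300000000",
                "xoauth_requestor_id", "user@example.com", "name", "Hellow World");
        String consumer = baseString("GET", "http://127.0.0.1:8080/services/OAuthTest/greet", p);
        String server = baseString("GET", "http://localhost:8080/services/OAuthTest/greet", p);
        System.out.println("consumer: " + consumer + "\nserver:   " + server);
        byte[] sent = sign(consumer, "example-secret").getBytes(StandardCharsets.US_ASCII);
        byte[] recomputed = sign(server, "example-secret").getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison, as a server should use when checking signatures.
        System.out.println("signatures match: " + MessageDigest.isEqual(sent, recomputed));
    }
}
```

Printing both base strings side by side is the quickest way to find this class of failure: the two strings differ only in the encoded host, and any single differing byte changes the HMAC.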

Licensed under: CC-BY-SA with attribution