My OAuth request signature differs from my service provider's one
https://stackoverflow.com/questions/4210759
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm developing an app using OAuth1.0a for iPad.
My problem is that I can't get the right signature for my request_token request. The service I want to connect with has a debugging tool that allows to check the signature you should have depending on your OAuth parameters.
The result is :
i get the right signature base code
i get different signatures
According to my understanding of OAuth, this means that :
my signature algorithm is bugged (HMAC-SHA1) (but I get it from a 3rd-party : https://github.com/jdg/oauthconsumer/tree/master/Crytpo/)
the service provider is wrong
Is there any free tool, possibly online, that can build a signature from a signature base code and a key to check who's right and who's wrong ?
Thanks for your help
Solution 3
I've figured out what my problem was, my consumer key contains special characters ('+' and '=') and with these characters, the signature from my provider and from the OAuth iOS framework are different.
I've tried to take a look at the RFC to try to decide who was right but couldn't make a decision. So i'm just gonna try to hack the OAuth code to make it work with my provider. I'll share the trick on this page once I've found it.
So just be aware that special characters encoding might be tricky, and if you have an opinion about how special characters should be encoded to sign your signature base, feel free to share.
OTHER TIPS
Why not just use all of OAuthConsumer rather than just the HMAC-SHA1 component? It's well used, well tested code that is used in a number of different apps. I'd say that OAuthConsumer is "known good."
It seems unlikely that your service provider would be wrong (unless you're the only customer).
This leaves how you're using the crypto code.
Common problems that I've seen with OAuth signatures:
- Not sorting the parameters
- Missing out seemingly unimportant parameters
- Not separating the parameters from the base URL
- Using the wrong HTTP method
- Redirects or aliases. You connect to server.com but the remote side thinks of itself as api.server.com
One other thing you could do is use the same client code to connect another OAuth service, Twitter for example. If your code reliably produces the correct signature for Twitter then it's likely that it would do the right thing for any other service. This would (likely) mean that the problem was, as you suggest, with your service. I say "likely" as each OAuth implementation seems to have its own quirks.
This is unlikely to be the problem, but try using the iOS built in HMAC method to generate your SHA:
What's more likely is that your signature base string is actually wrong. Have you confirmed your base string is spec compliant? There's a good interactive tool you can use to check your request here:
http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests/
