OAuth Signature not valid error using Rauth, Python against the Vimeo API

Question

Sorry if this is a noob question but I was trying to test and start using the RAuth python library with Vimeo's API.

I'm using the access token/secret provided on the app page for the app I registered with Vimeo on the developer's site. So I guess the first part of the question is: is that a valid access token/secret or do I need to actually go through the OAuth process despite the fact that I'm trying to access my company's account using this API?

Assuming that's a valid token, then the meat of the question is, given this implementation:

from rauth.session import OAuth1Session

session = OAuth1Session(
                    consumer_key=VIMEO_CLIENTID,
                    consumer_secret=VIMEO_CLIENTSECRET,
                    access_token=VIMEO_ACCESSTOKEN,
                    access_token_secret=VIMEO_ACCESSTOKENSECRET )

response = session.get(VIMEO_URL_BASE + 'vimeo.oauth.checkAccessToken')

I'm getting the following as a response:

{"response": {"err": {"expl": "The oauth_signature passed was not valid.", "code": "401", "msg": "Invalid signature"}, "stat": "fail", "generated_in": "0.0041"}

Based on OAuth headers that look like this (note, I just extracted these out of the session object so the keys aren't what are being used internally and sent through as those are defined by the Rauth library):

{
"signature": "DH9ueZmrnguFgBIDZs7ZQPE7qHs=", 
"nonce": "8bcbc130548c0677cd134e7d7f22b17df7a2eee6", 
"timestamp": 1380266167, 
"oauth_version": "1.0", 
"token": VIMEO_ACCESSTOKENSECRET, 
"consumer_key": VIMEO_CLIENTID, 
"sig_method": "HMAC-SHA1"
}

I'd read some posts about clocks being off. My dev workstation's checking time.windows.com though I did switch it out with time-a.nist.gov just in case. I also turned off sync and manually shifted my clock a few seconds. None of that had an effect. I also tried checking the timestamps in the developer.vimeo.com site's playground examples against my clock and they're within 1-2 seconds of each other at most.

I figure I'm doing something noobish though assuming the answer to the first question is right, and according to what I read in the RAuth code, if I have a valid auth token and secret, I should be able to use those without having to go through the entire OAuth process since that would just generate a new token/secret anyway.

Again, I'm new to OAuth and I'm relatively new to Python so I might be doing something stupid.

Answer 1

The issue here is that you're attempting to get the whole URL and not allowing Rauth to sign the parameters via the Requests' API. This doesn't work because Rauth needs to be able to look at the parameters and sign then in a specific way. Instead you should do this:

print sess.get('http://vimeo.com/api/rest/v2', params={'method': 'vimeo.oauth.checkAccessToken'}).content

<?xml version="1.0" encoding="UTF-8"?>\n<rsp generated_in="0.0044" stat="ok">\n  <oauth>\n    <token>...</token>\n    <permission>delete</permission>\n    <user display_name="Max Countryman" id="16760357" username="user16760357"/>\n  </oauth>\n</rsp>\n'

Remember that Rauth is Requests but with the addition of convenient OAuth handling. What that means is you should use Rauth as though it were Requests.

The following should work (I personally tested with my Vimeo credentials and it seems to work as expected):

from rauth.session import OAuth1Session

session = OAuth1Session(consumer_key=VIMEO_CLIENTID,
                        consumer_secret=VIMEO_CLIENTSECRET,
                        access_token=VIMEO_ACCESSTOKEN,
                        access_token_secret=VIMEO_ACCESSTOKENSECRET)

response = session.get('http://vimeo.com/api/rest/v2', params={'method': 'vimeo.oauth.checkAccessToken'})

Hope that helps!