I've been working for the first time with OAuth lately, I've gotten the access token fine along with everything before it but I've stumbled with what I assumed would be the easiest part :(
The API call requires a parameter which isn't very specific, they just call it 'oauth'. I'm already putting my access token and secret into the signature, what should be in the 'oauth' parameter?
Here's what I'm talking about.
Thanks!
For oAuth 1.0 (Twitter) Here's what an oAuth HTTP header may look like:
Authorization: OAuth oauth_consumer_key="*****", oauth_nonce="fcde5bfc94d489c307f59aa384df9ef3", oauth_signature="tWE9gf3Dw0rBiKkN%2BcgO%2Fz%2FE%2FjA%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1335428402", oauth_token="*****", oauth_version="1.0"
Related
I‘m trying to call the WooCommerce/Wordpress API, but the online shop that I‘m trying to reach has HTTP Basic Autj turned on. That means, I need to authenticate once to overcome the HTTP authentication and then I need to authenticate a second time using the api key in order to use the api. Is there a possibility to make an api call whilst overcoming two levels of authentication?
The problem is that if I try to authenticate, I use the following code:
$headers = array('Accept' => 'application/json');
$options = array('auth' => array($username, $password));
$request = Requests::get("$url/$api/$model", $headers, $options);
then I get a 401 (unathorised) response from the api, because I didn't send the api token in my request. But if I use the api token and secret instead of the username and password, I don't even get near the api because I don't overcome the http basic authentication.
Thanks for yout help!
From the looks of it, you're having an issue calling your website due to HTTP Basic Auth.
When it comes to authentication on https://your.site, you can connect to https://your.site and enter foo as the user and bar as the password, OR you can connect to https://foo:bar#your.site.
Hope I helped!
I can't comment on your question for clarification as I don't have the rep. So here goes with an answer!
I think the answer is that you will not overcome two levels of authentication in one call. You will likely contact the server first for an access token using your username and password.
Basic authorization usually means that in the initial http request you set the headers to include 'Authorization': 'Basic _______________________' and then in place of the underscores put a long alphanumeric string that is generated by base64-encoding your username and password (that you would log into WooCommerce with I presume) like so: username:password, and including that colon in between.
If I actually base64 encode username:password it comes out to dXNlcm5hbWU6cGFzc3dvcmQK
so when setting your initial http request headers, include:
'Authorization' : 'Basic dXNlcm5hbWU6cGFzc3dvcmQK'
Except base64 encode you're own username and password (separated by the colon!).
Assuming this works, the api may return an access token to you in a few ways. But if you follow the docs you should be able to figure it out from this point.
Again, really not clear on what you're question is exactly but can't comment so I took a shot. Good luck
I had an implementation of OAuth working with Fitbit to pull data from fitbit's service. However they recently updated their service and now the request is failing whenever I try to get an access token.
They have made the following statement about the new requirement:
The solution is to OAuth sign the requests to <https://api.fitbit.com/oauth/request_token> and <https://api.fitbit.com/oauth/access_token> in a similar manner that all other calls to the Fitbit API are signed.
Requests to <https://api.fitbit.com/oauth/request_token> need to be signed with your application's consumer key and secret.
Requests to <https://api.fitbit.com/oauth/access_token> need to be signed with your application's consumer key and secret and the oauth_token and oauth_verifier received from the authorization callback.
I am using the PHP PECL OAuth library for OAuth requests. However I can't find a way to add additional parameters to the signature. I am trying the following but I'm not sure that this is the correct way to update the OAuth Signature:
$params['consumer_key'] = $this->consumer_key;
$params['consumer_secret'] = $this->consumer_secret;
$params['oauth_token'] = $this->oauth_token;
$params['oauth_verifier'] = $_REQUEST['oauth_verifier'];
$this->signature = $this->oauth->generateSignature('GET', $this->access_url, $params);
$this->access_token = $this->oauth->getAccessToken($this->access_url, $this->signature, $_REQUEST['oauth_verifier']);
The OAuth error I get is:
401
Invalid auth/bad request (got a 401, expected HTTP/1.1 20X or a redirect)
oauthoauth_signatureInvalid signature: FfvYDv5MSOfwcOwLZBJa0TlKS4Q=false
The signature which is stored from the code above shows that the proper signature should be:
[signature] => wlfzqPs4aEkTkHfqyaO65D/RW6o=
This is the "Headers Sent" piece of the debug information:
[headers_sent] => Authorization: OAuth oauth_session_handle="Frdnxw8oHe3BgNVi0Fy4jBXrZko%3D",
oauth_verifier="ss6nmke8elf3so66jg3auued49",
oauth_consumer_key="(my key)",
oauth_signature_method="HMAC-SHA1",
oauth_nonce="30463910852ea5cc2d04e60.71895372",
oauth_timestamp="1391090882",
oauth_version="1.0",
oauth_token="2cabd6beab341e332bdf8e522b6019ef",
oauth_signature="hULwWcQOl%2F8aYjh0YjR843iVXtA%3D"
I can't find anything in the documentation which explains how I can set the signature for OAuth to use with it's request. Any Help would be greatly appreciated!!!
Please let me know if you need more information!
I have found the issue.
It turns out I was not saving the oauth_token_secret being handed back and I was instead using the consumer secret.
Once I updated this, the process ran as expected.
I'm making the huge mistake of writing my own OAuth library and wrapper classes in PHP. Everything works wonderfully for Twitter's OAuth implementation, but I fail on signing the access_token step for both Tumblr and Flickr.
The ONLY difference in that step, is now I have oauth_token and oauth_verifier parameters. I'm using the Authorization header, and the only problem I can think of is that there are some character encoding issues, but I'm not sure.
Base string (broken for clarity):
POST&
http%3A%2F%2Fwww.flickr.com%2Fservices%2Foauth%2Faccess_token&
oauth_consumer_key%3Deeedfcd4c46a2c12080f58eb90a974d8
%26oauth_nonce%3D322190b47ca680d053338724ad1cc56d35d3e7b5
%26oauth_signature_method%3DHMAC-SHA1
%26oauth_timestamp%3D1322981994
%26oauth_token%3D72157628270097303-18aa378b4ab02af3
%26oauth_verifier%3Dec7811503fdd4380
%26oauth_version%3D1.0
This is exactly what Flickr expects (they tell me so in the error response), which leads me to believe the signature is the problem.
Authorization header (also broken for clarity):
Authorization: OAuth
oauth_consumer_key="eeedfcd4c46a2c12080f58eb90a974d8",
oauth_nonce="322190b47ca680d053338724ad1cc56d35d3e7b5",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1322981994",
oauth_token="72157628270097303-18aa378b4ab02af3",
oauth_verifier="ec7811503fdd4380",
oauth_version="1.0",
oauth_signature="LYJtgHetQWNKX3rtQlSs643FdWY%3D"
And Flickr's response:
oauth_problem=signature_invalid&
debug_sbs=POST&
http%3A%2F%2Fwww.flickr.com%2Fservices%2Foauth%2Faccess_token&
oauth_consumer_key%3Deeedfcd4c46a2c12080f58eb90a974d8
%26oauth_nonce%3D322190b47ca680d053338724ad1cc56d35d3e7b5
%26oauth_signature_method%3DHMAC-SHA1
%26oauth_timestamp%3D1322981994
%26oauth_token%3D72157628270097303-18aa378b4ab02af3
%26oauth_verifier%3Dec7811503fdd4380
%26oauth_version%3D1.0
There are no GET or POST parameters. Everything seems to be escaped correctly from what I see here. The signing works for the request_token step (and for Twitter, for ANY request). I've verified that my server clock is within a second of theirs. Am I missing something obvious? How would you go about diagnosing this?
I'll answer my own question.
There were a few discrepancies between the different oauth service provider implementations:
Twitter
Expects oauth_callback on request_token step
Doesn't return oauth_token_secret until access_token response
Therefore, there's an empty oauth_token_secret in signing the access_token request
Flickr & Tumblr
Expect oauth_callback on authenticate (i.e. authorize) step
Return oauth_token_secret on request_token step (and expect you to remember it and use it to sign access_token request)
Youtube (and other Google OAuth service providers):
Expects Google-proprietary "scope" on request_token step
Expects oauth_callback on authenticate (i.e. OAuthAuthorizeToken) step
Doesn't seem to like oauth_token passed in Authorization header in the access_token step (responds with "token invalid" due to required double-encoding in base string). Pass it in the post body or query string instead.
I'm using OAuth with Federated Login (Hybrid Protocol) to allow my users to login once using openID (which works great), and authenticate with the Google Data API at the same time.
The Zend_GData library was giving me a headache, so on the suggestion of someone here on SO I switched to LightOpenID.
The openID part works great, and thanks to this tip I'm able to add the OAuth extension and receive a response like this:
http://www.example.com/checkauth
?openid.ns=http://specs.openid.net/auth/2.0
&openid.mode=id_res
&openid.op_endpoint=https://www.google.com/accounts/o8/ud
&openid.response_nonce=2009-01-17T00:11:20ZlJAgbeXUfSSSEA
&openid.return_to=http://www.example.com/checkauth
&openid.assoc_handle=AOQobUeYs1o3pBTDPsLFdA9AcGKlH
&openid.signed=op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext2,ext2.consumer,ext2.scope,ext2.request_token
&openid.sig=oPvRr++f6%2ul/2ah2nOTg=
&openid.identity=https://www.google.com/accounts/o8/id/id=AItOawl27F2M92ry4jTdjiVx06tuFNA
&openid.claimed_id=https://www.google.com/accounts/o8/id/id=AItOawl27F2M92ry4jTdjiVx06tuFNA
&openid.ns.oauth=http://specs.openid.net/extensions/oauth/1.0
&openid.oauth.scope=http://docs.google.com/feeds/+http://spreadsheets.google.com/feeds/+http://sandbox.gmodules.com/api/
&openid.oauth.request_token=1/fVr0jVubFA83GjYUA
According to the documentation, openid.oauth.request_token is an authorized request token, so it seems I don't need to do the OAuthAuthorizeToken request. All is good so far, but now I need to exchange this request token for an access token and token secret.
Since I have no idea how to generate the OAuth nonce and signatures, I employ the OAuthSimple library for php. Problem is, the code required looks like this:
// Build the request-URL...
$result = $oauth->sign(array(
'path' => 'https://www.google.com/accounts/OAuthGetAccessToken',
'parameters' => array(
'oauth_verifier' => $_GET['oauth_verifier'],
'oauth_token' => $_GET['oauth_token']),
'signatures' => $signatures));
It needs an oauth_verifier value, which you would receive along with the request token with a normal OAuth request. I'm not sure if it's the OAuthSimple library that errors out when trying to omit that or if it's a Google requirement, but it doesn't work.
SO, can someone spot something I'm doing wrong here?
There's nothing wrong. Actually, when you do an Hybrid process, the verifier isn't send, simply because you don't need it.
So in your code, just set verifier to NULL, and it should work just fine, as long as there's no problems somewhere else.
I am trying to write a small webapp that pulls data from Yammer. I have to go through Yammer's OAuth bridge to access their data. I tried using the Oauth php library and do the 3 way handshake. But at the last step, I get an error stating I have an invalid OAuth Signature.
Here are the series of steps:
The first part involves getting the request Token URL and these are the query parameters that I pass.
[oauth_version] => 1.0
[oauth_nonce] => 4e495b6a5864f5a0a51fecbca9bf3c4b
[oauth_timestamp] => 1256105827
[oauth_consumer_key] => my_consumer_key
[oauth_signature_method] => HMAC-SHA1
[oauth_signature] => FML2eacPNH6HIGxJXnhwQUHPeOY=
Once this step is complete, I get the request Token as follows:
[oauth_token] => 6aMcbRK5wMqHgZQsdfsd
[oauth_token_secret] => ro8AJxZ67sUDoiOTk8sl4V3js0uyof1uPJVB14asdfs
[oauth_callback_confirmed] => true
I then try to authorize the given token and token secret by passing the parameters to the authorize url.It takes me to Yammer's authentication page where I have allow my app to talk to Yammer.
Yammer then gives me a 4 digit code that I have to put back into my application which then tries to acquire the permanent access token. I pass the following information to the access token URL:
[oauth_version] => 1.0
[oauth_nonce] => 52b22495ecd9eba277c1ce6b97b00fdc
[oauth_timestamp] => 1256106815
[oauth_consumer_key] => myconsumerkey
[callback_token] => 61A7
[oauth_token] => 6aMcbRK5wMqHgZQsdfsd
[oauth_token_secret] => ro8AJxZ67sUDoiOTk8sl4V3js0uyof1uPJVB14asdfs
[oauth_callback_confirmed] => true
[oauth_signature_method] => HMAC-SHA1
[oauth_signature] => V9YcMDq2rP7OiZTK1k5kb/otMzA=
Here I am supposed to receive the Oauth Permanent access token, but instead I get a Invalid Oauth signature. I dont know what I am doing wrong. I use the same signaures to sign the request. Should I sign the request using the new token and secret? I tried that as well but to no avail. I even tried implementing this in java using signpost library and got stuck at the exact same place. Help Help!!
The callback_token was something Yammer introduced in response to an OAuth security advisory earlier this year. When OAuth 1.0a was released, it was instead named oauth_verifier. However, it's not unlikely that Yammer still supports their workaround but rename it and try again to be sure.
Also, the below is information from the Yammer Development Network yesterday:
Tomorrow we will be releasing some
changes to the Yammer API to
facilitate user network switching on
API clients. Most of the change is in
the OAuth Access Tokens call which
allows you to generate pre-authorized
OAuth access tokens for a given user.
One token will be generated for each
network they are in and your clients
switch networks by sending an API
request signed with the appropriate
token for that network.
I'm assuming that Yammer OAuth libraries might need to be updated per this change. I haven't taken a look at it yet.
Edit: My python-yammer-oauth library still works despite Yammer having changed things on their side.
Edit2: Could you try using signature method PLAINTEXT instead of HMAC-SHA1? I've had problems with Yammer and HMAC-SHA1.
I tried by using PLAINTEXT.. but for this method its giving me the same "Invalid OAuth signature" error even for requesting the token.
So is it possible to generate the access token we use HMAC-SHA1 and for accessing the actual API method i.e. for posting the message.. we use PLAINTEXT?
just found the problem!
I had forgotten to add an ampersand ("&") at the end of CONSUMER_SECRET. Perhaps this is your issue as well?