How to resolve "Invalid Signature. Assumed Base Signature String" in OAuth 1.0

I am trying to get the access token and secret from the site using OAuth. The exchange of the request token and the request secret goes well, but when it comes time to get access tokens, I get the error message "Invalid signature. Expected signature base string."

Has anyone seen this error before or know what might be wrong? Here is the data I return (after urldecode-ing):

 Invalid signature. Expected signature base string: POST https://www.readability.com/api/rest/v1/oauth/access_token oauth_consumer_key=my_consumer_key oauth_nonce=d9aff6a0011a633253c5ff9613c6833d79d52cbe oauth_signature_method=HMAC-SHA1 oauth_timestamp=1311186899 oauth_token=C8GF7D6ytPzQKdZVpy oauth_verifier=ncUV4tJSrS oauth_version=1.0 signature=7jUuk6fsEL8XNYxVWcsfGXEreK0%3D 
+7
5 answers

You can look here; this was asked about a week ago. The answer:

Getting the OAuth signature right is always a huge pain. You should try to make the base string created by your library look like the one expected by the server. Once that is true, the only way you can mess up is by computing the HMAC with the wrong key.

+2

As @genesis described, it is quite difficult to get the signature key right, but there is documentation for it at http://oauth.net/core/1.0/#encoding_parameters .

The rule of thumb when you work with HMAC-SHA1:

  • Create the signature base string as "Method (POST / GET / etc)" & "encoded-string-for-your-target" & "encoded-string-of-your-oauth-param (consumer key, nonce, signature method, timestamp, token and version)"
  • The HMAC-SHA1 signature method uses the two secrets, the consumer secret and the token secret, as the key of the HMAC-SHA1 algorithm. To build the key, each secret is UTF-8 encoded, URL-encoded, and combined into a single string using the "&" character as a separator, even if either secret is empty.
  • With the signature base string as the HMAC-SHA1 text and the concatenated secrets as the key, the client generates the signature. The HMAC-SHA1 algorithm produces an octet string. The octet string must be base64-encoded with '=' padding.
  • The calculated signature is added to the request using the oauth_signature parameter. When the signature is verified by the server, this parameter is not included in the signature process because it is not part of the signature base string signed by the client. When the signature is included in an HTTP request, it must be correctly encoded in accordance with the method used to pass the parameters.

Source: http://nouncer.com/oauth/authentication.html

+1

For some reason, I can't comment on the answers, but to answer your question in the comment to the answer above, you can use the OAuth Playground to see what Google wants your base string to look like: http://googlecodesamples.com/oauth_playground/index.php

0

I know this is really old, and it won't help at all, but today I got this with something, and using rawurlencode() instead of urlencode() fixed it for me.

0
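The signing steps listed in the answer citing nouncer.com, together with the rawurlencode() point in the answer just above, as an added Python example (not code from the question or from any answer). The request values are the ones in the question's error message; both secrets and the x_label parameter, which is there only because it contains a space, are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, quote_plus

def pct(value):
    """RFC 3986 percent-encoding (space -> %20), what PHP's rawurlencode() produces."""
    return quote(value, safe="~")

def base_string(method, url, params, encode=pct):
    """METHOD & encoded URL & encoded, sorted parameter string."""
    pairs = sorted((encode(k), encode(v)) for k, v in params.items()
                   if k != "oauth_signature")  # the signature never signs itself
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), encode(url), encode(normalized)])

def signing_key(consumer_secret, token_secret=""):
    """Both secrets encoded and joined by '&', kept even if a secret is empty."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def sign(method, url, params, consumer_secret, token_secret="", encode=pct):
    """HMAC-SHA1 over the base string, base64 with '=' padding."""
    key = signing_key(consumer_secret, token_secret).encode("utf-8")
    text = base_string(method, url, params, encode).encode("utf-8")
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode("ascii")

def verify(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute the signature and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

# Request values copied from the error message in the question; the secrets and
# the x_label parameter are constructed for this example.
URL = "https://www.readability.com/api/rest/v1/oauth/access_token"
PARAMS = {
    "oauth_consumer_key": "my_consumer_key", "oauth_version": "1.0",
    "oauth_nonce": "d9aff6a0011a633253c5ff9613c6833d79d52cbe",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1311186899",
    "oauth_token": "C8GF7D6ytPzQKdZVpy", "oauth_verifier": "ncUV4tJSrS",
    "x_label": "read later",
}
CONSUMER_SECRET, TOKEN_SECRET = "constructed-consumer-secret", "constructed-token-secret"

if __name__ == "__main__":
    good = sign("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    form = sign("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET, encode=quote_plus)
    print(base_string("POST", URL, PARAMS))
    for name, sig in (("rawurlencode-style", good), ("urlencode-style", form)):
        ok = verify("POST", URL, {**PARAMS, "oauth_signature": sig}, CONSUMER_SECRET, TOKEN_SECRET)
        print(name, sig, "accepted" if ok else "rejected")
```

Passing `encode=quote_plus` mimics a client that form-encodes (space as `+`, as urlencode() does); the base string then differs from the one the server builds, so the signature is rejected even though the key is correct.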

I ran into an OAuth 1.0 problem recently. After a Google search, I found a web service created by someone that generates a signature for OAuth. It worked for me. Link here. Take a look :)

-1
