We are trying to generate a signature to sign on a particular website through an API.
I receive this response by JSON
{"nonce":"You are signing this message for *:UAmvhZTVpO9HeIrSBU4Uk2bau+16xw7auVp1lpbrC6w="}
And I am trying to send a POST request with these two values
{"signature":"0x100c4889b9c046e2df48a4e5ecfde1d492b93b3872420a1ee2e777dc1a57e53e730d2f6ab66e31efd6a05eb47f098e8d0687cb9a9759d85147bfd491fc92f6ba1b","publicAddress":"0x714866ce8345139552eece518691ac0ee26e409c"}
What I need to know is how to convert the first JSON (UAmvhZTVpO9HeIrSBU4Uk2bau+16xw7auVp1lpbrC6w=) into a valid signature.
When I try to test with Postman this happens:
And when I insert a random signature:
Related
I have created a webhook with intuit developer account
https://developer.intuit.com/app/developer/qbo/docs/develop/webhooks#configuring-webhooks
It works fine, my question is how to use the verifier token in order to secure the webhook?
I see various intuit headers but not sure how to use them
There is a detailed documentation
Hash the notification payload with HMAC_SHA256_ALGORITHM using your verifier token as the key.
Convert the intuit-signature header from base-64 to base-16.
Compare the value from step 1 to the intuit-signature header from the notification. The values should be identical.
https://developer.intuit.com/app/developer/qbo/docs/develop/webhooks/managing-webhooks-notifications#validating-the-notification
Here is some more information how to generate the HMAC hash (Using HMAC SHA256 in Ruby) and how to convert the base64 signature to base16 (Converting a hexadecimal digest to base64 in Ruby). To compare the values Rails does implement a safe_compare method (https://api.rubyonrails.org/classes/ActiveSupport/SecurityUtils.html).
When I try to generate access token using:
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=xxxxxxxxxxx&redirect_uri=http%3A%2F%2Fws-100945%3A9080%2FArtisWeb%2Findex.html&client_id=xxxxx&client_secret=xxxxx
it's throwing error as:
{"error_description":"missing required parameters, includes an invalid
parameter value, parameter more than once. : Unable to retrieve access
token : appId or redirect uri does not match authorization code or
authorization code expired","error":"invalid_request"}.
Could you guide me on this issue?
The URL itself looks correct so it must be the code that is expired or reused. Make sure the code is used immediately after you receive it and use it only once.
Also make sure that you URL-encode in fact all parameter values, including client_id and client_secret if/since they may contain URL-unsafe characters like '&' and ' '.
I've got Google's oauth2 working on my app, where id_token is a string delimited with periods. I read here that the id_token is delimited into three parts and the second part contains the actual payload. If I split the string apart and decode the second value I get what I expect using my account. What I don't understand though is when I try on my wife's account if I parse that second part to json an "unexpected character" error.
I've tried grabbing the string from the console and running it through an online base64 decoder and do see the json doesn't get evaluated correctly.
{"iss":"accounts.google.com","sub":"111475728886332985448","azp":"74770364428-621332j2r657ish4jh94n9n1k0mplpgd.apps.googleusercontent.com","email":"her.email#gmail.com","at_hash":"lSKFL86HsCeu7TU4tsYBTw","email_verified":true,"aud":"74300369428-621332j2r657ish4jh94n9n1k0mplpgd.apps.googleusercontent.com","iat":1414192526,"exp":191819642���
What could be different between the two accounts that would cause my email to return valid json and hers not to?
An id_token is a JSON Web Token (JWT), in this case using compact serialization. JWT elements are base64url encoded with no padding, which is slightly different from plain base64 encoding as can be seen from: https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature-38#appendix-C
A nice id_token/JWT decoder can be found here: http://jwt.io/
You may have been lucky for your own id_token so that it did not need padding.
Im working with the withings oauth implementation in hopes of retrieving stored values from scales. I can get the request token which I send back in hopes of getting the userid and the oauth_verifier passed back to my application.
What is happening is that if I pass in a full URL via the oauth_callback ( EG "http://some.site.com/myapp.php" ) the withings page displays the results on its page. But if I pass in just a page ( EG "myapp.php" ) withings will append this page name to its site and attempt to pass the parameters there (resulting in a 404). (EG "http://oauth.withings.com/account/myapp.php?oauth_params=..." ).
Other bits:
1. Code is in Perl
2. All oauth_signature values are HMAC_SHA1 signed
3. Any bits passed on the URL are url encoded using uri_escape
My questions:
1. Has anyone succeeded in getting data from withings?
2. Has anyone seen and overcome this problem with oauth_callback?
Turns out the answer is to url encode the address.. and then encode it again when you use it in the resultant signature and URL that you pass to withings.
I was just encoding it once.
I'm successfully able to get an access token through the OAuth process.
However, when I try to run a POST to the /statuses/update.json endpoint, I get a "Could not authenticate with OAuth."
I'm signing with the token I got back from authenticating with my consumer secret, I don't understand what else could be.
Twitter forums were no help either.
Any tips would be greatly appreciated.
Making authenticated calls to Twitter can be a pain.
Make sure that the parameters in your signature base string are ordered alphabetically.
Take this:
oauth_consumer_key={consumerkey}&oauth_nonce={nonce}&oauth_signature_method=HMAC-SHA1&oauth_timestamp={timestamp}&oauth_token={token}&oauth_version=1.0&status={tweet text}
fill out the values, encode it in Base64, and then put it together like this:
POST&{base64 encoded url}&{base64 encoded base string}
this will be the string you need to sign (without the brackets). (The url in this case will be https://api.twitter.com/1.1/statuses/update.json)
The signing key needs to be built like this:
{consumer secret}&{token secret}
The signature is a HMACSHA1 hash, which is then base64 encoded.
Then you need to put this in the Authorization header:
OAuth oauth_consumer_key="{consumer key}",oauth_nonce="{nonce}",oauth_signature="{signature}",oauth_signature_method="HMAC-SHA1",oauth_timestamp="{timestamp}",oauth_token="{token}",oauth_version="1.0"
And finally put status=your tweet text as the posted data in your request.
I hope this helps.