I'm working on a small Swift program to work with the Yelp API over OAuth 1. I am looking to generate an HMAC-SHA1 signature.
I have the consumer key, secret key, token and token secret.
From what I know, to make an API request with OAuth 1, we need the following attributes:
1. oauth_consumer_key
2. oauth_token
3. oauth_signature_method (= HMAC-SHA1)
4. oauth_signature
5. oauth_timestamp
6. oauth_nonce
I have the first three (1, 2, 3) but I don't know how to generate #4, 5 and 6.
I am kind of new to iOS/Swift 3, so please point me in the right direction.
Try looking at this implementation: https://github.com/SwiftP2P/SwiftSSL/blob/master/SwiftSSL/HMAC.swift
I am trying to connect to QuickBooks Online, but when I try to request a token from https://oauth.intuit.com/oauth/v1/get_request_token
I am getting a signature_invalid message. My signature matches what Google's signature generator makes: http://oauth.googlecode.com/svn/code/javascript/example/signature.html
So I am really at a loss for what QuickBooks is expecting and I am not providing. I have tried including the oauth_callback in the signature, but this did not make a difference. Does anyone have some pointers for where I am wrong?
Here are my test app details:
ConsumerKey: qyprd46Is0FZ3v1tuE4unkw3iq6cUB
oauth_timestamp: 1398355877
oauth_nonce: X3e3aflZMeKPDwMI
oauth_callback: /qbGetOAuthToken
oauth_signature_method: HMAC-SHA1
Signature Base String: POST&https%3A%2F%2Foauth.intuit.com%2Foauth%2Fv1%2Fget_request_token&oauth_consumer_key%3Dqyprd46Is0FZ3v1tuE4unkw3iq6cUB%26oauth_nonce%3DX3e3aflZMeKPDwMI%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1398355877%26oauth_version%3D1.0
Authorization Header:
Authorization: OAuth oauth_signature_method="HMAC-SHA1",oauth_nonce="X3e3aflZMeKPDwMI",oauth_timestamp="1398355877",oauth_consumer_key="qyprd46Is0FZ3v1tuE4unkw3iq6cUB",oauth_version="1.0",oauth_signature="SJNPyQU7yuhcVvoLRUgyzw9KTlA%3D",oauth_callback="%2FqbGetOAuthToken"
For everyone's benefit-
The developer resolved this issue by twice encoding the callback URL.
How to work with the Dwolla API, which requires Client_id & Client_Secret
https://www.dwolla.com/oauth/rest/users/{account_identifier}?client_id={client_id}&client_secret={client_secret}
I already registered an application and got a Key and Secret.
But when I call the API endpoint described above via Fiddler, I get the response below.
{"Success":false,"Message":"Invalid application credentials.","Response":null}
Note: I tested Client_id = API Key / Client_id = Application Key, but the response remains the same. What is the problem?
The client_id is just another name for the API/Application Key, which identifies your application. The client/application secret is a string that functions as a password for your application. Just like a password, you should never give out your application secret; and if it's ever compromised, let us know immediately and we'll generate a new key/secret pair for you.
About your failed request: Try encoding your application key and secret. If special characters aren't escaped from the URL, the request will be interpreted differently from what you intend.
You can quickly encode the two strings from your JavaScript console:
var key = "EUFH378&36%394749D\DWIHD";
encodeURIComponent(key);
Result: "EUFH378%2636%25394749DDWIHD"
var secret = "WOIDJ38&IDI\DK389DDDDD";
encodeURIComponent(secret);
Result: "WOIDJ38%26IDIDK389DDDDD"
And place their encoded equivalents back into your request URL:
https://www.dwolla.com/oauth/rest/users/gordon#dwolla.com?client_id=EUFH378%2636%25394749DDWIHD&client_secret=WOIDJ38%26IDIDK389DDDDD
I am using OAuth to authenticate with Dropbox and download a file. After getting the access_token, I am using the signature below to download a file from Dropbox. I am passing the root, the path of the file, the consumerKey and the oauth_token, with signature_method as PLAINTEXT, and I am getting an error:
{"error": "Bad oauth_signature for oauth_signature_method 'PLAINTEXT'"}
The signature I am using is given below:
https://api-content.dropbox.com/1/files?oauth_consumer_key=twcek2m7cxtantc&oauth_signature_method=PLAINTEXT&oauth_token=1jczc39y7rn1265&oauth_version=1.0&path=test%2Fut.txt&root=dropbox&oauth_signature=fbs34nykryouuj1%2526gbwmn3e27g97cfy
What should I do to resolve this error?
I was searching about this and found that:
1) The PLAINTEXT method does not provide any security protection and SHOULD only be used over a secure channel such as HTTPS. It does not use the Signature Base String.
2) The Service Provider declares support for the HMAC-SHA1 signature method for all requests, and PLAINTEXT only for secure (HTTPS) requests.
3) When used with PLAINTEXT signatures, the OAuth protocol makes no attempts to protect User credentials from eavesdroppers or man-in-the-middle attacks. The PLAINTEXT signature algorithm is only intended to be used in conjunction with a transport-layer security mechanism such as TLS or SSL which does provide such protection. If transport-layer protection is unavailable, the PLAINTEXT signature method should not be used.
You can refer to this link: http://oauth.net/core/1.0/#anchor22
You can also check whether your keys are correct.
The signature Protocol Parameters are set with the following values, unencrypted:
oauth_signature_method : Set to PLAINTEXT.
oauth_signature : Set to the concatenated encoded value of the oauth_consumer_secret parameter and the value of the oauth_token_secret parameter. If the values contain a . character (ASCII code 46), it must be encoded as %2E. The values are separated by a . character (ASCII code 46), even if empty. The result MUST not be encoded again.
For example, if the Consumer Key is dj.9rj$0jd78jf88 and Token Secret is jjd999(j88ui.hs3, the encoded values are:
Consumer Key : dj%2E9rj%240jd78jf88
Token Secret : jjd999%28j88ui%2Ehs3
And the oauth_signature value is dj%2E9rj%240jd78jf88.jjd999%28j88ui%2Ehs3. This value is not encoded again and is used as is in the HTTP request. If the Token Secret is empty, the value is dj%2E9rj%240jd78jf88. (the separator . is retained).
I am trying to get an access token from LinkedIn. I am passing all parameters correctly, but the error 401 invalid signature is still there.
The code is:
<a href="https://www.linkedin.com/uas/oauth/requestToken?
oauth_consumer_key=d84z39zfvu1e&
oauth_signature_method=HMAC-SHA1&
oauth_signature=Z8CFWW1i0mvcW8g6CiY%2BqL%2BfOik%3D&
oauth_timestamp=1330086574&
oauth_nonce=2222&
oauth_version=1.0&
callback=http://localhost:8080/linkedIn/">
That is the request token you are trying to get. A common mistake when getting the request token is using the wrong key when signing the request.
Your HMAC-SHA1 key when signing all requests should look like this:
CONSUMER_SECRET + "&" + TOKEN_SECRET
And since you do not have a token secret yet, the key should be CONSUMER_SECRET + "&"
So, I just need to retrieve basic user info (/verify_credentials (Twitter), /me (Facebook)), so I'm trying to roll my own code for now.
Got it working on Facebook on the second try, since all I need is a request to graph.facebook.com/me + access_token.
But now trying to do it with Twitter has been incredibly painful; I just can't figure it out from the docs. So, please, what does a request to the Twitter API /verify_credentials look like?
What are the params?
Twitter API, y u suck?
Facebook uses OAuth 2.0, which is much easier to implement than OAuth 1.0 (which Twitter uses).
An example request to verify_credentials API could look like this:
https://api.twitter.com/1/account/verify_credentials.json?oauth_consumer_key=XXX&oauth_nonce=XXX&oauth_signature_method=HMAC-SHA1&oauth_token=XXX&oauth_timestamp=123456789&oauth_version=1.0&oauth_signature=YYY
oauth_consumer_key is self explanatory
oauth_nonce can be pretty much a random string of characters
oauth_signature_method is always HMAC-SHA1
oauth_token is your access token
oauth_timestamp is current UNIX timestamp (in UTC)
oauth_version is always 1.0
oauth_signature is your generated signature (which twitter will verify by reproducing)
You generate the value of the oauth_signature parameter by constructing a signature base string which consists of the following parts.
HTTP method in upper case (in this case GET)
an ampersand &
URL-encoded base URI (everything from https up to and including verify_credentials.json)
an ampersand &
all request parameters in alphabetical order, url encoded. (oauth_signature should NOT be included in this though)
The pseudo code in the section "Signing requests" in Twitter's documentation describes the signing process elegantly:
httpMethod + "&" +
url_encode( base_uri ) + "&" +
sorted_query_params.each { | k, v |
url_encode ( k ) + "%3D" +
url_encode ( v )
}.join("%26")
And then you sign the resulting base string using the consumer secret and the access token secret. That's all there is to it :)
But before issuing any requests to the API you will of course need to actually get an access token. Once you grasp the OAuth 1.0 flow and the signing process, you'll be home. Twitter's documentation does a great job of explaining the process, but it is quite a bit to wrap your head around. Worth it though.
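The base-string construction and the "CONSUMER_SECRET + '&' + TOKEN_SECRET" signing key described in the Twitter and LinkedIn answers above, carried through as an added example in Python (this is not code from any of the posts, nor from Twitter, LinkedIn or Dropbox). It follows RFC 5849 (the IETF version of OAuth 1.0): percent-encoding with only the unreserved characters left bare, parameters sorted by encoded name and then value, the three pieces joined with '&' and the signature base64-encoded. The keys, secrets, nonce and timestamp are the test vector from Appendix A of the OAuth Core 1.0 specification, so the output can be checked against the spec; `verify_signature` is the server-side counterpart a provider runs, which is why a wrong key or a stale base string shows up as the "invalid signature" errors in the threads above.

```python
"""OAuth 1.0 HMAC-SHA1 signing and verification per RFC 5849 (added example)."""
import base64
import hashlib
import hmac
import urllib.parse


def oauth_encode(value) -> str:
    """RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded."""
    return urllib.parse.quote(str(value), safe="-._~")


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Key for HMAC-SHA1: each secret percent-encoded, joined with '&'.
    The '&' stays even when there is no token secret yet (request-token step)."""
    return oauth_encode(consumer_secret) + "&" + oauth_encode(token_secret)


def signature_base_string(method: str, url: str, params) -> str:
    """params: (name, value) pairs from the form body plus the oauth_* protocol
    parameters. Query-string parameters are read from url. oauth_signature itself
    is never part of the base string, and realm is not signed either."""
    parts = urllib.parse.urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    base_uri = f"{scheme}://{host}{parts.path}"  # no query, no fragment
    pairs = list(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params if k != "oauth_signature"]
    # Encode name and value first, then sort by name and, for duplicate names, by value.
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    # Each of the three parts is encoded once more before joining, which is why the
    # final string contains %26 and %3D where the normalized string had '&' and '='.
    return "&".join([method.upper(), oauth_encode(base_uri), oauth_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    mac = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    # Raw base64 here; it is percent-encoded once more only when placed in a header or URL.
    return base64.b64encode(mac).decode("ascii")


def sign_request(method, url, params, consumer_secret, token_secret=""):
    """Returns params plus the computed oauth_signature, ready for a header or query."""
    base = signature_base_string(method, url, params)
    return list(params) + [("oauth_signature", hmac_sha1_signature(base, consumer_secret, token_secret))]


def authorization_header(params) -> str:
    """Builds the 'Authorization: OAuth ...' header value; each name and value is encoded once."""
    fields = ", ".join(f'{oauth_encode(k)}="{oauth_encode(v)}"'
                       for k, v in params if k.startswith("oauth_"))
    return "OAuth " + fields


def verify_signature(received_encoded: str, method, url, params,
                     consumer_secret, token_secret="") -> bool:
    """Server side: rebuild the base string from the request as received, recompute the
    MAC and compare in constant time. The signature arrives percent-encoded, so decode it."""
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(urllib.parse.unquote(received_encoded), expected)


# Test vector: OAuth Core 1.0 specification, Appendix A (values taken from the spec).
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
EXAMPLE_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
EXAMPLE_PARAMS = [
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"),
    ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"),
    ("oauth_version", "1.0"),
]


def example_signature() -> str:
    base = signature_base_string("GET", EXAMPLE_URL, EXAMPLE_PARAMS)
    return hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)


if __name__ == "__main__":
    signed = sign_request("GET", EXAMPLE_URL, EXAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print(signature_base_string("GET", EXAMPLE_URL, EXAMPLE_PARAMS))
    print(authorization_header(signed))
    print("request-token key:", signing_key(CONSUMER_SECRET))  # no token secret yet -> trailing '&'
```

Two details in the code answer most of the "invalid signature" threads on this page: the HTTP method, the query parameters and the form body all go into the base string (so the same parameters sent twice, or an `oauth_callback` omitted from the signature but present in the header, produce a different base string than the provider computes), and the signing key always ends in `&` plus the token secret, which is empty at the request-token step.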