Invalid OAuth Request

Mikko Värri

8 months ago

Hi,

I'm trying to retrieve a Request Token from http://www.ohloh.net/oauth/request_token but I'm receiving a 401 (Unauthorized) response with "Invalid OAuth Request" in the response body.

I have registered for an API key, I've used the same code against the OAuth echo test server at http://term.ie/oauth/example/ and I've gone through the interactive OAuth walkthrough at http://www.hueniverse.com/hueniverse/2008/10/beginners-gui-1.html (to verify that my signature is correct). All that looks good to me, but the Ohloh server seems pickier.

Below is a log of one such attempt. Lines starting with "< " are the request and lines starting with "> " are the response:

< POST /oauth/request_token HTTP/1.1
< Host: www.ohloh.net
< Content-Type: application/x-www-form-urlencoded
< Content-Length: 226
<
< oauth_consumer_key=DRmXUUuyVPmyEb1Qjx5Fg&oauth_nonce=hZdNCvZKcokJ9UTPk43YEqesBwpwejmZ3h6IHWQ6hJA%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1239916996&oauth_version=1.0&oauth_signature=LRGSz4skty8%2FHKPmN86p7O6R4rA%3D
> 401 Unauthorized
> Server: nginx/0.6.31
> Date: Thu, 16 Apr 2009 21:21:57 GMT
> Content-Type: text/html; charset=utf-8
> Connection: keep-alive
> X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.1.2
> X-Runtime: 0.01503
> Cache-Control: no-cache
> Set-Cookie: _ohloh_session=15d81d5d34140bd38b89b6e6b35d9489; path=/
> Content-Length: 21
> Status: 401 Unauthorized
> Set-Cookie: uid=YlZzz0nnoXUMaDz8AwRaAg==; expires=Fri, 16-Apr-10 21:21:57 GMT; path=/
>
> Invalid OAuth Request

Thanks, Mikko Värri


Robin Luckey

8 months ago

Hi Mikko,

I was able to find your requests in our log and do a little debugging. Unfortunately, OAuth is pretty confusing to debug, so it's going to take some work to get to the bottom of this.

Almost certainly this is some kind of problem with the signature base string. I wouldn't be horribly surprised to discover a bug in the OAuth library we are using, but we have had some successful users lately.

Here's an excerpt from our log:

Signature Mismatch
Signature Base String: POST&http%3A%2F%2Fwww.ohloh.net%2Foauth%2Frequest_token&oauth_consumer_key%3DDRmXUUuyVPmyEb1Qjx5Fg%26oauth_nonce%3DhZdNCvZKcokJ9UTPk43YEqesBwpwejmZ3h6IHWQ6hJA%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1239916996%26oauth_version%3D1.0
Expected Signature: OfD5cU+omfAAhject1Z4w5OyoyE=

This shows the signature base string that Ohloh computed based on your POST, and the signature that we expected to accompany it. Two things to check:

  1. Do we have the same signature base strings?
  2. If so, did we generate the same signatures?

If we don't have the same signature base string, and you're pretty sure we're doing it wrong, let me know what you think the SBS should be and I'll take a look.

Thanks, Robin


Mikko Värri

8 months ago

The nonce in the SBS seems to be missing the "%3D" (i.e. the URL-encoded "=") from the end. I think this is the bug, but I'm not sure?

I'm using gcrypt to create the nonce, which I then encode using base64, so the original nonce for the above request was hZdNCvZKcokJ9UTPk43YEqesBwpwejmZ3h6IHWQ6hJA=. This goes through OAuth parameter encoding (hence "%3D") before it is added to the SBS.

I hope this helps.


Mikko Värri

7 months ago

Hi again, Robin,

Any news on this?

I tried changing my code to remove the "=" padding from the nonce, and I got a successful response.

So, it seems that either your OAuth library expects the nonce to be so simple that it doesn't need encoding, or its POST parser gets confused by the encoded "=".

-vmj
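The two checks Robin lists (same signature base string? same signature?) and the nonce-encoding point Mikko raises can both be reproduced offline. The Python below is an added example, not code from the thread or from Ohloh: it builds the OAuth 1.0 signature base string (SBS) for the exact parameters logged above and signs it with HMAC-SHA1 the way OAuth Core 1.0 / RFC 5849 specify. Per the spec every parameter value is percent-encoded once when the parameter string is normalized and the whole normalized string is percent-encoded again when the SBS is assembled, so a nonce ending in "=" yields "%253D" in the SBS. The server's logged SBS turns out to be byte-for-byte what you get when the trailing "=" is dropped from the nonce, which is why Mikko's workaround produced a successful response. The consumer secret is unknown here and is a constructed placeholder, so the signatures computed are illustrative only.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Parameters copied from the POST logged in the first post of the thread.
REQUEST_TOKEN_URL = "http://www.ohloh.net/oauth/request_token"
LOGGED_PARAMS = {
    "oauth_consumer_key": "DRmXUUuyVPmyEb1Qjx5Fg",
    "oauth_nonce": "hZdNCvZKcokJ9UTPk43YEqesBwpwejmZ3h6IHWQ6hJA=",  # base64, '=' padded
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1239916996",
    "oauth_version": "1.0",
}

# The signature base string quoted from Ohloh's server log in Robin's reply.
OHLOH_LOGGED_SBS = (
    "POST&http%3A%2F%2Fwww.ohloh.net%2Foauth%2Frequest_token&"
    "oauth_consumer_key%3DDRmXUUuyVPmyEb1Qjx5Fg%26"
    "oauth_nonce%3DhZdNCvZKcokJ9UTPk43YEqesBwpwejmZ3h6IHWQ6hJA%26"
    "oauth_signature_method%3DHMAC-SHA1%26"
    "oauth_timestamp%3D1239916996%26oauth_version%3D1.0"
)

# Constructed placeholder: the real consumer secret is not on the page.
PLACEHOLDER_CONSUMER_SECRET = "example-consumer-secret"


def pct_encode(s: str) -> str:
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal."""
    return quote(s, safe="-._~")


def normalize_params(params: dict) -> str:
    """Encode each key and value once, sort, and join as key=value&key=value."""
    pairs = sorted((pct_encode(k), pct_encode(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encode(url) & encode(normalized params); the params are encoded twice."""
    return "&".join([method.upper(), pct_encode(url), pct_encode(normalize_params(params))])


def hmac_sha1_signature(sbs: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the SBS, keyed with encode(consumer_secret)&encode(token_secret)."""
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, sbs.encode(), hashlib.sha1).digest()).decode()


def diagnose(params: dict = LOGGED_PARAMS, logged_sbs: str = OHLOH_LOGGED_SBS) -> dict:
    """Robin's two checks: compare SBS first, then signatures, for both nonce forms."""
    spec_sbs = signature_base_string("POST", REQUEST_TOKEN_URL, params)
    stripped = dict(params, oauth_nonce=params["oauth_nonce"].rstrip("="))
    stripped_sbs = signature_base_string("POST", REQUEST_TOKEN_URL, stripped)
    return {
        "spec_sbs": spec_sbs,
        "spec_sbs_matches_server": spec_sbs == logged_sbs,
        "stripped_sbs_matches_server": stripped_sbs == logged_sbs,
        "spec_signature": hmac_sha1_signature(spec_sbs, PLACEHOLDER_CONSUMER_SECRET),
        "stripped_signature": hmac_sha1_signature(stripped_sbs, PLACEHOLDER_CONSUMER_SECRET),
    }


if __name__ == "__main__":
    for k, v in diagnose().items():
        print(f"{k}: {v}")
```

Run it and the first check fails (the spec-compliant SBS ends the nonce with "%253D", the server's with nothing) while the stripped-nonce SBS matches the server's log exactly; since the two base strings differ, the signatures computed over them differ as well, which is the 401 the thread describes. Whichever side is wrong, the practical fix for a client is what Mikko did: generate nonces from an unreserved alphabet (or strip the base64 padding) so that no encoding ambiguity arises.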