Failed to validate oauth signature and token when trying to obtain request token

DominikJanata · 2013-06-20T11:35:42.000Z

Hello,

this issue has been around here a few times, yet nothing that was advised in the responses helped me solve the problem.

I have the following code in C#, (taken from http://dotnet.dzone.com/articles/getting-requesttoken-work):

Dictionary<string, string> parameters = new Dictionary<string, string>();

        parameters.Add("oauth_consumer_key", ConsumerKey);
        parameters.Add("oauth_signature_method", SignatureMethod);
        parameters.Add("oauth_timestamp", CurrentUNIXTimestamp.Get());
        parameters.Add("oauth_nonce", GetNonce());
        parameters.Add("oauth_version", "1.0");

        parameters = parameters.OrderBy(x => x.Key).ThenBy(x => x.Value).ToDictionary(v => v.Key, v => v.Value);

        string OAuthHeader = "OAuth ", concat = "";
        foreach (string k in parameters.Keys)
        {
            if (k == "oauth_callback")
            {
                concat += k + "=" + EncodeToUpper(parameters[k]) + "&";
                OAuthHeader += k + "=" + "\"" + EncodeToUpper(parameters[k]) + "\", ";
            }
            else
            {
                concat += k + "=" + parameters[k] + "&";
                OAuthHeader += k + "=" + "\"" + parameters[k] + "\", ";
            }
        }

        concat = concat.Remove(concat.Length - 1);

        concat = "POST&" + EncodeToUpper(RequestTokenURL) + "&" + concat;

        byte[] content = Encoding.UTF8.GetBytes(concat);

        HMACSHA1 hmac = new HMACSHA1(Encoding.ASCII.GetBytes(ConsumerSecret + "&"));
        hmac.ComputeHash(content);

        string hash = Convert.ToBase64String(hmac.Hash);
        hash = hash.Replace("-", "");

        OAuthHeader += "oauth_signature=\"" + EncodeToUpper(hash) + "\"";

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(RequestTokenURL);
        request.Method = "POST";
        request.Headers["Authorization"] = OAuthHeader;

        try
        {
            HttpWebResponse resp = (HttpWebResponse)request.GetResponse();

/*********** EXCEPTION IS THROWN ^^^ **************************/

            using (StreamReader reader = new StreamReader(resp.GetResponseStream()))
            {
                output = reader.ReadToEnd();
            }
        }
        catch (WebException e)
        {
            output = new StreamReader(e.Response.GetResponseStream()).ReadToEnd();
        }

    string EncodeToUpper(string raw)
    {
        raw = HttpUtility.UrlEncode(raw);
        return Regex.Replace(raw, "(%[0-9a-f][0-9a-f])", c => c.Value.ToUpper());
    }

outputting the following OAuthHeader for my consumer key:

OAuth oauth_consumer_key=“7A4vMQY0ixGqSlPYdVQmHg”, oauth_nonce=“267308179”, oauth_signature_method=“HMAC-SHA1”, oauth_timestamp=“1371727960”, oauth_version=“1.0”, oauth_signature=“dtTz%2FSiDnwx9ANQeK7dc7XiKd%2BY%3D”

What am I doing wrong?

froginthevalley · 2013-06-20T17:34:01.000Z

I way to test if you local lib is working correctly is to do a quick check from any pages in our docs for endpoints (like [node:10287]), there an OAuth tool in the right hand column. Choose your specific app from the drop down, then click “generate signature”. Is this the same as when you generate it from your application context (in your code)?

DominikJanata · 2013-06-21T08:17:10.000Z

Thank you, but these endpoints are quite different: they contain a GET query appendix, oauth_token and oauth_token_secret, while there is neither in the request for request token … which makes me unsure about how to build up the signature base and the string to be encoded.

The Authorization part is as follows:
OAuth oauth_consumer_key=“7A4vMQY0ixGqSlPYdVQmHg”, oauth_nonce=“831719081”, oauth_signature_method=“HMAC-SHA1”, oauth_timestamp=“1371802509”, oauth_version=“1.0”, oauth_signature=“V8%2BHQ3wXF5GFASNigfbb56D3HXE%3D”

And because this is a testing app anyway, I think there is no problem publishing the consumer secret: EY1APamWz6vas2KZhbRkOwBJZz7gfTHhAs573ur8

Is the signature correct?

Thanks in advance.