OAuth Broken?
jhofker
Registered Users Posts: 136 Major grins
Is the OAuth service broken tonight?
Everything has been working pretty well in my published app, but tonight I'm seeing the following come back on POST calls to https://api.smugmug.com/services/oauth/getRequestToken.mg
oauth_problem=signature_method_rejected
My POST is below (but is properly encoded when sent):
POST https://api.smugmug.com/services/oauth/getRequestToken.mg HTTP/1.1
Accept: */*
Authorization: OAuth oauth_callback='my_callback, oauth_consumer_key='my_key', oauth_nonce='348560084', oauth_signature='2M40WS%2BQQxh8jDEptO%2FgOHZOzUY%3D', oauth_signature_method='HMAC-SHA1', oauth_timestamp='1394859583', oauth_version='1.0'
Accept-Language: en-US,en;q=0.5
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; Touch; MSAppHost/2.0; rv:11.0) like Gecko
Host: api.smugmug.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Is HMAC-SHA1 no longer accepted? The OAuth docs for SmugMug here say it should be fine: https://smugmug.atlassian.net/wiki/display/API/OAuth
0
Comments
That doesn't seem like a very good solution. (Did something change recently?)
This is one of the errors: <rsp stat="fail"><method>smugmug.auth.checkAccessToken</method><err code="38" msg="unsupported version"/></rsp>
I've noticed that if my code does not use quotes at all, some methods succeed, like smugmug.auth.checkAccessToken, yet others fail with errors similar to the above, or invalid signature errors.
The specification does state that the values must be enclosed in a double quote (character 34): http://oauth.net/core/1.0/#auth_header
Since I've never used this before this morning... any ideas? I'm quite new at this. Everything was working fine with 1.2.2 with a regular (non-OAuth) login.
Are you using OAuth ... sending the proper signed requests with the token, etc.?
If I must do OAuth, then I guess I'll figure that out...
BTW... I did notice that when I go to my Account APIKeys settings where the Key and Secret are, that the Authorized Users has a "0" beside it. Hmmm..
It depends if the galleries are public, etc. If you want complete unrestricted access, you'll need to use the OAuth methods.
Good call on the OAuth spec - I honestly didn't think that quotation choice would be spec'd, but as we see, I'm wrong!
Make sure you're passing oauth_version="1.0" in your authorization header and not "1.0a" or anything like that.
Apparently, the version parameter is actually optional, I found out from reading the spec. But I did have it as "1.0" per spec.
So, the error wasn't accurate. It took me a while, but thanks to this tiny test web page from LinkedIn: http://developer.linkedin.com/oauth-test-console, I figured out that the way my code was passing parameters wasn't perfectly to specification, and that for some reason, SmugMug didn't accept the slightly-not-to-specification technique that my code had been using the day before.
Thankfully, it seems to be working again.
They seem to have gotten a little pickier on the OAuth parameters lately. :-)
Thanks for the URL. I was able to resolve an issue and now my encoded signature matches what the link says it should be. BUT... I'm getting an Invalid Signature error now. What do I have missing?
Signature GET&http%3A%2F%2Fapi.smugmug.com%2Fservices%2Foauth%2FgetRequestToken.mg%2F%3F&oauth_consumer_key%3DZG6qq1fWAqyIU5xSNilIpwDkHHZcBxYx%26oauth_nonce%3D1396274343%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1396274343%26oauth_version%3D1.0
SigString
uucicNHNDi57NPUV1UQ4qdDGmJM=
Oauth login string
http://api.smugmug.com/services/oauth/getRequestToken.mg/?&oauth_consumer_key=ZG6qq1fWAqyIU5xSNilIpwDkHHZcBxYx&oauth_nonce=1396274343&oauth_signature=uucicNHNDi57NPUV1UQ4qdDGmJM=&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1396274343&oauth_version=1.0
I've tried it with and without using "/?" and I've tried it as GET and POST. I know it is bad practice to use the timestamp as the nonce, I'm just doing that now for testing.
SigString uucicNHNDi57NPUV1UQ4qdDGmJM=
2014-03-31 09:59:03.810 SunriseV1[59815:60b]
Oauth login string
http://api.smugmug.com/services/oauth/getRequestToken.mg/?
&oauth_consumer_key=ZG6qq1fWAqyIU5xSNilIpwDkHHZcBxYx&oauth_nonce=1396274343
&oauth_signature=uucicNHNDi57NPUV1UQ4qdDGmJM=&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1396274343&oauth_version=1.0
Maybe this will post the entire URL... Not sure why some spaces posted in the cut and paste of the Signature, but you get the idea.
The formatting here is REALLY challenging to follow, especially given the nature of this data. Are you quoting the values in the header per spec?
http://api.smugmug.com/services/oauth/getRequestToken.mg/?
&oauth_consumer_key=%22ZG6qq1fWAqyIU5xSNilIpwDkHHZcBxYx%22&oauth_nonce=%2213963583008300%22&oauth_signature_method=%22HMAC-SHA1%22&oauth_signature=%22NrN0tkkPfdoOHZfa5jRDLgVGE3k%3D%22&oauth_timestamp=%221396358300%22&oauth_version=%221.0%22
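
Added example, not part of the original thread and not SmugMug's code: a Python sketch of OAuth 1.0 HMAC-SHA1 signing and server-side checking as the spec linked above describes it, covering the two points the thread keeps returning to (header values in double quotes, and what goes into the signature base string). The consumer key, secret and nonce are constructed sample values, and every function name here is hypothetical; only the endpoint URL comes from the thread.

```python
import base64, hashlib, hmac, re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

PARAM_RE = re.compile(r'\s*([A-Za-z0-9_]+)="([^"]*)"\s*')  # value must be in double quotes

def pct(value):
    # OAuth parameter encoding: everything except unreserved characters is escaped
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    parts = urlsplit(url)
    # Base URL is scheme://authority/path only: no "?", no query (default-port stripping omitted)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query parameters are signed together with the oauth_* ones; oauth_signature never is
    every = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    pairs = sorted((pct(k), pct(v)) for k, v in every if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(method, url, params, consumer_secret, token_secret=""):
    signed = dict(params, oauth_signature=sign(method, url, params, consumer_secret, token_secret))
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))

def parse_header(header):
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for item in header[len("OAuth "):].split(","):
        m = PARAM_RE.fullmatch(item)
        if m is None:
            raise ValueError(f"malformed parameter: {item.strip()!r}")
        out[m.group(1)] = unquote(m.group(2))
    return out

def verify(method, url, header, consumer_secret, token_secret=""):
    params = parse_header(header)
    supplied = params.pop("oauth_signature", "")
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(supplied.encode(), expected.encode())  # constant-time compare

# Constructed sample values; only the endpoint URL comes from the thread.
URL = "https://api.smugmug.com/services/oauth/getRequestToken.mg"
PARAMS = {"oauth_consumer_key": "example_key", "oauth_nonce": "n1", "oauth_version": "1.0",
          "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1394859583"}
```

The token secret is empty when asking for a request token, so the HMAC key ends in a bare "&". A header whose values are wrapped in single quotes fails in parse_header before any signature is computed.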