OAuth Broken?

jhofker Registered Users Posts: 136 Major grins
Is the OAuth service broken tonight?

Everything has been working pretty well in my published app, but tonight I'm seeing the following come back on POST calls to https://api.smugmug.com/services/oauth/getRequestToken.mg
oauth_problem=signature_method_rejected
My POST is below (but is properly encoded when sent):
 POST https://api.smugmug.com/services/oauth/getRequestToken.mg HTTP/1.1
 Accept: */*
 Authorization: OAuth oauth_callback='my_callback, oauth_consumer_key='my_key', oauth_nonce='348560084', oauth_signature='2M40WS%2BQQxh8jDEptO%2FgOHZOzUY%3D', oauth_signature_method='HMAC-SHA1', oauth_timestamp='1394859583', oauth_version='1.0'
 Accept-Language: en-US,en;q=0.5
 UA-CPU: AMD64
 Accept-Encoding: gzip, deflate
 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; Touch; MSAppHost/2.0; rv:11.0) like Gecko
 Host: api.smugmug.com
 Content-Length: 0
 Connection: Keep-Alive
 Cache-Control: no-cache
Is HMAC-SHA1 no longer accepted? The OAuth docs for SmugMug here say it should be fine: https://smugmug.atlassian.net/wiki/display/API/OAuth

Comments

  • jhofker Registered Users Posts: 136 Major grins
    edited March 17, 2014
    I switched from single-quotes to double-quotes and now things work.

    That doesn't seem like a very good solution. (Did something change recently?)
  • wiredprairie Registered Users Posts: 12 Big grins
    edited March 18, 2014
    My app code was working last night, and without any code changes, stopped working this morning as well with a similar issue. Requests are just rejected with errors. Unfortunately, at least for my code, changing quote style isn't sufficient.

    This is one of the errors: <rsp stat="fail"><method>smugmug.auth.checkAccessToken</method><err code="38" msg="unsupported version"/></rsp>

    I've noticed that if my code does not use quotes at all, that some methods succeed, like smugmug.auth.checkAccessToken, yet others fail with errors similar to the above, or invalid signature errors.

    The specification does state that the values must be enclosed in a double quote (character 34): http://oauth.net/core/1.0/#auth_header
  • Dan Cavey Registered Users Posts: 8 Big grins
    edited March 18, 2014
    I just moved my code from API 1.2.2 to API 1.3.0 this morning. When I use the getAlbums or getPictures without logging in and just providing my APIKey, I'm getting Unknown user error.

    Since I've never used this before this morning... any ideas? I'm quite new at this. Everything was working fine with 1.2.2 with a regular (non-Oauth) login.
  • wiredprairie Registered Users Posts: 12 Big grins
    edited March 18, 2014
    Dan Cavey wrote: »
    I just moved my code from API 1.2.2 to API 1.3.0 this morning. When I use the getAlbums or getPictures without logging in and just providing my APIKey, I'm getting Unknown user error.

    Since I've never used this before this morning... any ideas? I'm quite new at this. Everything was working fine with 1.2.2 with a regular (non-Oauth) login.

    Are you using OAuth ... sending the proper signed requests with the token, etc.?
  • Dan Cavey Registered Users Posts: 8 Big grins
    edited March 18, 2014
    No, my understanding was that OAuth login was not necessary for some of the read-only APIs like images.get and albums.get. Is that not true?

    If I must do OAuth, then I guess I'll figure that out...

    BTW... I did notice that when I go to my Account APIKeys settings where the Key and Secret are, that the Authorized Users has a "0" beside it. Hmmm..
  • wiredprairie Registered Users Posts: 12 Big grins
    edited March 18, 2014
    Dan Cavey wrote: »
    No, my understanding was that OAuth login was not necessary for some of the read-only APIs like images.get and albums.get. Is that not true?

    If I must do OAuth, then I guess I'll figure that out...

    BTW... I did notice that when I go to my Account APIKeys settings where the Key and Secret are, that the Authorized Users has a "0" beside it. Hmmm..

    It depends if the galleries are public, etc. If you want complete unrestricted access, you'll need to use the OAuth methods.
  • jhofker Registered Users Posts: 136 Major grins
    edited March 18, 2014
    wiredprairie wrote: »
    My app code was working last night, and without any code changes, stopped working this morning as well with a similar issue. Requests are just rejected with errors. Unfortunately, at least for my code, changing quote style isn't sufficient.

    This is one of the errors: <rsp stat="fail"><method>smugmug.auth.checkAccessToken</method><err code="38" msg="unsupported version"/></rsp>

    I've noticed that if my code does not use quotes at all, that some methods succeed, like smugmug.auth.checkAccessToken, yet others fail with errors similar to the above, or invalid signature errors.

    The specification does state that the values must be enclosed in a double quote (character 34): http://oauth.net/core/1.0/#auth_header

    Good call on the OAuth spec - I honestly didn't think that quotation choice would be spec'd, but as we see, I'm wrong!

    Make sure you're passing oauth_version="1.0" in your authorization header and not "1.0a" or anything like that.
  • wiredprairie Registered Users Posts: 12 Big grins
    edited March 19, 2014
    jhofker wrote: »
    Good call on the OAuth spec - I honestly didn't think that quotation choice would be spec'd, but as we see, I'm wrong!

    Make sure you're passing oauth_version="1.0" in your authorization header and not "1.0a" or anything like that.

    Apparently, the version parameter is actually optional, I found out from reading the spec. But, I did have it as "1.0" per spec.

    So, the error wasn't accurate. It took me a while, but thanks to this tiny test web page from LinkedIn: http://developer.linkedin.com/oauth-test-console, I figured out that the way my code was passing parameters wasn't perfectly to specification, and that for some reason, SmugMug didn't accept the slightly-not-to-specification technique that my code had been using the day before.

    Thankfully, it seems to be working again.
  • jhofker Registered Users Posts: 136 Major grins
    edited March 24, 2014
    Great!

    They seem to have gotten a little pickier on the OAuth parameters lately. :-)
  • Dan Cavey Registered Users Posts: 8 Big grins
    edited March 31, 2014
    wiredprairie wrote: »
    Apparently, the version parameter is actually optional, I found out from reading the spec. But, I did have it as "1.0" per spec.

    So, the error wasn't accurate. It took me a while, but thanks to this tiny test web page from LinkedIn: http://developer.linkedin.com/oauth-test-console, I figured out that the way my code was passing parameters wasn't perfectly to specification, and that for some reason, SmugMug didn't accept the slightly-not-to-specification technique that my code had been using the day before.

    Thankfully, it seems to be working again.

    Thanks for the URL. I was able to resolve an issue and now my encoded signature matches what the link says it should be. BUT... I'm getting an Invalid Signature error now. What do I have missing?

    Signature GET&http%3A%2F%2Fapi.smugmug.com%2Fservices%2Foauth%2FgetRequestToken.mg%2F%3F&oauth_consumer_key%3DZG6qq1fWAqyIU5xSNilIpwDkHHZcBxYx%26oauth_nonce%3D1396274343%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1396274343%26oauth_version%3D1.0

    SigString
    uucicNHNDi57NPUV1UQ4qdDGmJM=

    Oauth login string
    http://api.smugmug.com/services/oauth/getRequestToken.mg/?&oauth_consumer_key=ZG6qq1fWAqyIU5xSNilIpwDkHHZcBxYx&oauth_nonce=1396274343&oauth_signature=uucicNHNDi57NPUV1UQ4qdDGmJM=&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1396274343&oauth_version=1.0

    I've tried it with and without using "/?" and I've tried it as GET and POST. I know it is bad practice to use the timestamp as the nonce, I'm just doing that now for testing.
  • Dan Cavey Registered Users Posts: 8 Big grins
    edited March 31, 2014
    Signature is GET&http%3A%2F%2Fapi.smugmug.com%2Fservices%2Foauth%2FgetRequestToken.mg%2F%3F&oauth_consumer_key%3DZG6qq1fWAqyIU5xSNilIpwDkHHZcBxYx%26oauth_nonce%3D1396274343%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1396274343%26oauth_version%3D1.0

    SigString uucicNHNDi57NPUV1UQ4qdDGmJM=

    2014-03-31 09:59:03.810 SunriseV1[59815:60b]

    Oauth login string
    http://api.smugmug.com/services/oauth/getRequestToken.mg/?
    &oauth_consumer_key=ZG6qq1fWAqyIU5xSNilIpwDkHHZcBxYx&oauth_nonce=1396274343
    &oauth_signature=uucicNHNDi57NPUV1UQ4qdDGmJM=&oauth_signature_method=HMAC-SHA1
    &oauth_timestamp=1396274343&oauth_version=1.0

    Maybe this will post the entire URL... Not sure why some spaces posted in the cut and paste of the Signature, but you get the idea.
  • wiredprairie Registered Users Posts: 12 Big grins
    edited March 31, 2014
    Dan Cavey wrote: »
    Signature is GET&http%3A%2F%2Fapi.smugmug.com%2Fservices%2Foauth%2FgetRequestToken.mg%2F%3F&oauth_consumer_key%3DZG6qq1fWAqyIU5xSNilIpwDkHHZcBxYx%26oauth_nonce%3D1396274343%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1396274343%26oauth_version%3D1.0

    SigString uucicNHNDi57NPUV1UQ4qdDGmJM=

    2014-03-31 09:59:03.810 SunriseV1[59815:60b]

    Oauth login string
    http://api.smugmug.com/services/oauth/getRequestToken.mg/?
    &oauth_consumer_key=ZG6qq1fWAqyIU5xSNilIpwDkHHZcBxYx&oauth_nonce=1396274343
    &oauth_signature=uucicNHNDi57NPUV1UQ4qdDGmJM=&oauth_signature_method=HMAC-SHA1
    &oauth_timestamp=1396274343&oauth_version=1.0

    Maybe this will post the entire URL... Not sure why some spaces posted in the cut and paste of the Signature, but you get the idea.

    The formatting here is REALLY challenging to follow, especially given the nature of this data. Are you quoting the values in the header per spec?
  • Dan Cavey Registered Users Posts: 8 Big grins
    edited March 31, 2014
    Quoting? I thought the quotes were just showing that they were strings... yikes! Apparently the quotes don't go in the signature string, so I guess they just go in the actual HTTP request, right? Thanks..
  • Dan Cavey Registered Users Posts: 8 Big grins
    edited April 1, 2014
    Thanks. That has gotten me further along, but now I get "oauth_problem=signature_method_rejected". Is there a different way other than HMAC-SHA1? Here is the URL:

    http://api.smugmug.com/services/oauth/getRequestToken.mg/?
    &oauth_consumer_key=%22ZG6qq1fWAqyIU5xSNilIpwDkHHZcBxYx%22&oauth_nonce=%2213963583008300%22&oauth_signature_method=%22HMAC-SHA1%22&oauth_signature=%22NrN0tkkPfdoOHZfa5jRDLgVGE3k%3D%22&oauth_timestamp=%221396358300%22&oauth_version=%221.0%22
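
Added example, not part of the thread and not SmugMug's code: a Python implementation of the OAuth Core 1.0 rules the posts above circle around, where the signature base string is built from raw, unquoted values and a base URI without "?" or query, and double quotes appear only in the Authorization header. The consumer key, secret, nonce and callback are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def enc(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Base URI is scheme://host/path only: no "?" and no query string.
    # Assumes no explicit port; query parameters must be passed in params.
    u = urlsplit(url)
    base_uri = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    # Raw values are encoded and sorted; quote characters are never added.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(base_uri), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 key is the two encoded secrets joined by "&".
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def authorization_header(params, signature):
    # Double quotes (character 34) appear here, in the header, and nowhere else.
    fields = dict(params, oauth_signature=signature)
    return "OAuth " + ", ".join(
        f'{enc(k)}="{enc(v)}"' for k, v in sorted(fields.items()))

# Constructed sample request; key, secret, nonce and callback are placeholders.
URL = "https://api.smugmug.com/services/oauth/getRequestToken.mg"
SECRET = "CONSTRUCTED_SECRET"
PARAMS = {
    "oauth_callback": "http://localhost/callback",
    "oauth_consumer_key": "CONSTRUCTED_KEY",
    "oauth_nonce": "constructed-nonce-01",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1396358300",
    "oauth_version": "1.0",
}
SIG = sign("POST", URL, PARAMS, SECRET)
HEADER = authorization_header(PARAMS, SIG)
# Signing values that already carry quotes produces a different signature,
# so the server's recomputed signature will not match.
QUOTED_SIG = sign("POST", URL, {k: f'"{v}"' for k, v in PARAMS.items()}, SECRET)
```
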