OAuth1.0 Authentication failing on POST, succeeds on GET


I had successfully set up OAuth1.0 on my proxy using this tutorial:

https://github.com/dzuluaga/apigee-tutorials/tree/master/apiproxies/oauth10a-api

We had another system generate its credentials and then using a GET was successfully authorized by the OAuth1.0 policy in apigee. When that same system regenerates its credentials for a POST call, it is rejected, with an invalid signature error. What could be the reason for this?

We considered that the access token we are using may be only valid for a GET call (the HTTP method seems to be used when generating a signature as part of the base string), and so to test this theory we attempted to regenerate a new request token (we are using the 3-legged method). We found out that the link provided in the tutorial (http://oauth.googlecode.com/svn/code/javascript/example/signature.html) is down (or has been removed). We used other alternatives to try and get a request token (we have a script, and Postman also does the same thing as the above Google link), yet Apigee always declines the signature and refuses to give us a new request token. This is very strange; it appears that only that Google link can successfully acquire tokens from Apigee. What might be the reason for this?

Thank you,

Aleks



Hi @aleks1, thanks for letting us know about it.

Ah, that's unfortunate that the Google site is down. I wonder if it's because Google has deprecated their OAuth 1.0a support. I see many sites reference the same site as well. I'll put a note in my tutorial to this thread.

Here's one suggestion. I was looking at my history from 3 years ago and I found that I was using the oauth-sign NPM module to also generate signatures with Node.js that are supposed to be valid with Edge. There are a few examples in their codebase that you can test with Twitter and WordPress.

Please let us know how it goes! Cheers!

Debugging "invalid signature" results in OAuth v1.0a is tricky. The problem is you get so little feedback on what is wrong. Is it a wrong key? Wrong base string? Incorrect sort ordering? Missing parameter?

That's why that page from Google was so handy - it showed how to produce the valid signature.

Since the Google page is gone, I have created another one.

[Screenshot: oauth-v1-0a-request-builder.png]

It should be useful for generating signed requests for any OAuth v1.0a endpoint.

While that tool may be helpful, I had a look at the (somewhat old now) OAuth v1.0a tutorial you referred to. All of the endpoints in the OAuth 1.0a API Proxy use GET methods. I think this is incorrect - the OAuth 1.0a spec recommends POST (See section 6.1.1 and section 6.3.1, for example), and there's no reason not to use POST.

This could also explain why your attempts to generate a signature using the POST method are not working. If you are using the API proxy from that tutorial unchanged, then it will never validate a signature that is generated with the POST verb.

Remember, there are three steps:

  1. Generate the request token.
  2. Generate the verifier.
  3. Generate the access token.

All of the above really should be done with a POST, as each one is a non-idempotent action.

In the response to the third step, you receive an oauth_access_token and companion oauth_access_token_secret. You can then use those, along with the client_id and client_secret, to sign additional requests for *anything*, including GET or POST etc.