http OAuth request

Question

I am new to network programming.I am trying to make a POST request based on OAuth 1.0 on dropbox. The following is the code i used to make the post request.Is that how i am supposed to do it?

HttpPost httpPost;
            Log.d("HTTP","Exec");
            httpPost = new HttpPost("https://api.dropbox.com/1/shares/dropbox/a.jpg");
            Log.d("HTTP","Execute");

            try {
                List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(9);
                nameValuePairs.add(new BasicNameValuePair("oauth_consumer_key", "2f2y1dyuqhp58ek"));
                nameValuePairs.add(new BasicNameValuePair("oauth_token", token));
                nameValuePairs.add(new BasicNameValuePair("oauth_nonce", String.valueOf(millis)));
                nameValuePairs.add(new BasicNameValuePair("oauth_timestamp", String.valueOf(millis)));
                nameValuePairs.add(new BasicNameValuePair("oauth_signature_method", "HMAC-SHA1"));
                nameValuePairs.add(new BasicNameValuePair("oauth_version", "1.0"));
                nameValuePairs.add(new BasicNameValuePair("oauth_signature", sw));//this is url encoded
                //nameValuePairs.add(new BasicNameValuePair("path", "/a.jpg"));
                //nameValuePairs.add(new BasicNameValuePair("root", "dropbox"));
                httpPost.setEntity(new UrlEncodedFormEntity(nameValuePairs));

                Log.d("HTTP","requesting");
                HttpResponse response = httpclient.execute(httpPost);

                HttpEntity entity = response.getEntity();
                InputStream is = entity.getContent();
            String result;
                BufferedReader reader = new BufferedReader(new InputStreamReader(is));
                 StringBuilder sb = new StringBuilder();
                 String line = null;
                 line = reader.readLine();
                 sb.append(line); 
                 result = sb.toString();
                 is.close();

                //String s=response.getEntity().getContent().;
                Log.d("resp", result);
                //tv.setText(response.toString());

            } catch (ClientProtocolException e) {
            } catch (IOException e) {
            }

The signature base string is:

POST&https%3A%2F%2Fapi.dropbox.com%2F1%2Fshares%2Fdropbox%2Fa.jpg&oauth_consumer_key%3D2f2y1dyuqhp58ek%26oauth_nonce%3D1340729641%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1340729641%26oauth_token%3Dwz27t6thob0fbxl%26oauth_version%3D1.0

T Any clue what the problem might be?The response that i am getting is 'invalid signature Base string'which is shown in the logCat.

LogCat:

06-26 22:30:46.125: I/System.out(364): debugger has settled (1322)
06-26 22:30:49.203: I/ActivityManager(66): Displayed activity cloud.mobile/.MCActivity: 9393 ms (total 9393 ms)
06-26 22:30:49.243: W/ActivityManager(66): Launch timeout has expired, giving up wake lock!
06-26 22:30:57.124: D/HTTP(364): wz27t6thob0fbxl
06-26 22:30:59.197: D/HTTP(364): Exe
06-26 22:30:59.886: D/HTTP(364): 1340730059
06-26 22:31:00.824: D/HTTP(364): POST&https%3A%2F%2Fapi.dropbox.com%2F1%2Fshares%2Fdropbox%2Fa.jpg&oauth_consumer_key%3D2f2y1dyuqhp58ek%26oauth_nonce%3D1340730059%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1340730059%26oauth_token%3Dwz27t6thob0fbxl%26oauth_version%3D1.0
06-26 22:31:00.824: D/HTTP(364): xLNJrQ5R9jxDTnZcpQ3HLkLBxxQ=
06-26 22:31:00.973: D/HTTP(364): Exe
06-26 22:31:00.983: D/HTTP(364): Exec
06-26 22:31:01.023: D/HTTP(364): Execute
06-26 22:31:01.664: D/HTTP(364): requesting
06-26 22:31:12.243: D/dalvikvm(364): GC_FOR_MALLOC freed 5195 objects / 296968 bytes in 185ms
06-26 22:31:25.063: I/global(364): Default buffer size used in BufferedReader constructor. It would be better to be explicit if an 8k-char buffer is required.
06-26 22:31:28.545: D/resp(364): {"error": "Invalid signature. Expected signature base string: POST&https%3A%2F%2Fapi.dropbox.com%2F1%2Fshares%2Fdropbox%2Fa.jpg&oauth_consumer_key%3D2f2y1dyuqhp58ek%26oauth_nonce%3D1340730059%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1340730059%26oauth_token%3Dwz27t6thob0fbxl%26oauth_version%3D1.0"}

Well,this "expected signature base string(shown above)"is exactly same as the one i generated and converted to oauth_signature using HMAC-SHAH.. Am i missing something?

Answer 1

There may be something wrong with how you compute your value for oauth_signature. As you didn't provide the code for that I'll try a shot in the dark:

As someone in the Dropbox forums already pointed out by saying

Getting the OAuth signature stuff exactly right is always a huge pain. You should try hard to make sure the base string your library generates is just like the one the server is expecting. Once that's true, the only way you can screw up is to hmac with the wrong key(s).

the problem could be that you specify HMAC-SHA1 as signature method, but do not sign the Base String correctly with it.

The OAuth Specification names three different methods for signing the Base String. When using HMAC-SHA1 you have to call that method with the Base String and the concatenated values as input parameters. You can find an example implementation for using this method in Java here.

As Dropbox is using an SSL only API you could also fall back to using the method PLAINTEXT and directly submitting the Base String.

Further you are using the same timestamp input for oauth_timestamp and oauth_nonce which is not recommended, oauth_nonce should always be unique. For a more detailed explanation of the problem and using a global counter to solve it, read this article.