user3180943

Reputation: 331

OAuth: invalid oauth_signature

I am stuck generating the OAuth signature programmatically. I am on FreeBSD with PHP71 and cannot use the PECL extension, because it doesn't work with PHP > 5.6 yet.

I read the RFC and many, many SO threads as well as blogs that all have the same problem I have. But I can't figure out where I failed.

I am trying to obtain a request token from the XING.com API.

My code:

$strConsumerKey    = '12345';
$strConsumerSecret = '1234567890';

$arrQueryParams = [

  'oauth_callback'         => 'http://xing.dev/endpoint?hauth.done=XING',
  'oauth_consumer_key'     => $strConsumerKey,
  'oauth_nonce'            => md5(microtime() . mt_rand()),
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp'        => time(),
  'oauth_version'          => '1.0'

];

uksort($arrQueryParams, 'strcmp');

$strNormalizedParams = [];

foreach($arrQueryParams AS $k => $v)
  $strNormalizedParams[] = $k . '=' . $v;

$strRequestTokenUrl = 'https://api.xing.com/v1/request_token';
$strBaseString      = 'GET&' . rawurlencode($strRequestTokenUrl) . '&' . rawurlencode(implode('&', $strNormalizedParams));

$strKey = rawurlencode($strConsumerSecret) . '&';# . rawurlencode($strConsumerKey);

$strOAuthSignature  = base64_encode(hash_hmac('sha1', $strBaseString, $strKey, true));

$arrQueryParams['oauth_signature'] = $strOAuthSignature;
uksort($arrQueryParams, 'strcmp');

$params = [];

foreach($arrQueryParams AS $k => $v)
  $params[] = $k . '=' . rawurlencode($v);

$strFinalRequest = $strRequestTokenUrl . '?' . implode('&', $params);

$ch = curl_init($strFinalRequest);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$mixResponse = curl_exec($ch);

var_dump($mixResponse);

curl_close($ch);

exit;

$strBaseString example:

GET&https%3A%2F%2Fapi.xing.com%2Fv1%2Frequest_token&oauth_callback%3Dhttp%3A%2F%2Fxing.dev%2Fendpoint%3Fhauth.done%3DXING%26oauth_consumer_key%3D12345%26oauth_nonce%3Daadab05f87028514358e5995dc6728fd%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1503318691%26oauth_version%3D1.0

Final Request example:

https://api.xing.com/v1/request_token?oauth_callback=http%3A%2F%2Fxing.dev%2Fendpoint%3Fhauth.done%3DXING&oauth_consumer_key=12345&oauth_nonce=71f83f72b929a87e5fdd6bf1a7fb2511&oauth_signature=56qc3%252FCrMptnUoy6TgsJtsZclfY%253D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1503318773&oauth_version=1.0

The response is always:

{"message":"Invalid OAuth signature","error_name":"INVALID_OAUTH_SIGNATURE"}

The really funny thing, though, is that the https://github.com/xing/xing-api-samples/tree/master/php XING client works on my machine. I debugged the code and looked at how they are generating the signature, dumped out the generated base string, the final string, params, etc., and everything looks like what I do (except for the values of oauth_timestamp and oauth_nonce, of course).

Also, I can reproduce the results of the OAuth example: https://oauth.net/core/1.0/#sig_base_example

This makes it even more strange.

Does anyone have an idea what I am doing wrong? Thank you and best regards

Upvotes: 1

Views: 1170

Answers (1)

user3180943

Reputation: 331

Found the mistake:

$strBaseString = 'GET&' . rawurlencode($strRequestTokenUrl) . '&' . rawurlencode(implode('&', $strNormalizedParams));

should be

$strBaseString = 'GET&' . rawurlencode($strRequestTokenUrl) . '&' . rawurlencode(http_build_query($arrQueryParams));

Upvotes: 1
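
Why the change in the answer works, as an added example (not the poster's code and not the XING client): RFC 5849 section 3.4.1 requires every parameter name and value to be percent-encoded before the pairs are joined, and the joined string is then encoded again, so the callback must appear as http%253A%252F%252F... in the base string rather than http%3A%2F%2F... as in the question. The function names are hypothetical; the nonce, timestamp and dummy secret are copied from the question.

```php
<?php
// Added example. Function names are hypothetical; sample values are from the question.
// RFC 5849 section 3.6 percent-encoding (a space becomes %20, never "+").
function oauth_encode(string $s): string
{
    return rawurlencode($s);
}

// RFC 5849 section 3.4.1: encode every name and value, sort by name then value,
// join with "=" and "&", then encode the joined string once more.
// Assumes $url carries no query string and $params holds all request parameters.
function signature_base_string(string $method, string $url, array $params): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = [oauth_encode((string) $name), oauth_encode((string) $value)];
    }
    usort($pairs, function (array $a, array $b): int {
        return strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]);
    });
    $joined = implode('&', array_map(function (array $p): string {
        return $p[0] . '=' . $p[1];
    }, $pairs));
    return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode($joined);
}

// HMAC-SHA1 key: encoded consumer secret, "&", encoded token secret (empty for a request token).
function hmac_sha1_signature(string $base, string $consumerSecret, string $tokenSecret = ''): string
{
    $key = oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

$url    = 'https://api.xing.com/v1/request_token';
$params = [
    'oauth_callback'         => 'http://xing.dev/endpoint?hauth.done=XING',
    'oauth_consumer_key'     => '12345',
    'oauth_nonce'            => 'aadab05f87028514358e5995dc6728fd',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => '1503318691',
    'oauth_version'          => '1.0',
];
$base = signature_base_string('GET', $url, $params);
echo $base, "\n", hmac_sha1_signature($base, '1234567890'), "\n";

// Same string as the answer's fix for these inputs, because no value contains a space.
var_dump($base === 'GET&' . rawurlencode($url) . '&' . rawurlencode(http_build_query($params)));
// With a space the default http_build_query() emits "+"; PHP_QUERY_RFC3986 matches the RFC.
var_dump(http_build_query(['q' => 'a b']), http_build_query(['q' => 'a b'], '', '&', PHP_QUERY_RFC3986));
```

When parameter values can contain spaces, pass PHP_QUERY_RFC3986 to http_build_query() or encode each pair with rawurlencode() as above, otherwise the server computes a different base string and rejects the signature.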
