Rox

Reputation: 2917

Cannot authorize me using OAuth 1.0a, failing when requesting an accessToken

I am trying to authorize myself on a service using OAuth 1.0a. I can do the requestToken and authorize steps, but when I call the accessToken URL I get a 401 Unauthorized response back with the following message:
OAuth Verification Failed: Can't exchange request token "THE_TOKEN" for access token. No such token or not authorized%

I have masked the credentials and URLs.

Request token URL: https://url-to-the-service.com/oauth/requestToken
Authorize token URL: https://url-to-the-service.com/oauth/authorize
Access token URL: https://url-to-the-service.com/oauth/accessToken

The credentials I have gotten from the service are the following:
consumer_key = CONSUMER_KEY
consumer_secret = CONSUMER_SECRET

STEP 1 - request a temporary token

curl -v -X GET --url "https://url-to-the-service.com/oauth/requestToken?oauth_version=1.0&\
oauth_timestamp=1516721112&\
oauth_nonce=25794&\
oauth_signature_method=PLAINTEXT&\
oauth_consumer_key=CONSUMER_KEY&\
oauth_signature=CONSUMER_SECRET%26"

The service then responds with:

oauth_callback_confirmed=true&oauth_token=THE_TOKEN&oauth_token_secret=THE_TOKEN_SECRET&xoauth_token_ttl=3600

STEP 2 - authorize me with the temporary token and get a verifier

I then enter this into my browser:

https://url-to-the-service.com/oauth/authorize?oauth_token=THE_TOKEN

...and it prompts me to log in to the service. When I press the authorize button after logging in I am forwarded to this URL:

https://url-to-the-service.com/oauth/authorize?yes=1&oauthVerifier=123456789&oauth_token=THE_TOKEN

STEP 3 - request access token

Finally, I make a request to https://url-to-the-service.com/oauth/accessToken by adding the oauth_verifier and the token secret to the oauth_signature:

curl -v -X GET --url "https://url-to-the-service.com/oauth/accessToken?oauth_version=1.0&\
oauth_timestamp=1516730938&\
oauth_nonce=30888&\
oauth_signature_method=PLAINTEXT&\
oauth_consumer_key=CONSUMER_KEY&\
oauth_signature=CONSUMER_SECRET%26THE_TOKEN_SECRET&\
oauth_token=THE_TOKEN&\
oauth_verifier=123456789"

But the service responds with:
OAuth Verification Failed: Can't exchange request token "THE_TOKEN" for access token. No such token or not authorized%

So what am I missing?

Upvotes: 2

Views: 1151

Answers (2)

Wilhelm Liao

Reputation: 829

According to RFC 5849, section 3.2 (Verifying Requests):

The server SHOULD return a 401 (Unauthorized) status code when receiving a request with invalid client credentials, an invalid or expired token, an invalid signature, or an invalid or used nonce.

I am not sure whether the value xoauth_token_ttl=3600 from step 1 is in minutes or seconds. If it is in seconds, the token from the first request at 1516721112 has expired by the time of the access token request at 1516730938. (1516730938 - 1516721112 = 9826)

Upvotes: 1

varunsangal

Reputation: 131

It looks like you are forcing a GET request in your cURL request. Try a POST request like below:

curl -v -X POST --url "https://url-to-the-service.com/oauth/accessToken?oauth_version=1.0&\
oauth_timestamp=1516730938&\
oauth_nonce=30888&\
oauth_signature_method=PLAINTEXT&\
oauth_consumer_key=CONSUMER_KEY&\
oauth_signature=CONSUMER_SECRET%26THE_TOKEN_SECRET&\
oauth_token=THE_TOKEN&\
oauth_verifier=123456789"

Refer to the OAuth1 documentation. Quoting here for reference:

Token Exchange

The final step in authorization is to exchange the temporary credentials (request token) for long-lived credentials (also known as an Access Token). This request also destroys the temporary credentials.

The temporary credentials are converted to long-lived credentials by sending a POST request to the token request endpoint (typically /oauth1/access). This request must be signed by the temporary credentials, and must include the oauth_verifier token from the authorization step.

Upvotes: 0
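
An added example, not code from any of the posts above: it assembles the step 3 token-exchange request offline, combining the two checks raised in the answers (request-token lifetime, POST) with the PLAINTEXT signature encoding from RFC 5849. It assumes xoauth_token_ttl is in seconds and that the service accepts the parameters in a form-encoded POST body; the function names are hypothetical.

```python
import secrets
import time
from urllib.parse import parse_qs, quote


def pct(value):
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(value, safe="")


def plaintext_signature(consumer_secret, token_secret=""):
    """PLAINTEXT oauth_signature: encoded consumer secret, '&', encoded token secret."""
    return pct(consumer_secret) + "&" + pct(token_secret)


def build_access_token_request(consumer_key, consumer_secret, step1_response,
                               verifier, issued_at, now=None):
    """Return (method, form_body) for step 3; nothing is sent over the network."""
    now = int(time.time()) if now is None else now
    fields = {k: v[0] for k, v in parse_qs(step1_response).items()}
    # Assumption: xoauth_token_ttl (a service-specific field) is in seconds.
    ttl = int(fields.get("xoauth_token_ttl", "0"))
    if ttl and now - issued_at > ttl:
        raise ValueError(f"request token is {now - issued_at}s old, ttl is {ttl}s")
    params = {
        "oauth_version": "1.0",
        "oauth_timestamp": str(now),
        "oauth_nonce": secrets.token_hex(16),  # unpredictable, never reused
        "oauth_signature_method": "PLAINTEXT",
        "oauth_consumer_key": consumer_key,
        "oauth_token": fields["oauth_token"],
        "oauth_verifier": verifier,
        "oauth_signature": plaintext_signature(consumer_secret,
                                               fields["oauth_token_secret"]),
    }
    # Values are encoded once more for transport, so the signature's '&' becomes %26.
    body = "&".join(f"{pct(k)}={pct(v)}" for k, v in params.items())
    return "POST", body


# Constructed sample input in the shape of the step 1 response from the question.
STEP1 = ("oauth_callback_confirmed=true&oauth_token=THE_TOKEN"
         "&oauth_token_secret=THE_TOKEN_SECRET&xoauth_token_ttl=3600")

if __name__ == "__main__":
    print(build_access_token_request("CONSUMER_KEY", "CONSUMER_SECRET", STEP1,
                                     "123456789", issued_at=1516721112,
                                     now=1516721172))
```

PLAINTEXT puts both secrets on the wire in every request, so it is only acceptable over TLS.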
