OAuth1 reject_token 401 unauthorized

Question

Get Access Token request of OAuth1.0 only work once for Magento1.9 after being redirected back from Authorization URL. Next time when requesting for Access Token I get reject_token. What I noticed there is difference in signature of both objects' signature.

Request 1(successful):

OAuth::Consumer.new(consumer_data)
OAuth::RequestToken.from_hash(some_hash)
request_token.get_access_token(oauth_verifier: 'asdfasdagbadbv')

with signature having

oauth_nonce=\"iIHmN7obLeONSitOxFFZQI71v0k4mAsEFLFen0Lw\", 
oauth_signature=\"lwj0n1AK3VJLdaXHIWEOFlYp5qc%3D\"

Request 2(unsuccessful):

OAuth::Consumer.new(consumer_data)
OAuth::RequestToken.from_hash(some_hash)
request_token.get_access_token(oauth_verifier: 'asdfasdagbadbv')

with signature having

oauth_nonce=\"KciY4tiiPDu1u029Nbdu1C325svchfESTYV1l8mvw\", 
oauth_signature=\"KciY4tiiPt5Du1u029Nbdu1CzCHzvc%3D\"

This may be or may not be the issue but this is the only difference I found so far in both requests. Please someone help me in updating oauth_nonce and signature or devise some other solution.

Answer 1

The problem is in the second line.

 request_token.get_access_token(oauth_verifier: 'asdfasdfa')

According to Auth documentation request token should be used one time. Request token expires once we use them. You are using expired request token in the second call which causes reject_token 401 unauthorized.

Solution

Actually, request tokens are used to generate Access Token. Access Tokens can be used multiple times. So what you need is to store Access Token somewhere, generated in first request_token.get_access_token(oauth_verifier: 'asdfasdfa') line. Then you can use saved access token in the reset of your API calls. The syntax of using access token is the following:

@consumer = OAuth::Consumer.new(...)
@token = OAuth::Token.new('ACCESS_TOKEN', 'ACCESS_TOKEN_SECRET') // saved access token and secret here
@consumer.request(:post, '/people', @token, {}, @person.to_xml, { 'Content-Type' => 'application/xml' })