Unable to generate Tumblr API Request Token in PHP

Question

First, a note: My host does not have the PECL OAUTH or HTTP extensions installed.

The purpose of this: I'm hoping to create an interface to easily follow and unfollow a given list of Tumblr names.

Problem: Can't get past the authentication step.

Code:

$request_url = 'http://www.tumblr.com/oauth/request_token';
$consumer_key = COSUMER_KEY;
$consumer_secret = CONSUMER_SECRET;
$oauth_key = urlencode_rfc3986($consumer_secret) . '&';
$time = time();
$nonce = md5(microtime() . mt_rand());
$callback_url = 'http://krisallengallery.com/easyfollowr/index.php';
$params = array('oauth_consumer_key' => $consumer_key,
                'oauth_signature_method' => 'HMAC-SHA1',
                'oauth_timestamp' => $time,
                'oauth_nonce' => $nonce,
                'oauth_version' => '1.0a',
                'oauth_callback' => $callback_url);             
uksort($params, 'strcmp');

$oauth_header = 'Authorization: OAuth ';

$raw_signature = 'GET&' . urlencode_rfc3986($request_url) . '&';
$raw_suffix = array();
foreach($params as $key => $param)
{
    $raw_suffix[] = $key . '=' . $param;
}
$raw_signature .= urlencode_rfc3986(implode('&', $raw_suffix));
$oauth_signature = urlencode_rfc3986(base64_encode(hash_hmac('sha1', $raw_signature, $oauth_key, true)));

$params['oauth_signature'] = $oauth_signature;
uksort($params, 'strcmp');

$raw_head = array();
foreach($params as $key => $param)
{
    $raw_head[] = $key . '="' . $param . '"';
}
$oauth_header .= implode(',', $raw_head);

$session = curl_init($request_url);
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
curl_setopt($session, CURLOPT_HEADER, true);
curl_setopt($session, CURLOPT_HTTPHEADER, array($oauth_header));
$response = curl_exec($session);
curl_close($session);
echo $response;

function urlencode_rfc3986($input)
{
    return str_replace('+', ' ', str_replace('%7E', '~', rawurlencode($input)));
}

Any ideas of where I'm going wrong?

ETA: Made some modifications. It's still not working, but the error I'm getting now is oauth_signature does not match expected value

Answer 1

Exclude the 'oauth_callback' => $callback_url from the $params array and its all good. After excluding it server returns a 200 code:

HTTP/1.1 200 OK Server: nginx Date: Fri, 04 Oct 2013 19:52:51 GMT Content-Type: application/x-www-form-urlencoded Transfer-Encoding: chunked Connection: close Set-Cookie: tmgioct=524f1c93c799700263374730; expires=Mon, 02-Oct-2023 19:52:51 GMT; path=/; httponly P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL" oauth_token=smKHczH7Mt1MTGilqERZ28oNjJ4OP31lVtBHYTRAY8BH3f73hc&oauth_token_secret=4AxBTP8YannLZDdvR9IiTJTJIEKXocPJEHHSDd5TKQOrE6kr0N&oauth_callback_confirmed=true

Answer 2

I'm not entirely sure what I was doing wrong, but fortunately, I found fangel's OAuth script on GitHub that implements everything I need to generate tokens. It looks like I was on the the right track, though.

ETA: Furthermore, there is jacobbudin's TumblrOAuth library on GitHub, which uses fangel's script and some forked then updated code, that handles all the Tumblr authentication for a user for your application.

I'm sure I'll be back with more questions when I start trying to build my Followr script.

Answer 3

I can't test it so I'll give you a couple of things to try and see if there is any improvement.

'$oauth_timestamp' in your $params array should actually be 'oauth_timestamp' (no $ sign). Also, when generating the query string, you shouldn't be enclosing the values in quotes.

You should change the foreach($params) loop to this instead:

foreach($params as $key => $param)
{
    $raw_signature .= $key . '=' . urlencode($param) . '&';
    $oauth_header  .= $key . '=' . $param . ',';
}

$raw_signature = rtrim($raw_signature, '&');
$oauth_signature = base64_encode(hash_hmac('sha1', $raw_signature, $oauth_key));
$oauth_header .= 'oauth_signature=' . $oauth_signature;

Also, I think you should be using a GET request instead of POST for cURL.

Hope that helps.