Search code examples

signature_invalid Yahoo oAuth

I have been trying to figure this out, and it seems to be a common problem but everything else people are doing doesn't seem to be working.

I am using the Yahoo oAuth API (ultimately trying to import contacts), however once I get to step 4 in this tutorial ( which is the step where I am trying to get the access_token I am getting the error, array(1) { ["oauth_problem"]=> string(17) "signature_invalid" }

on the oauth_signature line under getAccessToken() I have tried separating by &, %26 and %26& none of those have worked. I tried using HMAC-SHA1 instead of PLAINTEXT a separating by & but all of those have yielded the same results. I've also tried urlencode()'ing everything and that didn't work. When I var_dump(\Session::get(\Auth::user()->id . '.oauth_token_secret')) I get what looks like a real oauth_token_secret so I don't think that's the problem.

But anyways, here is the code (sorry the curl() method all over the place)

namespace App\Models\oAuth2;

class Yahoo {
    static public $consumer_key     = 'xxx';
    static public $consumer_secret  = 'xxx';

    static public function getContactsLink() {
        parse_str(self::curl('', 'post', NULL, [
            'oauth_consumer_key'        => self::$consumer_key,
            'oauth_signature'           => self::$consumer_secret . '&',
            'oauth_signature_method'    => 'PLAINTEXT',
            'oauth_callback'            => action('ImportController@yahooContacts'),
            'oauth_nonce'               => uniqid(rand()),
            'oauth_timestamp'           => time(),
            'oauth_version'             => '1.0',
            'xoauth_lang_pref'          => 'en-us'
        ]), $response);

        \Session::put(\Auth::user()->id . '.oauth_token_secret', $response['oauth_token_secret']);
        return $response['xoauth_request_auth_url'];

    static public function getAccessToken() {
        parse_str(self::curl('', 'post', NULL, [
            'oauth_consumer_key'        => self::$consumer_key,
            'oauth_signature'           => self::$consumer_secret . '%26' . \Session::pull(\Auth::user()->id . '.oauth_token_secret'),
            'oauth_signature_method'    => 'PLAINTEXT',
            'oauth_nonce'               => uniqid(rand()),
            'oauth_timestamp'           => time(),
            'oauth_version'             => '1.0',
            'oauth_verifier'            => \Input::get('oauth_verifier'),
            'oauth_token'               => \Input::get('oauth_token')
        ]), $response);


    static function curl($url, $method = 'get', $header = null, $postdata = null, $includeheader=FALSE, $timeout = 60) {
        $s = curl_init();
        curl_setopt($s,CURLOPT_URL, $url);
        if ($header)
            curl_setopt($s,CURLOPT_HTTPHEADER, $header);
        /*if ($this->debug)*/
        curl_setopt($s,CURLOPT_VERBOSE, FALSE);
            curl_setopt($s,CURLOPT_TIMEOUT, $timeout);
        curl_setopt($s,CURLOPT_CONNECTTIMEOUT, $timeout);
        curl_setopt($s,CURLOPT_MAXREDIRS, 3);
        curl_setopt($s,CURLOPT_RETURNTRANSFER, true);
        curl_setopt($s,CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($s,CURLOPT_COOKIEJAR, 'cookie.txt');
        curl_setopt($s,CURLOPT_COOKIEFILE, 'cookie.txt');
        if(strtolower($method) == 'post')
            curl_setopt($s,CURLOPT_POST, true);
            curl_setopt($s,CURLOPT_POSTFIELDS, $postdata);
        else if(strtolower($method) == 'delete')
            curl_setopt($s,CURLOPT_CUSTOMREQUEST, 'DELETE');
        else if(strtolower($method) == 'put')
            curl_setopt($s,CURLOPT_CUSTOMREQUEST, 'PUT');
            curl_setopt($s,CURLOPT_POSTFIELDS, $postdata);
        curl_setopt($s,CURLOPT_HEADER, $includeheader);
        //curl_setopt($s,CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1');
        curl_setopt($s, CURLOPT_SSL_VERIFYPEER, false);

        $html    = curl_exec($s);
        $status = curl_getinfo($s, CURLINFO_HTTP_CODE);

        return $html;


  • For anyone else with this problem, I figured out my issue. The get_token call has to explicitly be GET not POST (even though the docs say GET & POST).

    This is what my updated getAccessToken() method looks like:

    static public function getAccessToken() {
            '' . self::$consumer_key .'&oauth_signature=' . self::$consumer_secret . '%26' . \Session::pull(\Auth::user()->id . '.oauth_token_secret') . '&oauth_signature_method=PLAINTEXT&oauth_nonce=' . uniqid(rand()) . '&oauth_timestamp=' . time() . '&oauth_version=1.0&oauth_verifier=' . \Input::get('oauth_verifier') . '&oauth_token=' . \Input::get('oauth_token')
        ), $response);

    and that works perfectly.