I am using PHP to do an OAuth transaction with Google (logging in to Picasa) and I can't seem to get my code to generate the same key as Google does, and Google complains of an invalid signature. I would think it were a bad hashing algorithm except that when I try it on the sample base string at OAuth.net, it gets the right signature.
http://oauth.net/core/1.0/#anchor30

When I take the base string and secret on this page and run it through PHP's hash_hmac() function, I get the result expected. So I know that the parameters are being sent in correctly (e.g., the correct level of escaping, correct encoding, etc.).

I go to Google's OAuth Playground, and enter my consumer key, consumer secret and check "Picasa Web" as the scope, and Google performs a request, which returns a valid token. So I know the key, secret and scope are correct.

When I copy the Base String that Google claims to have used, and I sign it with my secret in PHP, however, I come up with a signature completely different from the one in the request that Google says they used in the playground.

Anyone have any ideas? Here's all the pertinent information, I think (by the way, I'm supplying the real consumer secret, because this account was created solely for the purpose of testing oauth encoding and will be deleted as soon as I figure it out...)

In Google's OAuth Playground, I entered:

Scope: Picasa Web
Consumer Key: www.partycitytest.invitations.com
Consumer Secret: bo/HblyfRzhMleaDE75NVVD+

Press "Request Token".

The base string it says it used is:

GET&https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthGetRequestToken&oauth_callback%3Dhttp%253A%252F%252Fgooglecodesamples.com%252Foauth_playground%252Findex.php%26oauth_consumer_key%3Dwww.partycitytest.invitations.com%26oauth_nonce%3D8bb6af9b1a8673eb53f7bf388cdc61db%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1302544688%26oauth_version%3D1.0%26scope%3Dhttps%253A%252F%252Fpicasaweb.google.com%252Fdata%252F

The request was:

GET /accounts/OAuthGetRequestToken?scope=https%3A%2F%2Fpicasaweb.google.com%2Fdata%2F HTTP/1.1
Host: www.google.com
Accept: */*
Authorization: OAuth oauth_version="1.0", oauth_nonce="8bb6af9b1a8673eb53f7bf388cdc61db", oauth_timestamp="1302544688", oauth_consumer_key="www.partycitytest.invitations.com", oauth_callback="http%3A%2F%2Fgooglecodesamples.com%2Foauth_playground%2Findex.php", oauth_signature_method="HMAC-SHA1", oauth_signature="8NGtoVg1Yejl%2BSubkCzeFN7aKas%3D"

So doesn't it stand to reason that the following PHP code should produce "8NGtoVg1Yejl%2BSubkCzeFN7aKas%3D"?

<?php
$data = "GET&https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthGetRequestToken&oauth_callback%3Dhttp%253A%252F%252Fgooglecodesamples.com%252Foauth_playground%252Findex.php%26oauth_consumer_key%3Dwww.partycitytest.invitations.com%26oauth_nonce%3D8bb6af9b1a8673eb53f7bf388cdc61db%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1302544688%26oauth_version%3D1.0%26scope%3Dhttps%253A%252F%252Fpicasaweb.google.com%252Fdata%252F";
$key = "bo/HblyfRzhMleaDE75NVVD+";
print("My Code: ".urlencode(base64_encode(hash_hmac("SHA1", $data, $key, true)))."<br>\n");
print("Google: 8NGtoVg1Yejl%2BSubkCzeFN7aKas%3D\n");
?>

But it doesn't; it produces "x6OWzrYCslL916dk5LGREexPktE%3D".

I've tried urlencoding the key, adding newlines in various places, every permutation I can think of, but still can't reproduce what Google got. Anyone have any ideas what I'm overlooking?
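The HMAC-SHA1 key construction that OAuth Core 1.0 section 9.2 specifies, as an added example that is not part of the original post: the key is the percent-encoded consumer secret, an "&", and the percent-encoded token secret (empty on a request-token call). The function names are hypothetical, and the sample input is the test vector published in Appendix A.5 of the specification.

```php
<?php
// Added example (not from the original post). Key construction follows
// OAuth Core 1.0 section 9.2; all function names here are hypothetical.

/** Percent-encode per OAuth Core 1.0 section 5.1 (RFC 3986 unreserved set). */
function oauth_encode(string $value): string
{
    return rawurlencode($value); // leaves "~" unencoded on PHP >= 5.3
}

/** HMAC-SHA1 key: encoded consumer secret, "&", encoded token secret. */
function oauth_hmac_key(string $consumerSecret, string $tokenSecret = ''): string
{
    // The "&" is always present, even when no token secret exists yet
    // (for example, on the request-token call).
    return oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);
}

/** Base64 signature over the base string (not yet percent-encoded for transport). */
function oauth_sign(string $baseString, string $consumerSecret, string $tokenSecret = ''): string
{
    $key = oauth_hmac_key($consumerSecret, $tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

/** Verifier-side check; hash_equals() compares in constant time. */
function oauth_verify(string $baseString, string $presented, string $consumerSecret, string $tokenSecret = ''): bool
{
    return hash_equals(oauth_sign($baseString, $consumerSecret, $tokenSecret), $presented);
}

// Test vector published in OAuth Core 1.0, Appendix A.5.1 and A.5.2.
$base = 'GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg'
      . '%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh'
      . '%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096'
      . '%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal';
$consumerSecret = 'kd94hf93k423kf44';
$tokenSecret    = 'pfkkdhi9sl3r4s00';
$published      = 'tR3+Ty81lMeYAr/Fid0kMTYa/WM='; // value given in Appendix A.5.2

printf("key:       %s\n", oauth_hmac_key($consumerSecret, $tokenSecret));
printf("signature: %s\n", oauth_sign($base, $consumerSecret, $tokenSecret));
printf("matches published value: %s\n",
    oauth_verify($base, $published, $consumerSecret, $tokenSecret) ? 'yes' : 'no');

// Constructed secret with reserved characters and no token secret yet:
printf("request-token key: %s\n", oauth_hmac_key('constructed/secret+'));
```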
