oauth_problem=signature_invalid about flickrkit HOT 7 CLOSED

Well there are plenty of people using it, and I use it in my apps on the store.

However, I try and take a look early next week just to be sure.

Thanks
David

On 29 Mar 2014, at 18:58, James Bucanek [email protected] wrote:

I’m brand new to using the Flickr API, so I thought the FlickrKit would save me a lot of work. In general, it has, but I’m stuck on a problem and I don’t know what the cause (Flickr or FlickrKit) is.

When I try to authorize for the first time, I get to the authorization link, enter the user ID and password, and submit. The web view goes to a page that asks the user if they want to authorize my app to use their account (I’m requesting “write” privileges). After clicking the “OK, I’ll Authorize It” button, my app gets the callback URL, but it’s always a failure: oauth_problem=signature_invalid.

I tried setting up my app’s ID and secret in the FlickrKitDemo project and trying it there, and I get the exact same results.

So is there something I’m missing or is FlickrKit broken?

—
Reply to this email directly or view it on GitHub.

from flickrkit.

Thanks, David.

I stepped through the code and found the step that fails. When I get redirected to my callback URL, it contains two parameters:

?oauth_token=72157643127809553-74aca1476baea6b6&oauth_verifier=bd7f462708d2c8c2

I then followed it through -completeAuthWithURL:completion:, where is construted the following URL:

http://www.flickr.com/services/oauth/access_token?oauth_verifier=bd7f462708d2c8c2&oauth_timestamp=1396129616.386816&oauth_version=1.0&oauth_consumer_key=f79b94fe97c0d4c01efd1305c886304e&oauth_token=72157643127809553-74aca1476baea6b6&oauth_signature=ihPKk13ivPCTkRyB3Q%2BaTwt9NeE%3D&oauth_nonce=7DB8298C&oauth_signature_method=HMAC-SHA1

This request returns the oauth_problem=signature_invalid. But as far I tell, the signature is being hashed from my app's secret key (which I've tripled checked) and the requested URL, which appears to be exactly what's required.

So as far as I can tell, FlickrKit is doing exactly what it should do. Which means that there’s something wrong with Flickr (which seems equally unlikely) or I’m somehow doing something wrong in my code, although it follows the same general pattern used in FlickrKitDemo (and my build of FlickrKitDemo gets the same error).

At this point, I’m left wondering if I’m using the wrong app secret value—although I copied and pasted it directly from my “App by You” page—OR maybe this is not the value I’m supposed to supply in -initializeWithAPIKey:sharedSecret:???

from flickrkit.

It's not unlikely the flick API has an issue. Sometimes it does.

You can ask on the yahoo flick dev user group.

David Casserly
www.davidjc.com

On 29 Mar 2014, at 22:37, James Bucanek [email protected] wrote:

Thanks, David.

I stepped through the code and found the step that fails. When I get redirected to my callback URL, it contains two parameters:

?oauth_token=72157643127809553-74aca1476baea6b6&oauth_verifier=bd7f462708d2c8c2
I then followed it through -completeAuthWithURL:completion:, where is construted the following URL:

http://www.flickr.com/services/oauth/access_token?oauth_verifier=bd7f462708d2c8c2&oauth_timestamp=1396129616.386816&oauth_version=1.0&oauth_consumer_key=f79b94fe97c0d4c01efd1305c886304e&oauth_token=72157643127809553-74aca1476baea6b6&oauth_signature=ihPKk13ivPCTkRyB3Q%2BaTwt9NeE%3D&oauth_nonce=7DB8298C&oauth_signature_method=HMAC-SHA1
This request returns the oauth_problem=signature_invalid. But as far I tell, the signature is being hashed from my app's secret key (which I've tripled checked) and the requested URL, which appears to be exactly what's required.

So as far as I can tell, FlickrKit is doing exactly what it should do. Which means that there’s something wrong with Flickr (which seems equally unlikely) or I’m somehow doing something wrong in my code, although it follows the same general pattern used in FlickrKitDemo (and my build of FlickrKitDemo gets the same error).

At this point, I’m left wondering if I’m using the wrong app secret value—although I copied and pasted it directly from my “App by You” page—OR maybe this is not the value I’m supposed to supply in -initializeWithAPIKey:sharedSecret:???

—
Reply to this email directly or view it on GitHub.

from flickrkit.

I'm running into the same issue as James. To exclude any problems with my own code, I just copy/pasted my Flickr API key and secret in the FlickrKitDemo app.

from flickrkit.

I also posted this issue to the Flickr dev list. So far the only suggestion is that I’m not signing the authorization request with both my app’s secret and the oauth_token_secret returned by the token request. This morning I carefully stepped through the code in the framework and confirmed that this isn’t the case:

1. The initial request token URL is sent, signed using just the app secret.
2. That request replies with a oath_token_secret value, which is saved by FlickrKit.
3. The next signed request creates a new signature string that's a combination of my app's secret and the oauth_token_secret, in the form "<app_secret>&<oauth_token_secret>".
4. That signed request returns a signature_invalid error.

I'm beginning to wonder if the problem is either a recent change in Flickr’s API that broke FlickrKit, or a recent change to Flickr’s API that broke the authorization of new apps?

from flickrkit.

cmejia9 just left a message on the Flickr dev list. They said that Flickr has been having a problem with authorizing some accounts since last Tuesday. It’s not all accounts. They said in testing 6 different accounts, 5 of them worked OK and one failed.

They also said that using the https: (instead of the http:) to request the access token will skirt around the problem. I hacked the -beginAuthWithCallbackURL:permission:completion method to send an “https:” request instead, and everything works now.

The post led me to believe that Flickr is preparing to switch over to https as the preferred scheme, and changes related to that upgrade have broken the existing http method. I’ve asked what the status is, and can I use https now, or should I wait until the http bug is fixed. If you want to follow the discussion, you’ll find it here: https://groups.yahoo.com/neo/groups/yws-flickr/conversations/topics/8666

from flickrkit.

I can confirm that changing some http:// schemes to https:// in the FlickrKit code fixes the issue.

from flickrkit.