Home/ Questions/Q 7634011
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T07:03:21+00:00

I’m working on building a library for a client to integrate with LinkedIn’s API

  • 0

I’m working on building a library for a client to integrate with LinkedIn’s API and am currently working on the OAuth implementation. I am able to request the initial token’s no problem and have the user grant the authentication to my app, but when I try to request the access token with the oauth_token and oauth_verifier (along with the rest of the oauth information that I send with ever request, I get a signature invalid error.

The OAuth settings that I send are as follows:

  • oauth_consumer_key
  • oauth_nonce
  • oauth_timestamp
  • oauth_signature_method
  • oauth_version
  • oauth_token
  • oauth_verifier

I also add in the oauth_signature which is a signed version of all of those keys. I sign the request with the following method:

public void function signRequest(any req){
  var params = Arguments.req.getAllParameters();
  var secret = "#Variables.encoder.parameterEncodedFormat(getConsumer().getConsumerSecret())#&#Variables.encoder.parameterEncodedFormat(Arguments.req.getOAuthSecret())#";
  var base = '';

  params = Variables.encoder.encodedParameter(params, true, true);

  secret = toBinary(toBase64(secret));

  local.mac = createObject('java', 'javax.crypto.Mac').getInstance('HmacSHA1');
  local.key = createObject('java', 'javax.crypto.spec.SecretKeySpec').init(secret, local.mac.getAlgorithm());

  base = "#Arguments.req.getMethod()#&";
  base = base & Variables.encoder.parameterEncodedFormat(Arguments.req.getRequestUrl());
  base = "#base#&#Variables.encoder.parameterEncodedFormat(params)#";

  local.mac.init(local.key);
  local.mac.update(JavaCast('string', base).getBytes());

  Arguments.req.addParameter('oauth_signature', toString(toBase64(mac.doFinal())), true);
}

I know that it works, because I can use the same method to request the initial token (without the oauth_token or oauth_verifier parameters), so I am assuming that it is a problem with the parameters that I am signing. (And yes I am alphabetically ordering the parameters before I sign them)

So is there a parameter that I shouldn’t be including in the signature or another one that I should be?

This is an example of a base string that gets encrypted:

POST&https%3A%2F%2Fwww.linkedin.com%2Fuas%2Foauth%2FaccessToken&oauth_consumer_key%3Dwfs3ema3hi9s%26oauth_nonce%3D1887241367210%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1331326503%26oauth_token%3D8b83142a-d5a6-452e-80ef-6e75b1b0ce18%26oauth_verifier%3D94828%26oauth_version%3D1.0

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Okay, so it was a stupid answer, but the problem was that I didn’t see the oauth_token_secret come in when the user allowed access to my app, so I was still trying to sign the request using only the consumer secret and not both the consumer secret and oauth token secret.

    • 0