So while working through an implementation of OAuth using Django-Piston I encountered the error mentioned here: "Invalid signature": oAuth provider with Django-piston
The solutions posted previously were not working for me so I began digging deeper into both Piston(https://bitbucket.org/jespern/django-piston/overview) and Scribe (https://github.com/fernandezpablo85/scribe-java).
It turns out that when signing a Scribe request with a JSON String payload, only the OAuth parameters are actually signed. This causes Piston to fail signature validation as Piston signs all of the parameters in the payload in addition to the OAuth parameters.
I was able to modify Piston to only sign the OAuth parameters and everything is now working fine. Being a bit new to OAuth I was not sure if the is the correct fix, one alternative would be to modify Scribe to sign the payload content as well (or perhaps append each parameter in the payload rather than attaching it as a String).
Does anyone have insight into the proper way to address this issue?
The OAuth spec doesn’t say anything about payload (not parameters). Some providers do sign it but that’s up to them. Not signing the body contents (xml, json, etc) in Scribe it’s a design decision and it’s not going to change.