
Invalid Signature Problems

Started by Nik Wakelin in API Authentication

I'm trying to request an Access Token (i.e. POST access token) from Objective-C, for which there are no code samples. I'm using AFOAuth1Client (https://github.com/AFNetworking/AFOAuth1Client). This is what the raw request/response looks like (note that I've since regenerated the consumer key/secret; I needed to include the ones I was using, as the problem is signature generation).


So Xero is saying that the signature I'm generating is invalid :(

But when I generate the signature locally, using the following ruby code:


I get the exact same OAuth signature string as the one in the Authorization header above.

I can't think why the AccessToken request isn't working when the RequestToken one is - am I missing some parameters or something else that Xero expects? Or, (more likely) just doing something stupid?

Looking at a successful request from another library, it seems the only differences are:

* Extra headers (Accept-Encoding and the like);
* The inclusion of a POST body and;
* The inclusion of an oauth_body_hash parameter in the Authorization header (in this case just the Base64'd HMAC-SHA1 of an empty string).

Removing the POST body doesn't fix the signature issue, nor does including the oauth_body_hash. I'm left with the extra headers. A few of them seem to be added by default by Apple, so it's somewhat of a mission to remove them, but once they're removed I should have the exact request that's being sent by the other library.

Nik Wakelin

Hey Nik

I wouldn't waste any time on the headers, I don't think they are the issue.

Am I right in reading that you can do a GET RequestToken, but POST is where you are having difficulty?

If so, I would zone in on the POST body - it should be included and be part of the signature AFAIK - did you get any further since your update yesterday?

Ronan Quirke (Community Manager)

Hey Ronan,

Thanks for checking up :)

You're completely correct on the POST body point. It looks like the library is falling foul of this part of the spec.

Basically the spec says to include EITHER the parameters in the Authorization: header, or as part of the POST body, in that preference order.

So, if I don't send anything in the POST body it works like a charm! Yay!

By the way, it seems like the API doesn't mind if you do a GET or a POST for the token requests (the PHP sample code uses GET for both Request and Access tokens). The spec says "POST" is preferred for both, so I'm doing that (and that's what the Ruby OAuth library does).

I'll hopefully get a chance to clean up and release some Objective-C sample code in the next few weeks, so let me know if you'd like to use that.

Thanks again for your help!

Nik Wakelin
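As an added example (not code from this thread, AFOAuth1Client or Xero), here is the OAuth 1.0a HMAC-SHA1 signing procedure the two posts above are talking about, written in Ruby, with a helper that shows why putting the oauth_* parameters in both the Authorization header and the POST body breaks the signature: the server folds the form-encoded body into the parameter set before signing, so the client's base string no longer matches. Credentials, nonce and the endpoint URL are constructed placeholders.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# RFC 3986 percent-encoding as OAuth 1.0a requires (RFC 5849 s3.6):
# only A-Z a-z 0-9 - . _ ~ stay literal; everything else is %XX per byte.
def oauth_encode(str)
  str.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

# Signature base string (RFC 5849 s3.4.1): METHOD & encoded base URL & encoded
# normalised parameters. `params` is an array of [key, value] pairs so that
# duplicate keys are kept, as the spec requires. Assumes the URL carries no
# query string and uses the default port; query pairs would go in `params`.
def signature_base_string(method, url, params)
  uri = URI.parse(url)
  base_url = "#{uri.scheme}://#{uri.host}#{uri.path}"
  normalized = params.map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort                       # by encoded key, then value
                     .map { |k, v| "#{k}=#{v}" }
                     .join('&')
  [method.upcase, oauth_encode(base_url), oauth_encode(normalized)].join('&')
end

# HMAC-SHA1 over the base string (RFC 5849 s3.4.2); the key is the encoded
# consumer secret, '&', and the encoded token secret (empty for RequestToken).
def hmac_sha1_signature(base_string, consumer_secret, token_secret = '')
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), key, base_string))
end

# Constructed sample values; none of these are real Xero credentials.
CONSUMER_SECRET = 'constructed-consumer-secret'
TOKEN_SECRET    = 'constructed-request-token-secret'
OAUTH_PARAMS = [
  %w[oauth_consumer_key constructed-consumer-key],
  %w[oauth_token constructed-request-token],
  %w[oauth_verifier 123456],
  %w[oauth_signature_method HMAC-SHA1],
  %w[oauth_timestamp 1357000000],
  %w[oauth_nonce constructednonce],
  %w[oauth_version 1.0]
].freeze

# The client signs only what it put in the Authorization header; the server
# also adds every application/x-www-form-urlencoded body pair (s3.4.1.3.1).
# Returns both signatures and whether they agree.
def compare_signatures(body_params)
  url = 'https://example.invalid/oauth/AccessToken' # placeholder endpoint
  sign = ->(params) { hmac_sha1_signature(signature_base_string('POST', url, params), CONSUMER_SECRET, TOKEN_SECRET) }
  client = sign.call(OAUTH_PARAMS)
  server = sign.call(OAUTH_PARAMS + body_params)
  { client: client, server: server, match: client == server }
end
```

With an empty body the two signatures agree; repeating the oauth_* pairs in the body, or adding any form field the client did not sign, makes them diverge, which is the "invalid signature" the thread describes.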

I've made a pull request for this bug on GitHub.

Nik Wakelin