Xero Developer Community

OAuth refresh token issues (failed to validate signature)

Started by Travelbank Developer -   in Partner Program

I am trying to refresh the token for our 'partner' application.

I used the following steps.

- Generated private/public keypair using the steps mentioned in https://developer.xero.com/documentation/api-guides/create-publicprivate-key
- Uploaded the public cert generated above to the Xero App management console.

- Created a signature using the node 'oauth' library with
  extra_params = {
    oauth_session_handle: 'XXXXXXXXXX'
  };

and appended this signature to the request as a query param, which is also signed using the same private_key

We are sending a GET request,

GET https://api.xero.com/oauth/AccessToken?oauth_session_handle=EK7EWZBLAPC6FXI3JNPQ

The signature is prepared using the following params:
{
  'oauth_timestamp': this._getTimestamp(),
  'oauth_nonce': 'xkcdxkcdxkcdxkcd',
  'oauth_version': '1.0',
  'oauth_signature_method': 'RSA-SHA1',
  'oauth_consumer_key': 'APP_CONSUMER_KEY',
  'oauth_session_handle': 'EK7EWZBLAPC6FXI3JNPQ',
  'oauth_token': 'ACCESS_TOKEN_RECEIVED_AFTER_USER_AUTHORIZATION'
}

which results in the following authorization header.
Authorization-Header:
oauth_consumer_key="GHCMAXTF6OFMG1SN95KN8ARBOOC0ZX",oauth_nonce="8EGzeacxQr5rhmfkPQyIip0b9WlXCkGV",oauth_session_handle="EK7EWZBLAPC6FXI3JNPQ",oauth_signature_method="RSA-SHA1",oauth_timestamp="1487115804",oauth_token="E5FZAATM7HKWXZ3C1DSC2SH8BYQNEB",oauth_version="1.0",oauth_signature="Y%2FF1bs%2F595XCDvt2y4Sx6%2BucQTgdWbX%2BHQTXpkDQoIHr9siRs648ZzELLzbz4LCU51MOslkC3DZlnA93nZg%2FJyPVdl14V41am9HjKawzCxvAXviaF%2BXAclt2TaYLo3o66Ai0h%2BAKzYyJfOSHvdese3WB72Qgux06kOdAxF1cfvI%3D"


The error that we receive is again { statusCode: 401,
data: 'oauth_problem=signature_invalid&oauth_problem_advice=Failed%20to%20validate%20signature' }

We are running it locally. We are able to get accounts, post contacts, and post invoices as well, but it fails on refreshing tokens.

Is there anything else that we can try to know more about the error?

Are we missing some parameter? It looks like we are not passing any secret token. Is it because of the 'RSA-SHA1' signing?

Thanks! Any help is appreciated. It is very hard to proceed further without any detailed message from the service provider.
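
One way to learn more about a signature_invalid response is to rebuild the RFC 5849 signature base string locally and verify the RSA-SHA1 signature against the public key. This is an added example, not part of the original post and not Xero's or the node 'oauth' library's code; the function names, the throwaway key pair and the placeholder values are assumptions. It shows that a parameter the signer counted once but the verifier collects twice (RFC 5849 gathers parameters from both the query string and the Authorization header) no longer verifies.

```javascript
// Added example; function names and all values are constructed placeholders.
const crypto = require('crypto');

// RFC 5849 section 3.6 percent-encoding (stricter than encodeURIComponent).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// RFC 5849 section 3.4.1: METHOD & base URI & sorted, encoded name=value pairs.
// `pairs` is an array so a name collected twice is counted twice; `url` is the
// base URI without its query string.
function baseString(method, url, pairs) {
  const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);
  const norm = pairs
    .filter(([k]) => k !== 'oauth_signature')
    .map(([k, v]) => [enc(k), enc(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  return [method.toUpperCase(), enc(url), enc(norm)].join('&');
}

// RSA-SHA1 is RSASSA-PKCS1-v1_5 with SHA-1 over the base string.
const sign = (base, key) => crypto.sign('sha1', Buffer.from(base), key).toString('base64');
const verify = (base, sig, key) =>
  crypto.verify('sha1', Buffer.from(base), key, Buffer.from(sig, 'base64'));

function demo() {
  // Throwaway key pair standing in for the uploaded certificate's key pair.
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const url = 'https://api.xero.com/oauth/AccessToken';
  const handle = ['oauth_session_handle', 'SESSION_HANDLE'];
  const signed = [
    ['oauth_consumer_key', 'APP_CONSUMER_KEY'], ['oauth_nonce', 'xkcdxkcdxkcdxkcd'],
    ['oauth_signature_method', 'RSA-SHA1'], ['oauth_timestamp', '1487115804'],
    ['oauth_token', 'ACCESS_TOKEN'], ['oauth_version', '1.0'],
    handle,
  ];
  const clientBase = baseString('GET', url, signed);
  const sig = sign(clientBase, privateKey);
  // Verifier that collected the handle from both the query and the header.
  const doubledBase = baseString('GET', url, [...signed, handle]);
  return {
    clientBase,
    onceVerifies: verify(clientBase, sig, publicKey),
    twiceVerifies: verify(doubledBase, sig, publicKey),
  };
}
console.log(demo());
```

Printing the base string next to the exact URL and header that were sent makes it possible to compare, parameter by parameter, what was signed against what the request carries.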