MySpace Open Platform

A Place For Developers

Still problems with OAuth validation.... :(

Last post 06-15-2008 5:18 PM by vasya. 13 replies.
Page 1 of 1 (14 items)
  • 03-15-2008 3:19 AM

    • Jim
    • Not Ranked
    • Joined on 02-05-2008
    • Posts 2

    Still problems with OAuth validation.... :(

    Hi,

    We were trying to get the authentication working... but still no luck! I saw many posts here on the same subject but still not working for us.

    We are making a simple signed makeRequest() with GET,

     These are the params we get on the server,

    //---------------------------------------------------------------------

    Array
    (
        [oauth_consumer_key] => http://www.myspace.com/355154726
        [oauth_nonce] => 633411724215468750
        [oauth_signature] => ea+PBmFyv+kdDlsFJHL0b51/ApA=
        [oauth_signature_method] => HMAC-SHA1
        [oauth_timestamp] => 1205575621
        [oauth_token] =>
        [oauth_version] => 1.0
        [opensocial_owner_id] => 115753438
        [opensocial_viewer_id] => 115753438
    )

    //---------------------------------------------------------------------

     

    Here is the PHP code to validate the request,

    //---------------------------------------------------------------------

    $secret = '16ef670a1ead48838f0ea7dd74e2efa2';
    $consumer = 'http://www.myspace.com/355154726';

    foreach( $_GET as $key => $val )
            if( !isset( $_POST[ $key ] ) )
                        $_POST[ $key ] = $val;

    $sig = OAuthRequest::from_request()->build_signature(
                                new OAuthSignatureMethod_HMAC_SHA1(),
                                new OAuthConsumer( $consumer, $secret),
                                new OAuthToken(null,null)
                       );       
    // Compare in constant time; a request without oauth_signature fails
    if(hash_equals($sig, (string)($_GET['oauth_signature'] ?? ''))){
        echo 'Authenticated';
    }else{
        echo 'Authentication failed';
    }

    //---------------------------------------------------------------------

    The signature generated by the PHP side is,

    6y1y3iKmwiemfIxo872xnXYh5vY=

    This is the same as the one which is generated by the OAuth testing tool. But the signature in the params is different.

    ea+PBmFyv+kdDlsFJHL0b51/ApA=

     

    The base string generated (both PHP and OAuth tool) was,

    GET&http%3A%2F%2Fdev2.actonme.com%2Fmyspace%2Fphotoattack%2F0.9.2%2Findex.php&oauth_consumer_key%3Dhttp%253A%252F%252Fwww.myspace.com%252F355154726%26oauth_nonce%3D633411724215468750%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1205575621%26oauth_token%3D%26oauth_version%3D1.0%26opensocial_owner_id%3D115753438%26opensocial_viewer_id%3D115753438
     

    I know many of you get it working... please help guys ;)

    ~ Jim

     

     
  • 03-16-2008 1:39 PM In reply to

    Re: Still problems with OAuth validation.... :(

    I've been going over this for a couple of days now, and suddenly something occurred to me.

    I'm not sure about the inner mechanics of the PHP library, but I'm going to take a stab in the dark that it isn't filtering out the 'oauth_signature' when it's building the basestring. You'll have to do that yourself when you move the $_GET variables over to $_POST -- just code it to exclude $_GET['oauth_signature'] . I'd do an example here but my PHP is really rusty.

  • 03-16-2008 5:20 PM In reply to

    • Roger
    • Top 75 Contributor
    • Joined on 03-11-2008
    • Posts 49

    Re: Still problems with OAuth validation.... :(

    Hello,

    The same problem here. The base string and computed signature match exactly with the values I get with the OAuth Tool (EXACTLY THE SAME!!!!!!!!). As a side note, I am filtering the oauth_signature to generate the base string (otherwise my computed hash wouldn't match the OAuth Tool's one).
    I've also played with the tool (adding and removing params) to see if I could get the same wrong oauth_signature that I'm currently receiving on my side (at least to know if the problem was that the OAuth tool and makeRequest used different params to calculate the signature by mistake). I didn't succeed with that.
    I would say that there's some kind of bug on MySpace *** that only affects certain apps *** and that is causing that whenever we use makeRequest, the signature is being calculated in the wrong way. Maybe the consumer secret they're using is not the right one, who knows... I'm totally lost with this now. If the base string and signature that I generate didn't match the ones I get with the tool it would be obvious that I'm doing something wrong, but that's not the case.
    In my case, I'm doing a POST request. Here are the important values (the ones that can suppose a problem) I've set on OAuth Tool:

    Method: POST
    Form Encoded Parameters: a=10&connID=1205709119125&fpid=0&length=12&opensocial_owner_id=325721767&opensocial_viewer_id=325721767&p=11
    Server: http://www.myserver.com
    Resource URL: Controller
    Consumer Key: http://www.myspace.com/my_url
    Consumer Secret: the one listed under my app's details

    To do my tests, I print to my app's log all the parameters I receive on a request (all of them, thus including oauth_*, opensocial_* and other params like "connID" that are also being added by MySpace to the request). I also print the base string I generate and the signature I compute. Then I go to the OAuth Tool and paste the right oauth_timestamp, oauth_nonce.... to the appropriate fields. Then I just can keep frustrated after seeing that everything matches with what I'm calculating except that the oauth_signature value I received is not correct.
    If someone at MySpace can take a look into this, my appId is 103489. I would really appreciate any hint on what's happening...

    Roger

  • 03-16-2008 5:57 PM In reply to

    • Roger
    • Top 75 Contributor
    • Joined on 03-11-2008
    • Posts 49

    Re: Still problems with OAuth validation.... :(

    It's me again. I was thinking on something that could be happening...
    What if MySpace was using some extra params to calculate the signature, but they forgot to include those in the request finally sent to our app? If those extra params exist or not depending on the app (only MySpace knows that) it could explain why some people have OAuth working and some others don't. Just a hypothesis....

    Roger 

  • 03-16-2008 6:19 PM In reply to

    Re: Still problems with OAuth validation.... :(

    Edit: Nope, wrong on that.

    I think you're half right -- MySpace is generating a different basestring than what you see in the OAuthTool, but in almost all the cases I've seen, the inability to match the signatures is a result of people doing something wrong when they create their own basestrings. There have been a couple of errors on MySpace's side, to be sure (the 'not encoding' of certain characters that should be encoded, and the wrong encoding of '%20', which becomes an encoded '+' instead of a double encoded space), but they are universal; they affect everyone. I think you need to pin down encoding first before you throw the blame on "mystery" parameters.

  • 03-17-2008 12:12 PM In reply to

    • Roger
    • Top 75 Contributor
    • Joined on 03-11-2008
    • Posts 49

    Re: Still problems with OAuth validation.... :(

     Jeremy,

    Thanks for replying. Well, in my case (as you can see on the example request I posted) there were no params with spaces, so it was not an encoding problem. Anyway, I finally found the problem, so here I'll explain it in case it can help someone else...

    I have my own JSON js library loaded on our canvas page. Because of the JSON library we're using, I can't call the gadgets.io.encodeValues(postdata) function to encode post parameters because it also adds the JSON hooks of an object to the fields object that this function receives, as extra params. Thus, I implemented my own function and made the mistake of generating my post string starting with an "&". Basically, the string was generated concatenating "&param=value" encoded pairs and I forgot to remove the first & after that process. The thing is that MySpace was considering that first & somewhere at the time of generating the signature. However, the params I received at my end were the ones I was expecting (no extra null param or something regarding the extra &). Therefore, the signature I was generating at my end didn't match the one sent by MySpace. The OAuth tool didn't help me much, as the values I was providing were those generated according to the params I was receiving, without considering the phantom parameter. So at the end, Jeremy, I was right: there was a "mystery" parameter. I know I know... it was added by myself, though! But anyway.... MySpace shouldn't be considering that extra & to generate the signature and then send only the rest of the parameters to our server.

    Anyway, I'm happy to start playing with the encoding issues now :)

    Roger.

  • 03-19-2008 3:03 AM In reply to

    Re: Still problems with OAuth validation.... :(

     I noticed that your $consumer variable points to myspace.com, I believe it should point to the location of your PHP server; for example, www.yourserver.com/myspace/myproject/

    I use PHP and was able to authenticate, the only difference being my $consumer variable.

    - Mark

  • 03-26-2008 9:49 AM In reply to

    • Drums
    • Not Ranked
    • Joined on 03-25-2008
    • Posts 3

    Re: Still problems with OAuth validation.... :(

     I outlined a hack I had to use to get OAuth working on my end in php here http://developer.myspace.com/Community/forums/p/804/5859.aspx#5859 in case it's the same issue

  • 03-27-2008 5:31 AM In reply to

    • Nick
    • Not Ranked
    • Joined on 02-09-2008
    • Posts 9

    Re: Still problems with OAuth validation.... :(

    I'm having problems validating also, and would really like to know something - My base strings match up exactly when using the OAuth Tool, or at least they appear to. Is it possible that, although they are showing the same characters, they could still be different through character type?

    Other than that, I have no clue why it's not validating. I've been using code that seems to work for most people here:

    $this_url = strtolower('http://www.mydomain.com/index.php');
    $myspace_secret="xxxxx"; //your myspace secret key    

    // array keys must be quoted strings, not bare constants
    $opensocial_viewer_id=$_GET['opensocial_viewer_id'];
    $oauth_signature=$_GET['oauth_signature'];
     
    // check the sigs and make sure its  the real deal
    $remote_signature = $_GET['oauth_signature'];
    unset($_GET['oauth_signature']);
    ksort($_GET);
    $url_me=urlencode($this_url);
    $g_me=urlencode(http_build_query($_GET));
    $base_string = "GET&$url_me&$g_me";
    $secret = $myspace_secret."&";
    $local_signature = base64_encode(hash_hmac("sha1", $base_string, $secret, TRUE));

    // constant-time comparison of the two signatures
    if (hash_equals($local_signature, (string)$remote_signature)){
      echo 'success';
      }

     I've tried several different codes also, still with no luck. Anyone have any ideas?

  • 03-27-2008 10:39 AM In reply to

    • Drums
    • Not Ranked
    • Joined on 03-25-2008
    • Posts 3

    Re: Still problems with OAuth validation.... :(

     add the code that I pasted above and it should work... the $_GET[''] = ''; bit

  • 03-27-2008 1:45 PM In reply to

    • Nick
    • Not Ranked
    • Joined on 02-09-2008
    • Posts 9

    Re: Still problems with OAuth validation.... :(

    Drums:

     add the code that I pasted above and it should work... the $_GET[''] = ''; bit

    Thanks for your reply, but I actually did add that too and still no luck.

    Also, it may help to know that my local signature always looks something like this:

    peAkjKCO+0ipeD+/tvvMUMiG0XI=

    It always has addition signs in it and an equal sign at the end, while the remote (correct) signature looks like this:

    2Q94Xbl/OSVuzUBH33UCF55onUw

    Every time it's been like this, any more ideas? Thanks!

  • 03-27-2008 2:45 PM In reply to

    • Nick
    • Not Ranked
    • Joined on 02-09-2008
    • Posts 9

    Re: Still problems with OAuth validation.... :(

    I got it! What was screwing it up was the & needed to be '&' in the code. The base strings looked exactly the same, even though they weren't because of this. Also, the equal sign is just appended at the end of the sig, for which you append one on the remote sig before comparison - simple.

    Hope this helps for anyone else! 

  • 03-28-2008 9:02 PM In reply to

    Re: Still problems with OAuth validation.... :(

    Here's what I'm using which was based on something someone else posted a while ago. I wish I could remember who it was.

    It pretty much works unless there's strange characters in the query string like punctuation marks.

    Note that it only requires the secret key. Not the consumer key or any tokens. I've been thinking of getting a better version using OAuth libraries, but it's good enough for now.

    function validateSig() {
     // $_GET and $_SERVER are superglobals and need no global declaration
     global $appsecret;
     $isvalid = false;
      // a request without a signature is never valid
      $remote_signature = isset($_GET['oauth_signature']) ? $_GET['oauth_signature'] : '';
      $url = strtolower($_SERVER["SCRIPT_URI"]);
      unset($_GET['oauth_signature']);
      ksort($_GET);
      $base_string = 'GET&'.urlencode($url).'&'.urlencode(http_build_query($_GET));
      $local_signature = base64_encode(hash_hmac("sha1", $base_string, $appsecret.'&', TRUE));
      // constant-time comparison of the two signatures
      if (hash_equals($local_signature, (string)$remote_signature)) $isvalid = true;
     return $isvalid;
    }
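
An added example (not code from any poster in this thread or from MySpace) of OAuth 1.0 HMAC-SHA1 verification that percent-encodes per RFC 3986, the point behind the '%20' versus '+' remark earlier in the thread and the punctuation failure mentioned in the post above. The function names, secret, URL and parameters are constructed for illustration, and it assumes `$url` is the request URL without its query string and that all parameter values are scalars.

```php
<?php
// Added example, not code from the thread. Function names and sample values are constructed.

// Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
// rawurlencode() is RFC 3986 encoding: a space becomes %20, never '+'.
function oauth_base_string(string $method, string $url, array $params): string {
    unset($params['oauth_signature']);            // never part of the base string
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = [rawurlencode((string)$name), rawurlencode((string)$value)];
    }
    // Sort by encoded name, then by encoded value, in byte order.
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $query = implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode($query);
}

function oauth_sign(string $base, string $consumerSecret, string $tokenSecret = ''): string {
    // HMAC key is "consumer secret & token secret"; the '&' stays even with an empty token secret.
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

function oauth_verify(string $method, string $url, array $params, string $consumerSecret): bool {
    $received = (string)($params['oauth_signature'] ?? '');
    $expected = oauth_sign(oauth_base_string($method, $url, $params), $consumerSecret);
    return $received !== '' && hash_equals($expected, $received);   // constant-time compare
}

// Constructed request with a space and punctuation in one value.
$secret = 'constructed-secret';
$url    = 'http://www.example.com/index.php';
$params = [
    'opensocial_viewer_id' => '12345',
    'oauth_timestamp'      => '1205575621',
    'oauth_nonce'          => 'abc123',
    'status'               => 'hello world!',
];
$base = oauth_base_string('GET', $url, $params);
$params['oauth_signature'] = oauth_sign($base, $secret);
var_dump(oauth_verify('GET', $url, $params, $secret));

// The thread's urlencode(http_build_query()) form turns the space into '+' and then '%2B',
// where the RFC 3986 form gives '%2520', so the two base strings differ for this request.
$legacy = $params;
unset($legacy['oauth_signature']);
ksort($legacy);
$legacyBase = 'GET&' . urlencode($url) . '&' . urlencode(http_build_query($legacy));
var_dump($legacyBase === $base);
```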

  • 06-15-2008 5:18 PM In reply to

    • vasya
    • Not Ranked
    • Joined on 03-13-2008
    • Posts 1

    Re: Still problems with OAuth validation.... :(

    I have a very stupid question :) My web hosting doesn't have $_SERVER["SCRIPT_URI"]; what other variable can I use?
