MySpace Open Platform

Please provide PHP code that validates oauth_signature

Last post 10-09-2008 3:53 PM by Ligys Studios. 7 replies.
Page 1 of 1 (8 items)
  • 04-09-2008 8:28 PM

    Please provide PHP code that validates oauth_signature

    Please provide PHP code that validates oauth_signature with the OAuth Consumer Secret. If a library needs to be included, then please provide the URL where the library can be downloaded, and please indicate any manual changes that must be made to the library for it to work with the MDP’s current configuration.

    Please only provide code that has been recently tested. I have tried every code sample in these forums that relate to this issue, and none of them work.

     

  • 04-10-2008 2:45 AM In reply to

    • Chris
    • Not Ranked
    • Joined on 02-06-2008
    • Posts 7

    Re: Please provide PHP code that validates oauth_signature

    If I'd read this post a week ago I'd have agreed with you, but I've managed to get OAuth working successfully with my own code which is loosely based upon some of the code snippets I've found on the forums here (the main modifications I've made are either to make the code more readable or to help fit it into the framework I'm building).

    I have found that you need to worry more about making sure the variables (if any) that you send over with a makeRequest() call are encoded in the same way as OAuth treats them. For example my validation code works, but currently it fails if you send over a string variable that has any non-alphanumeric characters (e.g. space, !"£$% ...). I've got a way to fix that but the point is that the error is in my code elsewhere, not in the OAuth validation function.

    I've posted my own working code below but I'm still working on that at the moment to remove the problem I noted above with non-alphanumeric characters and I still have to test it when using GET requests (in theory it *should* work but I've not tested that yet). It works in most cases, but I wouldn't say it's ready for use in the real world so I wouldn't suggest using it for anything you need to put live quickly. Look at it more like something to play about with and base your own code on.

     

    Chris 

     

    ps. for reference my code is based on the code posted by Nick & TK in this thread: http://developer.myspace.com/Community/forums/t/1087.aspx 

     ############

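     function checkSig($targetURL, $consumerKey, $secretKey, $mode = "POST") {

        // If the request URI contains "?=&" (an empty parameter name), add that empty-named parameter.
        if(preg_match('/\?=&/', $_SERVER['REQUEST_URI'])) {
            $_GET[''] = '';
        }

        // Take the signature out of the parameters; it is not part of the signed text.
        $checkSig = NULL;
        if(isset($_GET['oauth_signature'])) {
            $checkSig = $_GET['oauth_signature'];
            unset($_GET['oauth_signature']);
        }
        // No (or a non-string) signature means there is nothing to validate.
        if(!is_string($checkSig)) {
            return FALSE;
        }

        // Query-string parameters are merged into $_POST so that POST mode signs both sets.
        foreach($_GET as $key => $value) {
            $_POST[$key] = $value;
        }

        if(strcmp($mode, "POST") == 0) {
            $vars = $_POST;
        } else {
            $vars = $_GET;
        }

        // Build the parameter part of the base string from the sorted parameters.
        ksort($vars);
        $getString = "";
        $firstVar = TRUE;
        $vars["oauth_consumer_key"]= urlencode($vars["oauth_consumer_key"]);
        foreach($vars as $key => $value) {
            if($firstVar == TRUE) {
                $firstVar = FALSE;
                $getString .= urlencode($key) . urlencode("=") . urlencode($value);
            } else {
                $getString .= urlencode("&") . urlencode($key) . urlencode("=") . urlencode($value);
            }
        }

        // Base string: method, encoded URL, encoded parameters. Key: consumer secret plus "&".
        $text = $mode . '&' . urlencode($targetURL) . '&' . $getString;
        $key = $secretKey . "&" . "";
        $sig = base64_encode(hash_hmac("sha1", $text, $key, TRUE));
        // Constant-time comparison (hash_equals needs PHP 5.6+).
        return hash_equals($sig, $checkSig);
    }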

  • 04-10-2008 7:49 AM In reply to

    Re: Please provide PHP code that validates oauth_signature

    Chris, thank you for your reply, but unfortunately your code did not work.

    I am trying to use the Install Callback URL. When my App is installed, my PHP script is called, but none of the code posted on these forums will correctly validate the oauth_signature with the OAuth Consumer Secret.

    It appears that apps are using this mechanism to credit users for referrals. They attach a "userid_to_credit" parameter to the end of their install URL. I assume that the "userid_to_credit" is passed to the Install Callback URL.

    Is there any documentation which describes how to accomplish this (with an example), or is this a well-kept secret?

     

  • 04-10-2008 8:13 AM In reply to

    • Chris
    • Not Ranked
    • Joined on 02-06-2008
    • Posts 7

    Re: Please provide PHP code that validates oauth_signature

     If the code I posted doesn't work then I suspect it's linked to one or more of the variables being passed into the script at install-time. I know that for a regular makeRequest call you have to strip out the "opensocial_signature" parameter to make the signature validate so perhaps there are more parameters that need to be stripped out. I would suggest getting a list of all the variables that are being passed into the php script (var_dump etc...) and then try different combinations of variables until something works.

     As for documentation about all of this, pretty much everything I've learned so far about makeRequest has been either through trial & error, or from forum threads.

  • 04-10-2008 8:20 AM In reply to

    Re: Please provide PHP code that validates oauth_signature

    Chris,

    Your reply did not answer my question.

    With all due respect, please only reply to this post if you can provide a tested example that actually works. Otherwise, the MDP team thinks that this issue has been resolved, which it has not.

    This issue is still open.

  • 04-10-2008 10:26 AM In reply to

    Re: Please provide PHP code that validates oauth_signature

    This chunk of PHP (originally posted by CrushSpot) verifies callback urls for me:

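    <?php
        // Signature sent with the callback; empty string if the parameter is missing.
        $remote_signature = isset($_GET['oauth_signature']) ? $_GET['oauth_signature'] : '';
        // Must match the configured Callback URL exactly.
        $url = strtolower('http://myserver.net/uri_to_this_script.php');
        // The signature itself is not part of the signed text.
        unset($_GET['oauth_signature']);
        ksort($_GET);
        // Base string: method, encoded URL, encoded sorted query string.
        $base_string = 'GET&'.
                       urlencode($url).'&'.
                       urlencode(http_build_query($_GET));
        // HMAC key: the App's Security Key followed by '&'.
        $secret = 'security_key'.'&';

        $local_signature = base64_encode(hash_hmac("sha1", $base_string, $secret, TRUE));

        // Constant-time comparison (hash_equals needs PHP 5.6+).
        if (is_string($remote_signature) && hash_equals($local_signature, $remote_signature)) {
            $fh = fopen("cb_output.txt", 'w');
            fwrite($fh, "Authenticationed!\n");
            fclose($fh);
        } else {
            $fh = fopen("cb_output.txt", 'w');
            fwrite($fh, "Authentication FAILED!\n");
            fwrite($fh, "Remote Sig: ".$remote_signature."\n");
            fwrite($fh, "Local Sig: ".$local_signature."\n");
            fclose($fh);
        }
    ?>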

    What it does is write to a file, 'cb_output.txt', whether or not the ping authenticated. Obviously, that's not going to work long term, but it does for a simple test.

    Two notes:
    $url needs to be set to the URL of the file, and needs to match what you set the Callback URL to precisely.

    $secret needs to be set to the Security Key of the calling App, and it needs an '&' appended to the end.

    Now, as far as this:

    It appears that apps are using this mechanism to credit users for referrals. They attach a "userid_to_credit" parameter to the end of their install URL. I assume that the "userid_to_credit" is passed to the Install Callback URL.

    I've never seen this work. If you have a link to the App that does this, cool, 'cause I'd like to see what they're doing. This sort of functionality has been requested by a fair number of users in the Suggestions forums, and that tells me it's not implemented. Maybe the App designers are hoping and planning ahead, 'cause no parameters from the referring Profile URL get passed along to the Callback URL that I've seen.
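
Added example, not part of any post in this thread and not MySpace's own code: a signature check that follows the OAuth Core 1.0 base-string rules (RFC 3986 percent-encoding, parameters sorted after encoding), which covers both the callback check in the post above and the non-alphanumeric values mentioned earlier in the thread. The function names, the `note` parameter and all sample values are constructed for illustration; whether the platform's signer matches these rules in every detail is an assumption.

```php
<?php
// Added example: OAuth 1.0 HMAC-SHA1 check. Function names are hypothetical.
// RFC 3986 percent-encoding: a space becomes %20 (urlencode() would emit '+').
function oauth_encode($s) {
    return rawurlencode((string) $s);
}

// Signature base string: METHOD & encoded URL & encoded, sorted parameter string.
function oauth_base_string($method, $url, array $params) {
    unset($params['oauth_signature']);      // the signature itself is never signed
    $pairs = array();
    foreach ($params as $k => $v) {
        $pairs[] = array(oauth_encode($k), oauth_encode($v));
    }
    usort($pairs, function ($a, $b) {       // byte order by name, then by value
        return strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]);
    });
    $joined = implode('&', array_map(function ($p) {
        return $p[0] . '=' . $p[1];
    }, $pairs));
    // Encoding $joined again is what double-encodes each name and value.
    return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode($joined);
}
function oauth_sign($base, $consumerSecret, $tokenSecret = '') {
    $key = oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

function oauth_verify($method, $url, array $params, $consumerSecret) {
    if (!isset($params['oauth_signature']) || !is_string($params['oauth_signature'])) {
        return false;                       // missing or array-valued signature
    }
    $expected = oauth_sign(oauth_base_string($method, $url, $params), $consumerSecret);
    return hash_equals($expected, $params['oauth_signature']);  // constant time, PHP >= 5.6
}

// Constructed sample request (URL and secret reuse the placeholders from the post above).
$url    = 'http://myserver.net/uri_to_this_script.php';
$secret = 'security_key';
$params = array(
    'oauth_consumer_key' => 'http://example.com/app',
    'oauth_nonce'        => 'abc123',
    'oauth_timestamp'    => '1207850000',
    'note'               => 'hello world & more!',
);
$params['oauth_signature'] = oauth_sign(oauth_base_string('GET', $url, $params), $secret);
var_dump(oauth_verify('GET', $url, $params, $secret));  // untouched request
$params['note'] = 'tampered';
var_dump(oauth_verify('GET', $url, $params, $secret));  // signed parameter changed
```

In a real callback handler, `$params` would be the received request parameters, and the nonce and timestamp would also be checked for replay, which this block does not do.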

  • 04-10-2008 11:53 AM In reply to

    Re: Please provide PHP code that validates oauth_signature

    Jeremy,

    As always, your code worked perfectly.

    Regarding your question as to apps that appear to use this mechanism to credit users for referrals:

    Check out any of the Zynga apps, including Ace Texas Hold'em Poker. When a user refers new members, the user receives additional "points" to play with. This is done via a link to their server which includes a "sid" parameter. That link redirects to the MySpace installation page for their app, WITHOUT the "sid" parameter. So the big question is: How does Zynga know that the new member was referred by a particular user? It would seem they would have to credit the user for a referral, even if the new member does not complete the installation process. What do you think?

  • 10-09-2008 3:53 PM In reply to

    Re: Please provide PHP code that validates oauth_signature

    I know this thread is a bit old...

    But I had a thought on your question about how Zynga does it: doesn't Zynga track the friend's ID on the invite? If so, why couldn't they just check to see if that user had been referred or not from a variable in the database after they click invite?
