I have noticed situations in which MySpace's URL encoding produces different results from PHP's urlencode function. For example: the ~ is not consistently encoded between the two -- effectively making my code useless for people trying to use /~userdir directories.

There are probably other differences that are causing problems for some, sadly I don't have time to help anyone individually.

I am getting very inconsistent results with the authentication.

It works 'sometimes' from IE and never from Firefox (well not yet it is random).  I am using the modified code below.  I am always hitting the same page from an external iFrame.  I am dumping all the variables and cannot understand why the signatures matche sometimes and not others.   The only changes in the $base_string seem to be the expected changes in oauth_nonce, oauth_timestamp, and opensocial_token.

Any ideas as to what stupid thing I am missing here?

Thanks in advance,

Clint

        $remote_signature = $_GET['oauth_signature'];
        $url = strtolower( $_SERVER['SCRIPT_URI'] ); //for debugging.  I have tried hard coded page value also
        unset( $_GET['oauth_signature'] );
        ksort( $_GET );
        $param_string = '';
        $first = 0;
        foreach ($_GET as $key => $value) {
            if ($first == 1) {
                $param_string .= '&'.$key.'='.urlencode($value);
            }
            else {
                $param_string .= $key.'='.urlencode($value);
            }
            $first = 1;
        }

        $base_string = 'GET&'.
                       urlencode( $url ) . '&'.
                       //urlencode( http_build_query( $_GET ) );
                       urlencode( $param_string );
        $secret = $app->getSecret() . '&';

        $local_signature = base64_encode( hash_hmac( "sha1", $base_string, $secret, TRUE ) );

        if ( $remote_signature == $local_signature) {
            echo 'success ';
            print "url = $url secret = $secret remote = $remote_signature  local = $local_signature base_string = $base_string\n";
        }
        else {
            echo 'not validated! ';
            print "url = $url secret = $secret remote = $remote_signature  local = $local_signature base_string = $base_string\n";
        }

I figured out what my problem was.  If you use the external iFrame instead of the canvas with the makeRequest you get some additional parameters in the initial request.  The problem is that the opensocial_token MAY contain spaces.  After all of the processing mySpace is encoding these spaces as %2520 (ascii for space %20 encoded again).  However in the above code the space is getting encoded as %2B (turned into a + then encoded).

 Replace the %2B with %2520 and you are golden.  phew.

 Here is my final code.

Good luck!

Clint

            $remote_signature = $_GET['oauth_signature'];
            //$url = strtolower( 'http://clintokontendeuroswe.myspace.clinto.robinsonsplace.com/' );
            $url = strtolower( $_SERVER['SCRIPT_URI'] );
            unset( $_GET['oauth_signature'] );
            ksort( $_GET );
            $getString = urlencode( http_build_query( $_GET ) );
            $getString = str_replace( '%2B', '%2520', $getString );
            $base_string = 'GET&'.
                       urlencode( $url ) . '&'.
                       //urlencode( http_build_query( $_GET ) );
                       $getString;

            $secret = '5f1ce2b5c4464bec9afe8e6c4de08c2d' . '&';

            $local_signature = base64_encode( hash_hmac( "sha1", $base_string, $secret, TRUE ) );

            if ( $remote_signature == $local_signature ) {

Im trying to reproduce the invite app found here (http://profile.myspace.com/Modules/Applications/Pages/Canvas.aspx?appId=112908) within this iframe, but am getting some errors.  Have you guys successfully been able to use opensocial within your frames?  From what I understand there are 2 nested frames here.  One default provided by MySpace, and the other one specifically inserted in the following code added to the top of the canvas surface:

<iframe id="msiframe" name="msiframe" src="" height="1000" width="790" frameborder="0"></iframe>

 The inner frame doesn't have the required opensocial js libraries included. When I try to manaully include them I get a lot of errors...

Just wanted to give whoevers still reading this thread an update on my experiences.  I got the auth working with php.  I followed all the suggested posts in this thread, but I noticed one thing that was off.  The call to http_build_query would return a query string that used &amp; as the arg seperator instead of & by default.  In short, it was url encoding the seperators in addition to the params.  You can call http_build_query with $arg_separator (the 3rd arg) to explicitly tell it to use &, and that worked for me!  The signatures now match.  Heres my complete code along with some helpful urls for me:

$this_url = strtolower('http://xxx/phpauth.php');

$myspace_secret="xxx"; //your myspace secret key

$opensocial_viewer_id=$_GET[opensocial_viewer_id];
$oauth_signature=$_GET[oauth_signature];

// check the sigs and make sure its  the real deal
$remote_signature = $_GET['oauth_signature'];
unset($_GET['oauth_signature']);
ksort($_GET);
$url_me=urlencode($this_url);
$g_me = urlencode(http_build_query($_GET, null, '&'));
$base_string = "GET&$url_me&$g_me";
$secret = "$myspace_secret&";
$local_signature = base64_encode(hash_hmac("sha1", $base_string, $secret, TRUE));

http://meyerweb.com/eric/tools/dencoder/

http://us2.php.net/http_build_query

Hope that helps someone out there.  Now alls left to do is to get this thing working in ruby...

$this_url = strtolower('http://xxx/phpauth.php');

$myspace_secret="xxx"; //your myspace secret key

$opensocial_viewer_id=$_GET[opensocial_viewer_id];
$oauth_signature=$_GET[oauth_signature];

// check the sigs and make sure its  the real deal
$remote_signature = $_GET['oauth_signature'];
unset($_GET['oauth_signature']);
ksort($_GET);
$url_me=urlencode($this_url);
$g_me=urlencode(http_build_query($_GET, null, '&'));
$g_me=str_replace( '%2B', '%2520', $g_me );
$base_string = "GET&$url_me&$g_me";
$secret = "$myspace_secret&";
$local_signature = base64_encode(hash_hmac("sha1", $base_string, $secret, TRUE));