flickr oauth api returns signature invalid error at random times

Question

I have a web app that authenticates users to their flickr api. It makes use of OAuth 1.0 and authentication works most of the time. But at random times, at completely random times, flickr doesn't recognize my signature. It returns invalid signature error while requesting for a request token. But the same code in the next attempt would bring back request token properly.

I suspect that it has something to do with the way I generate nonce or time stamp. Otherwise it shouldn't work in the successive attempt, right?

This is how I generate nonce and time stamp values:

$nonce   = md5(microtime(true).rand());
$timestamp  = mktime();

Is there any problem in this? Are there any better ways to generate a nonce value? This random failure is very confusing. I can't think of any other reason why I'd get an invalid error, RANDOMLY!

---

Followup

As per Jan Gerlinger's suggestion, I changed mktime() to time(). It surely has reduced the frequency of occurrences. But still it gives invalid signature error at random times, very rarely after changing to time(), I might add.

So, I'm assuming that timestamp(mktime) was one of the issues causing these random errors. But something else is still going wrong there. Maybe in nonce generation?

Answer 1

Depending on your PHP version, you should use time() instead of mktime().

For the nonce, the documentation says:

A nonce is a random string, uniquely generated by the client to allow the server to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure channel. The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations.

If rand() would return you the same value twice in a microsecond, you would get the same nonce twice. Also generating an MD5 hash does not guarantee you to get uniqe values because of MD5 collisions. The better method here would be to have a global counter for the nonce.

If you get this error quite often however, the nonce is probably not your problem, as these collisions should not happen very often.

Sometimes the problem with invalid signature errors is that the client's server time differs from the provider's server time, so you could check if there's something weird happening on your server with time synchronization.