How to resolve "Invalid signature. Expected signature base string" in OAuth 1.0

I'm attempting to get an access token and secret from a site using OAuth. The exchange of request token and request secret goes fine, but when it comes time to get the access tokens I get the error "Invalid signature. Expected signature base string."

Has anyone seen this error before or know what might be wrong? Here is the data I am getting back (after urldecode-ing it):

Invalid signature. Expected signature base string: POST 
https://www.readability.com/api/rest/v1/oauth/access_token 
oauth_consumer_key=my_consumer_key 
oauth_nonce=d9aff6a0011a633253c5ff9613c6833d79d52cbe 
oauth_signature_method=HMAC-SHA1 
oauth_timestamp=1311186899 
oauth_token=C8GF7D6ytPzQKdZVpy 
oauth_verifier=ncUV4tJSrS 
oauth_version=1.0 
signature=7jUuk6fsEL8XNYxVWcsfGXEreK0%3D 
Aaron Marks asked Jul 20 '11 18:07


2 Answers

As @genesis described, it is pretty painful to get the signature key right, but there is documentation for it, which can be seen at this link: http://oauth.net/core/1.0/#encoding_parameters.

The rule of thumb is, when you work with HMAC-SHA1:

  1. Generate the signature base string as "Method(POST/GET/etc)"&"encoded-string-for-your-target"&"encoded-string-of-your-oauth-params (consumer key, nonce, signature method, timestamp, token, and version)".
  2. The HMAC-SHA1 signature method uses the two secrets, client secret and token secret, as the HMAC-SHA1 algorithm key. To construct the key, each secret is UTF-8-encoded, URL-encoded, and concatenated into a single string using an '&' character as separator, even if either secret is empty.
  3. With the Signature Base String as the HMAC-SHA1 text and the concatenated secrets as key, the client generates the signature. The HMAC-SHA1 algorithm will generate an octet string as the result. The octet string must be base64-encoded with '=' padding.
  4. The calculated signature is added to the request using the 'oauth_signature' parameter. When the signature is verified by the server, this parameter is not included in the signature workflow, as it was not part of the Signature Base String signed by the client. When the signature is included in the HTTP request, it must be properly encoded as required by the method used to transmit the parameters.

Source: http://nouncer.com/oauth/authentication.html

Parama Dharmika answered Nov 15 '22 21:11
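The four steps above, carried through end to end as an added example (this is illustration code written for this page, not code from the question's author, the answerer, or the Readability API). The method, URL and oauth_* values are the ones the server echoed back in the question's error message; the two secrets (`CONSUMER_SECRET`, `TOKEN_SECRET`) and all function names are constructed for the example. It also includes a server-side verifier and a small helper for locating the first character at which a client's base string departs from the one the server reports as expected, which is the comparison the error message invites.

```python
"""OAuth 1.0 HMAC-SHA1 signing, step by step (added example, not from the post).

oauth_* values are the ones the server echoed in the question; the two
secrets are constructed placeholders, since the post never shows them.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit, urlunsplit


def percent_encode(value: str) -> str:
    # OAuth Core 1.0 section 5.1: only RFC 3986 unreserved characters
    # (ALPHA, DIGIT, '-', '.', '_', '~') stay literal; everything else,
    # space and '+' included, becomes upper-case %XX of its UTF-8 bytes.
    return quote(value.encode("utf-8"), safe="-._~")


def normalize_url(url: str) -> str:
    # Step 1, target part: scheme and host lower-cased, default port,
    # query string and fragment dropped (query parameters are signed as
    # parameters, not as part of the URL).
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def normalize_params(params: dict) -> str:
    # Step 1, parameter part: every oauth_* parameter plus any query or
    # body parameter, except oauth_signature (step 4), each key and value
    # encoded, sorted by key then value, joined as key=value pairs by '&'.
    pairs = sorted(
        (percent_encode(k), percent_encode(v))
        for k, v in params.items()
        if k != "oauth_signature"
    )
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Step 1: METHOD & encode(url) & encode(normalized params). The two
    # inner parts are percent-encoded a second time, which is why '=' and
    # '&' appear as %3D and %26 in a correct base string.
    return "&".join([method.upper(),
                     percent_encode(normalize_url(url)),
                     percent_encode(normalize_params(params))])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    # Step 2: encode(consumer secret) '&' encode(token secret); the '&'
    # is there even when the token secret is empty (request-token call).
    return f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"


def hmac_sha1_signature(base_string: str, consumer_secret: str,
                        token_secret: str = "") -> str:
    # Step 3: HMAC-SHA1 over the base string, base64 with '=' padding.
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_signature(method: str, url: str, params: dict,
                     consumer_secret: str, token_secret: str) -> bool:
    # Server side: rebuild the base string from the request (the presented
    # oauth_signature is skipped by normalize_params) and compare the
    # recomputed value in constant time.
    presented = params.get("oauth_signature", "")
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


def first_difference(expected: str, actual: str) -> int:
    # Debugging aid for exactly the error in the question: index of the
    # first character where the client's base string departs from the one
    # the server echoed back, or -1 if the two are identical.
    for i, (a, b) in enumerate(zip(expected, actual)):
        if a != b:
            return i
    return -1 if len(expected) == len(actual) else min(len(expected), len(actual))


# Values echoed by the server in the question; the secrets are placeholders.
ACCESS_TOKEN_URL = "https://www.readability.com/api/rest/v1/oauth/access_token"
PAGE_PARAMS = {
    "oauth_consumer_key": "my_consumer_key",
    "oauth_nonce": "d9aff6a0011a633253c5ff9613c6833d79d52cbe",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1311186899",
    "oauth_token": "C8GF7D6ytPzQKdZVpy",
    "oauth_verifier": "ncUV4tJSrS",
    "oauth_version": "1.0",
}
CONSUMER_SECRET = "placeholder-consumer-secret"        # constructed
TOKEN_SECRET = "placeholder-request-token-secret"      # constructed

if __name__ == "__main__":
    base = signature_base_string("POST", ACCESS_TOKEN_URL, PAGE_PARAMS)
    sig = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    signed = dict(PAGE_PARAMS, oauth_signature=sig)
    print(base)
    print("oauth_signature =", sig)
    print("verifies:", verify_signature("POST", ACCESS_TOKEN_URL, signed,
                                        CONSUMER_SECRET, TOKEN_SECRET))
    # Signing the access-token call with an empty token secret (a common
    # slip, since the request-token call legitimately uses one) yields a
    # value the server will reject with exactly the error in the question.
    print("matches without token secret:",
          hmac_sha1_signature(base, CONSUMER_SECRET, "") == sig)
```

Two points the steps leave implicit and the code makes explicit: the base string is double-encoded, so a correct one contains `%3D` and `%26` rather than `=` and `&` (the server's error message in the question has been URL-decoded once, which is why it reads as plain `key=value` lines), and at the access-token step the HMAC key must end with the request-token secret received in the previous exchange, not an empty string.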


You can take a look here; it was asked about a week ago. Response:

Getting the OAuth signature stuff exactly right is always a huge pain. You should try hard to make sure the base string your library generates is just like the one the server is expecting. Once that's true, the only way you can screw up is to hmac with the wrong key(s).

genesis answered Nov 15 '22 21:11