Invalid signature for signing requests to the Flickr API (simulation in console)

Question

I'm trying to authenticate to the Flickr API for a demo application I want to make for myself. Then i will extend this app with new features that i'll learn of the Flick API's.

So this is just something i want to play with. But now I have some trouble in getting a request token.

I'm following the Flickr Authentication documentation here: Flickr Authentication
And i also found this Mathlabscript: Flickr API with OAuth-based user authentication

So based on these sources i have now the following console application:

class Program
{
    private static string Secret = "2b2b2b2b2b2b2b2b2b";
    private static string ConsumerKey = "1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a";

    static void Main(string[] args)
    {
        Random rand = new Random();

        string nonce = rand.Next(9999999).ToString();
        string timestamp = ((int)(DateTime.UtcNow - new DateTime(1970, 1, 1)).TotalSeconds).ToString();

        Console.WriteLine("Nonce: " + nonce);
        Console.WriteLine("TimeStamp: " + timestamp);

        Console.WriteLine("ConsumerKey: " + ConsumerKey);
        Console.WriteLine("AppSecret: " + Secret);

        //request url
        StringBuilder b = new StringBuilder();
        b.Append("http://www.flickr.com/services/oauth/request_token");
        b.Append("?");
        b.Append("oauth_nonce=");
        b.Append(nonce);
        b.Append("&oauth_timestamp=");
        b.Append(timestamp);
        b.Append("&oauth_consumer_key=");
        b.Append(ConsumerKey);
        b.Append("&oauth_callback=oob");
        b.Append("&oauth_signature_method=HMAC-SHA1");

        string requesturl = b.ToString();
        Console.WriteLine("RequestUrl: " + requesturl);

        //base url
        string basestring;
        StringBuilder bs = new StringBuilder();

        bs.Append("GET&");
        bs.Append(UrlHelper.Encode("http://www.flickr.com/services/oauth/request_token")+"&");
        basestring = bs.ToString();

        StringBuilder p = new StringBuilder();
        p.Append("oauth_callback=oob");
        p.Append("&oauth_consumer_key=");
        p.Append(ConsumerKey);
        p.Append("oauth_nonce=");
        p.Append(nonce);
        p.Append("&oauth_signature_method=HMAC-SHA1");
        p.Append("&oauth_timestamp=");
        p.Append(timestamp);

        string paramers = UrlHelper.Encode(p.ToString());

        basestring += paramers;
        Console.WriteLine("Basestring: " + basestring);



        System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding();

        string key = Secret + "&";
        Console.WriteLine("Key: " + key);

        byte[] keyByte = encoding.GetBytes(key);

        //--create message to encrypt
        byte[] messageBytes = encoding.GetBytes(basestring);

        //--encrypt message using hmac-sha1 with the provided key
        HMACSHA1 hmacsha1 = new HMACSHA1(keyByte);
        byte[] hashmessage = hmacsha1.ComputeHash(messageBytes);

        //--signature
        string signature = ByteToString(hashmessage);
        Console.WriteLine("Signature: " + signature);

        Console.WriteLine("Final Request: " + requesturl + "&oauth_signature=" + signature);  


        Console.ReadKey(true);



    }
    public static string ByteToString(byte[] buff)
    {
        string sbinary = "";

        for (int i = 0; i < buff.Length; i++)
        {
            sbinary += buff[i].ToString("X2"); // hex format
        }
        return (sbinary);
    }
}

When i browse to the url this applications give me, i get the following response:

oauth_problem=signature_invalid&debug_sbs=GET&http%3A%2F%2Fwww.flickr.com%2Fservices%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Fwww.google.be%26oauth_consumer_key%3D1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a%26oauth_nonce%3D27504343%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1329469580

It seems that my signature for the request is invalid.

I hope someone can help me get the right signature for these requests.

I know there is a FlickNet Library that already did the hard work for most of the developers but i think it can be useful to get this working too. I looked into the source code of FlickrNet but didn't find the final peace to complete this code.

Let me know if you can help me. It would be so great!

Thanks!

Answer 1

Ok, I finally found the answer myself. Here are a few things you have to keep in mind when signing requests for oauth.

1. signature must be encrypted with HMAC-SHA1 using the basestring(see nr.2) as text to be encrypted and the clientsecret and the token_secret (if you have one) (see nr. 3)
2. basestring = [HttpMethod]&[FlickrAPIEndpoint]&[Parameters]
3. Key for request oauth_token = [ApiSecret]& (or key = [ApiSecret]&[Oauth_token_secret] for request access_token)

IMPORTANT: FlickrAPIEndPoint and Parameters must be UrlEncoded (in two parts!) I have used a separate class for the encoding because the HttpUtility.UrlEncode method uses lowercase encoding while the uppercase encoding should be used.

IMPORTANT: Parameters must be in alphabetical order!

Here's the code for a console application that will create a signed request for a request token and a request token secret.

class Program
{
    private static string Secret = "9dcc18a121e9a02e";
    private static string ConsumerKey = "3aafc63ec6b05f3f9a9ff3a1c35ce541";
    private static string request_token = "";

    static void Main(string[] args)
    {

        string requestString = "http://www.flickr.com/services/oauth/request_token";

        //generate a random nonce and a timestamp
        Random rand = new Random();
        string nonce = rand.Next(999999).ToString();
        string timestamp = GetTimestamp();

        //create the parameter string in alphabetical order
        string parameters = "oauth_callback=" + UrlHelper.Encode("http://www.example.com");
        parameters += "&oauth_consumer_key=" + ConsumerKey;
        parameters += "&oauth_nonce=" + nonce;
        parameters += "&oauth_signature_method=HMAC-SHA1";
        parameters += "&oauth_timestamp=" + timestamp;
        parameters += "&oauth_version=1.0";

        //generate a signature base on the current requeststring and parameters
        string signature = generateSignature("GET", requestString, parameters);

        //add the parameters and signature to the requeststring
        string url = requestString + "?" + parameters + "&oauth_signature=" + signature;

        //test the request
        WebClient web = new WebClient();
        string result = web.DownloadString(url);

        Console.WriteLine("Flickr Response: ");
        Console.WriteLine(result); //contains the oauth_token and the oauth_token_secret
        Console.ReadKey(true);

    }

    private static string generateSignature(string httpMethod, string ApiEndpoint, string parameters)
    {
        //url encode the API endpoint and the parameters 

        //IMPORTANT NOTE:
        //encoded text should contain uppercase characters: '=' => %3D !!! (not %3d )
        //the HtmlUtility.UrlEncode creates lowercase encoded tags!
        //Here I use a urlencode class by Ian Hopkins
        string encodedUrl = UrlHelper.Encode(ApiEndpoint);
        string encodedParameters = UrlHelper.Encode(parameters);

        //generate the basestring
        string basestring = httpMethod + "&" + encodedUrl + "&";
        parameters = UrlHelper.Encode(parameters);
        basestring = basestring + parameters;

        //hmac-sha1 encryption:

        System.Text.ASCIIEncoding encoding = new System.Text.ASCIIEncoding();

        //create key (request_token can be an empty string)
        string key = Secret + "&" + request_token;
        byte[] keyByte = encoding.GetBytes(key);

        //create message to encrypt
        byte[] messageBytes = encoding.GetBytes(basestring);

        //encrypt message using hmac-sha1 with the provided key
        HMACSHA1 hmacsha1 = new HMACSHA1(keyByte);
        byte[] hashmessage = hmacsha1.ComputeHash(messageBytes);

        //signature is the base64 format for the genarated hmac-sha1 hash
        string signature = System.Convert.ToBase64String(hashmessage);

        //encode the signature to make it url safe and return the encoded url
        return UrlHelper.Encode(signature);

    }

    //generator of unix epoch time
    public static String GetTimestamp()
    {
        int epoch = (int)(DateTime.UtcNow - new DateTime(1970, 1, 1)).TotalSeconds;
        return epoch.ToString();
    } 

}

UrlHelper class by Ian Hopkins used for the url encoding

/// <summary> 
    /// URL encoding class.  Note: use at your own risk. 
    /// Written by: Ian Hopkins (http://www.lucidhelix.com) 
    /// Date: 2008-Dec-23 
    /// (Ported to C# by t3rse (http://www.t3rse.com)) 
    /// </summary> 
    public class UrlHelper
    {
        public static string Encode(string str)
        {
            var charClass = String.Format("0-9a-zA-Z{0}", Regex.Escape("-_.!~*'()"));
            return Regex.Replace(str,
                String.Format("[^{0}]", charClass),
                new MatchEvaluator(EncodeEvaluator));
        }
    public static string EncodeEvaluator(Match match)
    {
        return (match.Value == " ") ? "+" : String.Format("%{0:X2}", Convert.ToInt32(match.Value[0]));
    }

    public static string DecodeEvaluator(Match match)
    {
        return Convert.ToChar(int.Parse(match.Value.Substring(1), System.Globalization.NumberStyles.HexNumber)).ToString();
    }

    public static string Decode(string str)
    {
        return Regex.Replace(str.Replace('+', ' '), "%[0-9a-zA-Z][0-9a-zA-Z]", new MatchEvaluator(DecodeEvaluator));
    }
} 

Answer 2

Are you writing this from scratch? If so, you shouldn't. Use http://flickrnet.codeplex.com/ instead. This library has already done the heavy lifting for you.