
PL/SQL OpenID+OAuth Implementation - 400 - Bad Request

I am trying to implement the hybrid (OpenID+OAuth) protocol using PL/SQL. I have set up OpenID authentication successfully with Google for my site http://example.com, where the user is directed to Google Accounts for authentication. After successful authentication, the user is redirected back to example.com with an OAuthRequestToken attached. I am then trying to exchange this token for an OAuthAccessToken to access various Google services. The OAuthRequestToken that I get after hybrid (OpenID+OAuth) authentication is as follows:

oauth_token = 4/AR17dDMb4xHG3L4WFYLIzkhCj0c7

The oauth_base_string I get is as follows:

oauth_base_string = GET&https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthGetAccessToken&oauth_consumer_key%3Dexample.com%26oauth_nonce%3D56575A5754587057576E6C77576B78695757354F%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1308046070%26oauth_version%3D1.0%26oauth_token%3D4%2FAR17dDMb4xHG3L4WFYLIzkhCj0c7

I then place a request to exchange this oauth_token (OAuthRequestToken) for an OAuthAccessToken, with the parameters in the query string itself:

https://www.google.com/accounts/OAuthGetAccessToken?oauth_consumer_key=example.com&oauth_token=4/AR17dDMb4xHG3L4WFYLIzkhCj0c7&oauth_signature_method=HMAC-SHA1&oauth_signature=RpqSLGp5nIGvL8W4vmC8inUfBFQ%3D&oauth_timestamp=1308046070&oauth_nonce=56575A5754587057576E6C77576B78695757354F&oauth_version=1.0

This results in 400 - Bad Request.

I have tried searching for something similar but still no luck. This post from Stack Overflow deals with a similar issue. It says:

...% escaping can be an issue

which is a bit confusing.

Do we have to urlencode oauth_signature param twice in the request?

I am using the following code to generate oauth_signature:

oauth_sig_mac := DBMS_CRYPTO.mac(
    UTL_I18N.string_to_raw(oauth_base_string, 'AL32UTF8'),
    DBMS_CRYPTO.hmac_sh1,
    UTL_I18N.string_to_raw(oauth_key, 'AL32UTF8'));

oauth_signature := UTL_RAW.cast_to_varchar2(
    UTL_ENCODE.base64_encode(oauth_sig_mac));

Here:

oauth_key := urlencode('oauth-consumer-secret-key') || '&';

Any help is greatly appreciated.

Prateek Choudhary asked Jun 14 '11 11:06


1 Answer

I recommend using https://runscope.com to test your API. It's great.

I make my calls to the Zero API using OAuth 1.0, so I'm not sure if it's just the endpoint that's different, but a couple of things you could check are:

Encoding the OAuth token you receive from the previous request so that the '/' is ASCII encoded.

And test your API through Runscope to check your timestamp; if it's too old or too new, this will throw a bad request.

P.S. A bad request is a better error than the 401 Unauthorised, so you're almost there.

Sweet Chilly Philly answered Oct 04 '22 02:10
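For comparing against the PL/SQL output, here is an added reference sketch in Python (not code from either post) of the RFC 5849 signature base string and HMAC-SHA1 signature, using the parameter values from the question. Its base string differs from the one quoted in the question in two places: parameters are sorted by name, and the '/' in oauth_token appears as %252F because the parameter string is escaped twice. The function names, the consumer secret placeholder and the empty token secret are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # RFC 5849 section 3.6: escape everything except A-Z a-z 0-9 - . _ ~
    return quote(value, safe="-._~")


def base_string(method, url, params):
    # Escape each name and value, sort by name, join as name=value pairs.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # The joined string is escaped a second time, so a '/' inside a value
    # appears as %252F in the base string, not %2F.
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # Assumption: empty token secret, matching the key built in the question.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    mac = hmac.new(key.encode(), base_string(method, url, params).encode(),
                   hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def query_string(params, signature):
    # On the wire every value, the signature included, is escaped exactly once.
    full = dict(params, oauth_signature=signature)
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(full.items()))


# Parameter values copied from the question.
URL = "https://www.google.com/accounts/OAuthGetAccessToken"
PARAMS = {
    "oauth_consumer_key": "example.com",
    "oauth_token": "4/AR17dDMb4xHG3L4WFYLIzkhCj0c7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1308046070",
    "oauth_nonce": "56575A5754587057576E6C77576B78695757354F",
    "oauth_version": "1.0",
}
SECRET = "constructed-consumer-secret"  # placeholder, not a real secret

if __name__ == "__main__":
    print(base_string("GET", URL, PARAMS))
    print(query_string(PARAMS, sign("GET", URL, PARAMS, SECRET)))
```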