
I started to develop a script to get contacts from a Yahoo user. Before getting contacts, I am having a problem getting the request token when I perform a request for a link like this:

<a class="yahoo" href="https://api.login.yahoo.com/oaut/v2/get_request_token?oauth_nonce=<?php echo uniqid() ?>&oauth_timestamp=<?php echo time() ?>&oauth_consumer_key=<?php echo $yahoo_consumer_key ?>&oauth_signature_method=plaintext&oauth_signature=<?php echo $yahoo_consumer_secret ?>&oauth_version=1.0&xoauth_lang_pref=en-us&oauth_callback=<?php echo urlencode('http://myfullurl.com') ?>">Get Contacts</a>

I get an HTTP header 401 Forbidden with the message: oauth_problem=signature_invalid

I do not know if I am setting the link correctly, but it was what I understood from http://developer.yahoo.com/oauth/guide/oauth-sign-plaintext.html

Reference: http://developer.yahoo.com/oauth/guide/oauth-requesttoken.html

user1519240

1 Answer

Your call to https://api.login.yahoo.com/oaut/v2/get_request_token has to be a server-side call, not a link the user has to click.

If you don't know how to do that, you should probably use some PHP OAuth library that handles this for you.

Then, as Yahoo is stating in their documentation:

For requests to get_request_token, the Token Secret is absent. Include only the Consumer Secret followed by an "&" character.

your oauth_signature should be:

&oauth_signature=<?php echo $yahoo_consumer_secret . "&" ?>

Jan Gerlinger

  • It doesn't need to be a server-side request, read 6.1.1 here: http://oauth.net/core/1.0/#auth_step1. It must be an HTTP request with GET or POST. The PHP OAuth library just performs a request via cURL, which is the same as if I perform a request by the user clicking on a link. I think that the "&" at the end of the consumer secret is just to separate it from other variables in the case of GET, but I have tried it too and it did not work. – user1519240 Aug 22 '12 at 13:11
  • No, it is not the same. The documentation states: `**The Consumer** obtains an unauthorized Request Token by asking the Service Provider to issue a Token.` *The Consumer* is your web application and **not** the user's browser! The `response token` would also be sent back to the user's browser and not to your web application, where you need it. Then you also certainly don't want the `consumer_secret` to be available to the public in your HTML source code. – Jan Gerlinger Aug 22 '12 at 13:33
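
The server-side call the answer describes, as an added example that is not part of the original posts or Yahoo's own code. The function names are hypothetical, the key, secret and callback are constructed placeholders, and the endpoint path is written as `/oauth/v2/`. It shows the PLAINTEXT signature built per OAuth Core 1.0 section 9.4 and percent-encoded, so the trailing "&" reaches the provider as `%26` instead of being read as a parameter separator.

```php
<?php
// Added example: server-side request-token call with a PLAINTEXT signature.
// Key, secret and callback used at the bottom are constructed placeholders.

const REQUEST_TOKEN_URL = 'https://api.login.yahoo.com/oauth/v2/get_request_token';

/** PLAINTEXT signature: encoded consumer secret, "&", encoded token secret (empty here). */
function plaintext_signature(string $consumerSecret, string $tokenSecret = ''): string
{
    return rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
}

/** Build the form body; http_build_query encodes the "&" inside the signature as %26. */
function request_token_body(string $key, string $secret, string $callback): string
{
    return http_build_query([
        'oauth_consumer_key'     => $key,
        'oauth_nonce'            => bin2hex(random_bytes(16)),
        'oauth_timestamp'        => (string) time(),
        'oauth_signature_method' => 'PLAINTEXT',
        'oauth_signature'        => plaintext_signature($secret),
        'oauth_version'          => '1.0',
        'oauth_callback'         => $callback,
    ], '', '&', PHP_QUERY_RFC3986);
}

/** POST from the web server, so the secret and the returned token never reach the browser. */
function fetch_request_token(string $body): array
{
    $ch = curl_init(REQUEST_TOKEN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $response = curl_exec($ch);
    $status   = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($response === false || $status !== 200) {
        throw new RuntimeException("request token call failed (HTTP $status): $response");
    }
    parse_str($response, $token); // oauth_token, oauth_token_secret, ...
    return $token;
}

// Offline check of the encoding with constructed values; no network call is made here.
$body = request_token_body('constructed-key', 'constructed-secret', 'http://myfullurl.com');
parse_str($body, $sent);
var_dump($sent['oauth_signature'] === 'constructed-secret&');
var_dump(strpos($body, 'oauth_signature=constructed-secret%26') !== false);
```

Keep the returned `oauth_token_secret` in the server-side session; only the `oauth_token` needs to travel through the browser when the user is redirected to authorize.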