Invalid Signature in Auth 1.0a implementing in PHP

Question

public function garminAction(){
    $url  =   'http://connectapitest.garmin.com/oauth-service-1.0/oauth/request_token';
    $oauth_consumer_key =   'XXXXXXXXX';
    $consumerSecret = 'XXXXXXXXX';
    $oauth_signature_method =   'HMAC-SHA1';
    $oauth_timestamp    =   time();
    $oauth_nonce    =   md5(mt_rand());
    $oauth_version  =   "1.0";
    $sig_string = urlencode($consumerSecret) . '&' . urlencode($oauth_consumer_key);
    $base_string1 =
    "POST&" .urlencode($url) . "&" .
    urlencode(
       "oauth_consumer_key=". $oauth_consumer_key
      . "&oauth_nonce=" . $oauth_nonce
      . "&oauth_signature_method=" . $oauth_signature_method
      . "&oauth_timestamp=" .$oauth_timestamp
      . "&oauth_version=" . $oauth_version
            );


    $oauthSig = base64_encode(hash_hmac("sha1", $base_string1, $sig_string, true));
    echo $oauthSig;
    $base_string =

    urlencode(
        "oauth_consumer_key=" . $oauth_consumer_key
        . "&oauth_signature_method=" . $oauth_signature_method
        . "&oauth_signature=" . $oauthSig
        . "&oauth_timestamp=" . $oauth_timestamp
        ."&oauth_version=" . $oauth_version
        . "&oauth_nonce=" . $oauth_nonce

    );

     $auth_header = "OAuth "
    . 'oauth_signature="' . rawurlencode($oauthSig) . '", '
    . 'oauth_version="' . rawurlencode($oauth_version) . '", '
    . 'oauth_nonce="' . rawurlencode($oauth_nonce) . '", '
    . 'oauth_signature_method="' . rawurlencode($oauth_signature_method) . '", '
    . 'oauth_consumer_key="' . rawurlencode($oauth_consumer_key) . '", '
    . 'oauth_timestamp="' . rawurlencode($oauth_timestamp) .'"';
    $ch = curl_init($url);

     curl_setopt($ch, CURLOPT_HTTPHEADER, [
         'Authorization: ' . $auth_header,
         'Content-Type: text/html'
     ]);
    curl_setopt($ch, CURLOPT_URL,$url); 
    curl_setopt($ch, CURLOPT_POSTFIELDS, $base_string);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $response = curl_exec($ch);
    echo $error = curl_errno ($ch);
    $error = curl_error($ch);
    echo $response;
    curl_close($ch);
    exit;

}

Its reponse is: HTTP Status 401 - Invalid signature for signature method HMAC-SHA1

Can you please help where the issue is in generating Signatures?

Can you provide a sample if you made it work? – abinop Feb 16 '20 at 10:29 — abinop, Feb 16 '20 at 10:29

score 1 · Accepted Answer · answered Feb 15 '17 at 15:21

1

The parameters in the base signature string must be encoded, too.

See section 3.4.1.3.2. "Parameters Normalization" in the OAuth RFC.

answered Feb 15 '17 at 15:21

cweiske

30,033
14
133
194

score 0 · Answer 2 · answered Feb 18 '20 at 14:31

Here is a sample that works for me (after a lot of trial & error and help from Garmin):

<?php
session_start();

$oauth_consumer_key = "XXXXXXXXX";
$oauth_consumer_secret = "XXXXXXXXX";
$oauth_signature_method = "HMAC-SHA1";
$oauth_token = "XXXXXXXXX"; 
$oauth_token_secret = "XXXXXXXXX";

$oauth_timestamp = time();
$oauth_version = "1.0";
$oauth_nonce = time();
$url = "https://connectapi.garmin.com/oauth-service/oauth/request_token";

$base_string = "POST&" . rawurlencode($url) ."&" .
    rawurlencode("oauth_consumer_key=$oauth_consumer_key"
        . "&oauth_nonce=$oauth_nonce"
        . "&oauth_signature_method=$oauth_signature_method"
        . "&oauth_timestamp=$oauth_timestamp"
        . "&oauth_version=$oauth_version");

$oauth_signature = hash_hmac("SHA1", $base_string, $oauth_consumer_secret . "&", false);
$oauth_signature = rawurlencode(base64_encode(pack('H*', $oauth_signature)));

$authorization_HTTP_header = "$url?oauth_consumer_key=". rawurlencode($oauth_consumer_key).
    "&oauth_signature_method=".$oauth_signature_method.
    "&oauth_timestamp=".$oauth_timestamp.
    "&oauth_nonce=". $oauth_nonce .
    "&oauth_version=1.0".
    "&oauth_signature=" . $oauth_signature;



$curl = curl_init();
curl_setopt_array($curl, array(
  CURLOPT_URL => $authorization_HTTP_header,
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",

));


$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

?>

I have used this `https://github.com/stoufa06/php-garmin-connect-api` php library to authenticate users, But the oauth_token and oauth_verifier is available only at the time of connection.. Is it possible to backfill activities later after connection . I tried a lot but didnt get that. In the above code `oauth_token` and `oauth_token_secret` is not clear for me — Ajith, Mar 11 '21 at 04:42

Invalid Signature in Auth 1.0a implementing in PHP

2 Answers2