0

I am trying to get access to my Withings/Nokia scales data via oauth (.net core C#).

Instructions can be found at: https://oauth.withings.com/en/api/oauthguide

And API guide here: https://developer.health.nokia.com/api#step1

I have achieved Part 1 - I get an auth token and secret.

Part 2 - manually I have retrieved a code authorizing my app's usage of my withings scales data - i.e. auth code as a result of the call back (via the API developers page). I am presuming this only needs to be done once to authorize my app's access permanently. I have hardcoded this value into my code and update it if I re-authorize the app.

Now I am stuck on Part 3 - getting the access token/secret. ERROR = Invalid signature

(using the above page I have been able to retrieve my 4 years worth of scales data so I know it should work).

My base signature is identical to the above API test page (apart from the nonce, signature and timestamp).

My url is identical to to the above API test page (apart from the nonce and timestamp).

The mystery for me is why this works for Part 1 and not Part 3. Is it the code that is bad or simply that the request token must be authorized against the application/users data before a request can be made? But surely I don't have to re-authorize with the user every time??

I originally messed up the Part 1 and gave an invalid signature error - this was clearly an issue with the signature - but I have re-checked the signature in Part 3 and it is good.

private const string AUTH_VERSION = "1.0";
private const string SIGNATURE_METHOD = "HMAC-SHA1";

private const string BASE_URL_REQUEST_AUTH_TOKEN = "https://developer.health.nokia.com/account/request_token";
private const string BASE_URL_REQUEST_ACCESS_TOKEN = "https://developer.health.nokia.com/account/access_token";

...

Withings w = new Withings();
OAuthToken t = await w.GetOAuthToken();
string token = t.OAuth_Token;
string secret = t.OAuth_Token_Secret;
OAuthAccessToken at = await w.GetOAuthAccess(t);
string aToken = at.OAuth_Token;
string aTokenSecret = at.OAuth_Token_Secret;

...

public async Task<OAuthAccessToken> GetOAuthAccess(OAuthToken authToken)
        {
            OAuthAccessToken token = new OAuthAccessToken();

            try
            {
                string random = GetRandomString();
                string timestamp = GetTimestamp();

                string baseSignature = GetOAuthAccessSignature(authToken, random, timestamp);
                string hashSignature = ComputeHash(baseSignature, CONSUMER_SECRET, authToken.OAuth_Token_Secret);
                string codeSignature = UrlEncode(hashSignature);

                string requestUrl = GetOAuthAccessUrl(authToken, codeSignature, random, timestamp);

                HttpResponseMessage response = await client.GetAsync(requestUrl);
                string responseBodyAsText = await response.Content.ReadAsStringAsync();

                string[] parameters = responseBodyAsText.Split('&');
                token.OAuth_Token = parameters[0].Split('=')[1].ToString();
                token.OAuth_Token_Secret = parameters[1].Split('=')[1].ToString();

            }
            catch (Exception ex)
            {

            }
            return token;
        }

private string GetOAuthAccessSignature(OAuthToken authToken, string random, string timestamp)
        {
            var urlDict = new SortedDictionary<string, string>
            {
                //{ "oauth_consumer_key", CONSUMER_KEY},
                { "oauth_nonce", random},
                { "oauth_signature_method", UrlEncode(SIGNATURE_METHOD)},
                { "oauth_timestamp", timestamp},
                { "oauth_token", END_USER_AUTHORISATION_REQUEST_TOKEN },
                { "oauth_version", AUTH_VERSION}
            };

            StringBuilder sb = new StringBuilder();
            sb.Append("GET&" + UrlEncode(BASE_URL_REQUEST_ACCESS_TOKEN) + "&oauth_consumer_key%3D" + CONSUMER_KEY);

            int count = 0;
            foreach (var urlItem in urlDict)
            {
                count++;
                if (count >= 1) sb.Append(UrlEncode("&"));
                sb.Append(UrlEncode(urlItem.Key + "=" + urlItem.Value));
            }

            return sb.ToString();
        }

        private string GetOAuthAccessUrl(OAuthToken authToken, string signature, string random, string timestamp)
        {
            var urlDict = new SortedDictionary<string, string>
            {
                { "oauth_consumer_key", CONSUMER_KEY},
                { "oauth_nonce", random},
                { "oauth_signature", signature },
                { "oauth_signature_method", UrlEncode(SIGNATURE_METHOD)},
                { "oauth_timestamp", timestamp},
                { "oauth_token", END_USER_AUTHORISATION_REQUEST_TOKEN },
                { "oauth_version", AUTH_VERSION}
            };

            StringBuilder sb = new StringBuilder();
            sb.Append(BASE_URL_REQUEST_ACCESS_TOKEN + "?");

            int count = 0;
            foreach (var urlItem in urlDict)
            {
                count++;
                if (count > 1) sb.Append("&");
                sb.Append(urlItem.Key + "=" + urlItem.Value);
            }

            return sb.ToString();
        }

Notes:

  • I have ordered my parameters
  • I have a decent urlencode (correct me wrong)
  • I have a hmac-sha1 hashing (correct me wrong)
  • Not interested in using open libraries - I want to fix this code without third party tools

Below is the helper methods I am using:

private string ComputeHash(string data, string consumerSecret, string tokenSecret = null)
        {
            // Construct secret key based on consumer key (and optionally include token secret)
            string secretKey = consumerSecret + "&";
            if (tokenSecret != null) secretKey += tokenSecret;

            // Initialise with secret key
            System.Security.Cryptography.HMACSHA1 hmacsha = new System.Security.Cryptography.HMACSHA1(Encoding.ASCII.GetBytes(secretKey));
            hmacsha.Initialize();

            // Convert data into byte array
            byte[] dataBuffer = Encoding.ASCII.GetBytes(data);

            // Computer hash of data byte array
            byte[] hashBytes = hmacsha.ComputeHash(dataBuffer);

            // Return the base 64 of the result
            return Convert.ToBase64String(hashBytes);
        }

        // Get random string
        private string GetRandomString()
        {
            return Guid.NewGuid().ToString().Replace("-", "");
        }

        // Get timestamp
        private string GetTimestamp()
        {
            var ts = DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, 0);
            return Convert.ToInt64(ts.TotalSeconds).ToString();
        }

        // Url Encode (as Uri.Escape is reported to be not appropriate for this purpose)
        protected string UnreservedChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.~";
        protected string UrlEncode(string value)
        {
            var result = new StringBuilder();
            foreach (var symbol in value)
            {
                if (UnreservedChars.IndexOf(symbol) != -1)
                    result.Append(symbol);
                else
                    result.Append('%' + $"{(int)symbol:X2}");
            }
            return result.ToString();
        }

Thanks,Dan.

DanAbdn
  • 7,151
  • 7
  • 27
  • 38

1 Answers1

2

Solved - this was a problem with my understanding of how oauth works.

Step 1 - Get a token (this allows you to make requests based on your api account application)

Step 2 - Create a URL (using the 2 minute token above) that redirects the user to authorize your Withings api applications to use a specific user's account. The same token is returned as you passed it - but now it will be allowed to make the request in step 3.

Step 3 - Requests an access token - this will give you an token and secret string that permits your continued access to this user's account (for your api account application).

Step 4 - Requesting data - similar in method to all previous steps - quite easy. Returns a big long string of data. Read the API documents as you can filter - which is what I will be doing as I have about 4/5 years worth of 'interesting' weight data.

I was doing step 1 and then doing step 3 thinking that the code returned from step 2 (not having noticed it was the same as the one put in) could be stored and used for step 3 without having to re-authorize.

You can actually (and what I have done) is follow the API demo interface to generate the auth token and secret in step 3 and that's all you need to continue to request data. You only need user authorization once and store step 3 auth token/secret against a user account / a store of some sort.

Also note that you can invoke notifications - new weight triggers your website to automatically refresh the data. Great if you just want to login and see the latest data without having the manually trigger a refresh of the data / cause a further delay.

Be aware that the API has filtering options - so make sure you read up on those.

Here's some (basic) code which may be of some use:

        public async Task<string> GetData_BodyMeasures()
    {
        string rawdata = "";

        try
        {
            string random = GetRandomString();
            string timestamp = GetTimestamp();

            string baseSignature = GetDataSignature_BodyMeasure(random, timestamp);
            string hashSignature = ComputeHash(baseSignature, CONSUMER_SECRET, ACCESS_OAUTH_TOKEN_SECRET);
            string codeSignature = UrlEncode(hashSignature);

            string requestUrl = GetData_BodyMeasure_Url(codeSignature, random, timestamp);

            HttpResponseMessage response = await client.GetAsync(requestUrl);
            string responseBodyAsText = await response.Content.ReadAsStringAsync();

            rawdata = responseBodyAsText;

        }
        catch (Exception ex)
        {

        }
        return rawdata;
    }




    private string GetDataSignature_BodyMeasure(string random, string timestamp)
    {
        var urlDict = new SortedDictionary<string, string>
        {
            { "oauth_consumer_key", CONSUMER_KEY},
            { "oauth_nonce", random},
            { "oauth_signature_method", SIGNATURE_METHOD},
            { "oauth_timestamp", timestamp},
            { "oauth_token", ACCESS_OAUTH_TOKEN },
            { "oauth_version", AUTH_VERSION},
            { "userid", USER_ID }
        };

        StringBuilder sb = new StringBuilder();
        sb.Append("GET&" + UrlEncode(BASE_URL_REQUEST_BODY_MEASURE) + "&action%3Dgetmeas");

        int count = 0;
        foreach (var urlItem in urlDict)
        {
            count++;
            if (count >= 1) sb.Append(UrlEncode("&"));
            sb.Append(UrlEncode(urlItem.Key + "=" + urlItem.Value));
        }

        return sb.ToString();
    }


    private string GetData_BodyMeasure_Url(string signature, string random, string timestamp)
    {
        var urlDict = new SortedDictionary<string, string>
        {
            { "action", "getmeas"},
            { "oauth_consumer_key", CONSUMER_KEY},
            { "oauth_nonce", random},
            { "oauth_signature", signature },
            { "oauth_signature_method", UrlEncode(SIGNATURE_METHOD)},
            { "oauth_timestamp", timestamp},
            { "oauth_token", ACCESS_OAUTH_TOKEN },
            { "oauth_version", AUTH_VERSION},
            { "userid", USER_ID }
        };

        StringBuilder sb = new StringBuilder();
        sb.Append(BASE_URL_REQUEST_BODY_MEASURE + "?");

        int count = 0;
        foreach (var urlItem in urlDict)
        {
            count++;
            if (count >= 1) sb.Append("&");
            sb.Append(urlItem.Key + "=" + urlItem.Value);
        }

        return sb.ToString();
    }
DanAbdn
  • 7,151
  • 7
  • 27
  • 38