I am mostly seeking guidance on how to debug a problem.

I've made great progress building out a Ruby client to use the etrade api. All of the GET requests succeed without error.

I have finally gotten to where I'm ready to preview orders. The preview API requires a POST. All attempts fail with a "401 Unauthorized" and the "www-authenticate" header field has this value:

    "www-authenticate"=>
      ["OAuth realm=https://etws.etrade.com/,oauth_problem=signature_invalid"]

I modified the python sample client to submit an order in JSON format and it works just fine. I am attaching the header information here:

    Header: {
    'User-Agent': 'python-requests/2.26.0',
    'Accept-Encoding': 'gzip, deflate',
    'Accept': '*/*',
    'Connection': 'keep-alive',
    'content-type': 'application/json',
    'consumerkey': 'redacted',
    'Cookie': 'JSESSIONID=B0991AEDFB40036760E989CD68D67A02.tomcat2',
    'Content-Length': '678',
    'Authorization': 'OAuth realm="",oauth_consumer_key="redacted",oauth_nonce="b1c65498f902f514f3b2beb5c7cabdffd0de869b",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1637599276",oauth_token="at4brpqxlCWCqlB7Ee4L5EQt1MmjNxbejM2buystXYE%3D",oauth_version="1.0",oauth_signature="%2BfWs51yqISrSiSSRICjA0g7th88%3D"'}

Here are the HTTP headers for the failing attempt using my Ruby client:

    {
    "content-type"=>["application/json"],
    "accept-encoding"=>["gzip;q=1.0,deflate;q=0.6,identity;q=0.3"],
    "accept"=>["*/*"],
    "user-agent"=>["OAuth gem v0.5.6"],
    "content-length"=>["666"],
    "authorization"=>
      ["OAuth oauth_body_hash=\"%2BlouJdUEjS15m7dFs2YNSjJQFBA%3D\", oauth_consumer_key=\"redacted\", oauth_nonce=\"Hfy7oEwa7mLRXVBXtzh7Q6pqYOOltCVSWFJbNuiDnwc\", oauth_signature=\"gheE%2BlZV3EXO2LxnQvBJknfw20c%3D\", oauth_signature_method=\"HMAC-SHA1\", oauth_timestamp=\"1637607291\", oauth_token=\"DO%2B92%2Bsz8Hv03lkCYbV1n6XTrH2emCIwcJ%2FHyWS%2BUOw%3D\", oauth_version=\"1.0\""],
    "connection"=>["close"],
    "host"=>["api.etrade.com"]}

I'm using the https://rubygems.org/gems/oauth gem, which is the Ruby standard for OAuth 1.0/1.0a. I didn't write any of that code; presumably the get/post/put functions all work correctly since they are used by dozens of other projects.

But clearly something isn't being set or calculated correctly at the oauth level when I do my POST. Googling around indicated that this error is sometimes generated when the 'Content-Type' field isn't set correctly, so I made sure it was set to 'application/json'. No help. BTW, I also tried sending XML (and setting appropriate content-type) and no joy. I essentially copy/pasted the examples from the docs so I know the POST body is correct. I also pasted the same info into the python test client and it worked there just fine. Frustrating!

I didn't post code because there's no way to make a super simple repro. Anyone have guidance on how to debug this thing? Is there an online tool I can use to validate the OAuth pieces maybe?

  • Per https://tools.ietf.org/id/draft-eaton-oauth-bodyhash-00.html any non-form url-encoded body should include the "oauth_body_hash" in the header. The working python version does NOT include that. I'm wondering if this is the issue. That key is required for json or xml content types so removing it by hacking the library seems like a bad idea. I may try it just to check it off the list. – Chuck Remes Nov 22 '21 at 20:59
  • Potential bug in the library. Discussion started here: https://github.com/oauth-xx/oauth-ruby/discussions/230 – Chuck Remes Nov 23 '21 at 00:38
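
One way to check the OAuth pieces offline, as an added example (not code from the post or from the oauth gem): recompute the RFC 5849 signature base string and HMAC-SHA1 signature from a captured Authorization header, and check `oauth_body_hash` against the body that was sent. It assumes a URL with no query string and a non-form body; the URL, secrets, nonce and body below are constructed placeholders.

```ruby
require "openssl"

# RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal.
def pct(s)
  s.to_s.bytes.map { |b| b.chr =~ /[A-Za-z0-9\-._~]/ ? b.chr : format("%%%02X", b) }.join
end

# Signature base string (RFC 5849 section 3.4.1); realm and oauth_signature are never signed.
# Assumes no URL query string and a non-form body, so only header parameters are signed.
def base_string(method, url, params)
  signed = params.reject { |k, _| %w[realm oauth_signature].include?(k) }
  pairs = signed.map { |k, v| [pct(k), pct(v)] }.sort
  [method.upcase, pct(url), pct(pairs.map { |k, v| "#{k}=#{v}" }.join("&"))].join("&")
end

# HMAC-SHA1 signature; the key is the two encoded secrets joined by "&".
def sign(method, url, params, consumer_secret, token_secret)
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  [OpenSSL::HMAC.digest("SHA1", key, base_string(method, url, params))].pack("m0")
end

# oauth_body_hash per draft-eaton-oauth-bodyhash-00: base64(SHA-1(raw body bytes)).
def body_hash(body)
  [OpenSSL::Digest.new("SHA1").digest(body)].pack("m0")
end

# Parse a captured Authorization header into decoded name => value pairs.
def parse_auth_header(header)
  header.sub(/\AOAuth\s+/, "").scan(/(\w+)="([^"]*)"/).to_h do |k, v|
    [k, v.b.gsub(/%(\h\h)/) { $1.hex.chr }]
  end
end

# Recompute the signature and body hash for a captured request and compare with what was sent.
def diagnose(method, url, header, body, consumer_secret, token_secret)
  sent = parse_auth_header(header)
  { base_string: base_string(method, url, sent),
    signature_ok: sign(method, url, sent, consumer_secret, token_secret) == sent["oauth_signature"],
    body_hash_ok: sent.key?("oauth_body_hash") ? sent["oauth_body_hash"] == body_hash(body) : nil }
end

if __FILE__ == $0
  # Constructed sample request: URL, secrets, nonce and body are placeholders, not values from the post.
  url, body = "https://api.example.test/orders/preview", '{"order":"constructed"}'
  params = { "oauth_consumer_key" => "ck", "oauth_nonce" => "n1", "oauth_signature_method" => "HMAC-SHA1",
             "oauth_timestamp" => "1700000000", "oauth_token" => "tok+/=", "oauth_version" => "1.0",
             "oauth_body_hash" => body_hash(body) }
  params["oauth_signature"] = sign("POST", url, params, "cs", "ts")
  header = "OAuth " + params.map { |k, v| %(#{k}="#{pct(v)}") }.join(", ")
  puts diagnose("POST", url, header, body, "cs", "ts")
end
```

Signing the same parameters with `oauth_body_hash` removed yields a different signature, which is the value a verifier that leaves that parameter out of its base string would compute.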

0 Answers