Android Flickr OAuth invalid_signature when getting the request token

Tags: android oauth flickr

I am trying to create a Flickr application on Android, but I am stuck on authentication when requesting the token.

Generating the signature

API key :-496a8ac6ca46325e6cef******

API secret :-685682a92***

Base string:- GET&http%3A%2F%2Fwww.flickr.com%2Fservices%2Foauth%2Frequest_token&oauth_callback%3Dsoft%253A%252F%252Fcom.alice.testflickr%26oauth_consumer_key%3D496a8ac6ca46325e6cef%26oauth_nonce%3D39 4e61453f7b82cd633d229ac9b6454b%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1339654651 %26oauth_version%3D1.0

Method for generating the signature:-

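    import java.io.UnsupportedEncodingException;
    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import javax.crypto.Mac;
    import javax.crypto.spec.SecretKeySpec;
    import android.util.Base64;

    public String computeSignature(String baseString, String key)
            throws IllegalStateException, UnsupportedEncodingException, NoSuchAlgorithmException, InvalidKeyException {
        // here key is the appsecret+"&"
        Mac mac = Mac.getInstance("HmacSHA1");
        // Use an explicit charset for the key bytes, matching the base string below
        SecretKeySpec spec = new SecretKeySpec(key.getBytes("UTF-8"), "HmacSHA1");
        mac.init(spec);
        byte[] byteHMAC = mac.doFinal(baseString.getBytes("UTF-8"));

        // Base64 without line wrapping; the result still has to be percent-encoded in the URL
        return new String(Base64.encode(byteHMAC, Base64.NO_WRAP));
    }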

The timestamp is (System.currentTimeMillis)/1000

The nonce is Long.toString(System.nanoTime());

I request the request token like this:-

http://www.flickr.com/services/oauth/request_token?oauth_nonce=12190496931948&oauth_timestamp=1339664498&oauth_consumer_key=496a8ac6ca46325e6cef&oauth_signature_method=HMAC-SHA1&oauth_version=1.0&oauth_signature=jg8CCdKb8gw%2BMJK0aJ6Brpba0G0%3D&oauth_callback=soft%3A%2F%2Fcom.alice.testflickr

But I always get

oauth_problem=signature_invalid&debug_sbs=GET&http%3A%2F%2Fwww.flickr.com%2Fservices%2Foauth%2Frequest_token&oauth_callback%3Dsoft%253A%252F%252Fcom.alice.testflickr%26oauth_consumer_key%3D496a8ac6ca46325e6cef%26oauth_nonce%3D12190496931948%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1339664498%26oauth_version%3D1.0

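Is there a problem with the way I generate the signature, or is there some other problem here?

Edit: the value of timestamp in the base string is the same as in the request.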

Best answer

The Flickr documentation says the signing process should be like this:

All API calls using an authentication token must be signed. In
addition, calls to the flickr.auth.* methods and redirections to the
auth page on flickr must also be signed.

The process of signing is as follows.

  • Sort your argument list into alphabetical order based on the parameter name.
    e.g.
    foo=1, bar=2, baz=3 sorts to bar=2, baz=3, foo=1

  • concatenate the shared secret and argument name-value pairs
    e.g.
    SECRETbar2baz3foo1

  • calculate the md5() hash of this string

  • append this value to the argument list with the name api_sig, in hexadecimal string form
    e.g.
    api_sig=1f3870be274f6c49b3e31a0c6728957f

Regarding Android Flickr OAuth invalid_signature when getting the request token, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/11030258/
