[GH-ISSUE #332] Receiving a 401 invalid_signature with each request #207

Closed
opened 2026-03-03 16:46:40 +03:00 by kerem · 6 comments

Originally created by @bennokress on GitHub (Jan 17, 2017).
Original GitHub issue: https://github.com/OAuthSwift/OAuthSwift/issues/332

Description

I'm trying to make API Calls protected with OAuth 1.0. The authorization with OAuthSwift is already working and giving me a token and a token secret. Sadly I get a 401 invalid_signature back when making calls afterwards. Looking at the requests and checking an online signature generator (https://www.oauth-signatur.de/en) I see that the generated signatures indeed differ. I just don't know why, because I have no experience with the matter so far. What do you need from me to help me out?

OAuth Provider

  • Custom: Car2Go https://github.com/car2go/openAPI/wiki/Access-protected-Functions-via-OAuth-1.0

OAuth Version:

  • [x] Version 1
  • [ ] Version 2

OS (Please fill the version) :

  • [x] iOS :
  • [ ] OSX :
  • [ ] TVOS :
  • [ ] WatchOS :

Installation method:

  • [x] Carthage
  • [ ] CocoaPods
  • [ ] Manually

Library version:

  • [x] head
  • [ ] v1.0.0
  • [ ] v0.6
  • [ ] other: (Please fill in the version you are using.)

Xcode version:

  • [x] 8.0 (Swift 3.0)
  • [ ] 8.0 (Swift 2.3)
  • [ ] 7.3.1
  • [ ] other: (Please fill in the version you are using.)
  • [ ] objective c

@phimage commented on GitHub (Jan 17, 2017):

Could you provide a failed request sample?


@bennokress commented on GitHub (Jan 18, 2017):

Of course :) I'm using OAuthSwiftAlamofire for the request, but I tested it with the standard oauth.client.get and have the same result ...

This is where I make the request:

```swift
func getUserData(completion: @escaping Callback) {

    let url = "https://www.car2go.com/api/v2.1/accounts?oauth_consumer_key=\(consumerKey)&format=\(format)"

    getOAuthSessionManager() { sessionManager in

        guard let AlamofireWithOAuth = sessionManager else {
            let error = APICallResult.error(code: 0, codeDetail: "not_logged_in", message: "No user credentials stored for Car2Go!", parentFunction: #function)
            completion(error)
            return
        }

        let request = AlamofireWithOAuth.request(url, method: .get, encoding: URLEncoding.default).response { callback in

            print(callback.response ?? "No response")

        }

        debugPrint(request)

    }

}
```

And this is the getOAuthSessionManager() where I get the stored Token and Token Secret from Keychain or generate a new one:

```swift
fileprivate func getOAuthSessionManager(completion: @escaping (SessionManager?) -> Void) {
    let oauthSessionManager = SessionManager.default
    if let savedCredential = credential {
        oauthswift.client.credential.oauthToken = savedCredential.oauthToken
        oauthswift.client.credential.oauthTokenSecret = savedCredential.oauthTokenSecret
        oauthSessionManager.adapter = OAuthSwiftRequestAdapter(oauthswift)
        completion(oauthSessionManager)
    } else {
        authorizeHerbieNowForCar2Go() { response in
            guard let newCredential: OAuthSwiftCredential = response.getDetails() else {
                completion(nil)
                return
            }
            self.oauthswift.client.credential.oauthToken = newCredential.oauthToken
            self.oauthswift.client.credential.oauthTokenSecret = newCredential.oauthTokenSecret
            oauthSessionManager.adapter = self.oauthswift.requestAdapter
            completion(oauthSessionManager)
        }
    }
}
```

Additionally oauthswift is defined like this (with consumerKey and consumerSecret set, of course):

```swift
oauthswift = OAuth1Swift(
    consumerKey: consumerKey,
    consumerSecret: consumerSecret,
    requestTokenUrl: "https://www.car2go.com/api/reqtoken",
    authorizeUrl:    "https://www.car2go.com/api/authorize",
    accessTokenUrl:  "https://www.car2go.com/api/accesstoken"
)
```

The console shows the following output:

```
$ curl -i \
	-H "Accept-Language: de-DE;q=1.0, en-US;q=0.9" \
	-H "Authorization: OAuth oauth_consumer_key="HerbyNow", oauth_nonce="F847B367", oauth_signature="qyPSyjttpRhfA1gOQ30z8WebFNo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1484728545", oauth_token="tXPsbgaPC47rYWdfEtuLYg8C", oauth_version="1.0"" \
	-H "User-Agent: HerbieNow/1.0 (de.lmu.HerbieNow; build:1; iOS 10.2.0) Alamofire/4.3.0" \
	-H "Accept-Encoding: gzip;q=1.0, compress;q=0.5" \
	"https://www.car2go.com/api/v2.1/accounts?oauth_consumer_key=HerbyNow&format=json"
----------------------------------------------------------------------------------------------------
<NSHTTPURLResponse: 0x17402eaa0> { URL: https://www.car2go.com/api/v2.1/accounts?oauth_consumer_key=HerbyNow&format=json } { status code: 401, headers {
    "Content-Language" = "en-US";
    "Content-Length" = 0;
    Date = "Wed, 18 Jan 2017 08:35:45 GMT";
    "Www-Authenticate" = "OAuth realm=\"car2go_api\", oauth_problem=\"signature_invalid\"";
} }
```

@phimage commented on GitHub (Jan 18, 2017):

Try not to add oauth_consumer_key=xxx in your request.
Maybe your provider needs it, but that's not standard.

OAuthSwift manages all oauth* parameters, and maybe oauth_consumer_key is excluded from the signature.


@bennokress commented on GitHub (Jan 18, 2017):

Indeed, this fixed the problem. Thanks for taking the time to help me!
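
Added example (not part of the issue thread and not OAuthSwift code): a Python recomputation of the RFC 5849 HMAC-SHA1 signature for the request above, showing how an `oauth_consumer_key` sent in both the query string and the Authorization header makes two signers disagree. How OAuthSwift or the Car2Go server actually treats the duplicate is not stated in the thread; the two strategies and both secrets are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Header values are taken from the curl output above; both secrets are constructed.
OAUTH = {
    "oauth_consumer_key": "HerbyNow", "oauth_nonce": "F847B367",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1484728545",
    "oauth_token": "tXPsbgaPC47rYWdfEtuLYg8C", "oauth_version": "1.0",
}
CONSUMER_SECRET, TOKEN_SECRET = "constructed-consumer-secret", "constructed-token-secret"
WITH_KEY = "https://www.car2go.com/api/v2.1/accounts?oauth_consumer_key=HerbyNow&format=json"
WITHOUT_KEY = "https://www.car2go.com/api/v2.1/accounts?format=json"


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay raw."""
    return quote(value, safe="-._~")


def base_string(method, url, oauth_params, merge_duplicates=False):
    """RFC 5849 section 3.4.1 signature base string (no explicit port handling)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    if merge_duplicates:  # assumption: a signer that keeps parameters in a dict
        pairs = list(dict(pairs).items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)  # by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    base_uri = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(base, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets, base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def signatures(url):
    """Return (keep-all signature, merged-duplicates signature) for one URL."""
    return tuple(sign(base_string("GET", url, OAUTH, m), CONSUMER_SECRET, TOKEN_SECRET)
                 for m in (False, True))


if __name__ == "__main__":
    for url in (WITH_KEY, WITHOUT_KEY):
        keep_all, merged = signatures(url)
        print("match   " if keep_all == merged else "MISMATCH", url)
```

Printing `base_string(...)` for the failing request and comparing it with the base string shown by an independent generator pinpoints which parameter differs, which is quicker than comparing the final signatures.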


@J-Arji commented on GitHub (Aug 20, 2017):

Can you help me receive JSON from Magento?


@phimage commented on GitHub (Aug 20, 2017):

@J-Arji no
