Vimeo - 401 Error (Bad Signature) on retrieveRequestToken (using 1.2.SNAPSHOT)

[GoogleCodeExporter]

What steps will reproduce the problem?
1.  Use signpost to integrate with Vimeo's API
2.  Attempt to retrieve the initial request token / auth URL

What is the expected output? What do you see instead?

 The error message from Vimeo says "401 Unauthorized - Invalid signature - The 
oauth_signature passed was not valid"

What version of the product are you using? On what operating system?

We're building signpost from the 1.2.SNAPSHOT branch on github 
(kaeppler-signpost-cfca5b4).
We're using signpost-core only, with the default provider and consumer.
We're building it with eclipse, and running it in Java 1.6, on Mac OS X

Please provide any additional information below.

Vimeo has pretty decent docs, although they seem somewhat oriented towards PHP 
users
  - http://vimeo.com/api/docs/advanced-api
  - http://vimeo.com/api/docs/authentication
  - http://vimeo.com/api/docs/oauth

We tried the new API for setSendEmptyTokens(boolean) with both true and false, 
both resulted 
in the same 401 error.

Also, just wanted to note that we've used identical code with signpost to 
successfully integrate 
with both Twitter and Google/YouTube  (Thanks very much for a great library!).  
So something 
different is going on with Vimeo....

Original issue reported on code.google.com by carrotsa...@gmail.com on 27 Jan 2010 at 7:24

[GoogleCodeExporter]

Hi,

please post code I can use to reproduce this problem. I can't (and won't) read 
through 
the docs of every OAuth provider out there to look for peculiarities. 
Executable code 
that let's me reproduce the problem will help me fix this issue more quickly.

Meanwhile, please try the latest snapshot build I attached and check if it 
fixes your 
problem. There have been a quite many changes to the underlying code base 
lately.

Original comment by m.kaepp...@gmail.com on 27 Jan 2010 at 9:18

Attachments:

• signpost-core-1.2-SNAPSHOT.jar

[GoogleCodeExporter]

Just tested with the latest Snapshot, and I don't get a 401.

Any chance that you're passing a callback URL but your application is not 
registered 
to be able to receive callbacks? Some OAuth providers send a 401 if you're 
trying to 
get a callback but your app is not set to be a web app.

Try calling provider.retrieveRequestToken with a callback value of 
OAuth.OUT_OF_BAND. 
If that gets rid of the 401 and you're running a Web app, please go to your app 
settings on vimeo.com and configure it to allow callbacks.

Original comment by m.kaepp...@gmail.com on 27 Jan 2010 at 9:53

[GoogleCodeExporter]

Hi Matthias-

Thanks very much for trying that out!  That was the one thing I didn't think to 
try, since as far as I can tell there 
is no way to change the app settings on Vimeo to allow callbacks, so I assumed 
it must allow them.

I will now post an issue to vimeo, since it's very inconvenient for the 
development process to not be able to use 
custom callbacks (specific to the developer's local machine..)

Although it's less important now, I did write up sample code to attach here, 
but you beat me to it :-)  I'll include 
it anyhow, it might be useful to you or someone else in the future.

Thanks again, 
  -Dave Fogel

Original comment by carrotsa...@gmail.com on 27 Jan 2010 at 10:29

Attachments:

• VimeoOAuthTest.java

[GoogleCodeExporter]

Thanks. Yes, it occurred to me since Twitter does the same thing, and it looks 
as if 
Vimeo in fact uses the same OAuth implementation (judging by the URLs, I 
believe 
they're both Rails apps and use the Ruby OAuth gem).

As to the settings. It should work if you simply enter your callback URL during 
app 
registration:

"Application Callback URL -- This is the URL we'll send a user back to when 
authenticating. Leave this blank if your application is a desktop application."

Did you fill that out with your callback URL? If you didn't and then try to 
receive 
tokens over a callback, you will see that dratted 401.

Original comment by m.kaepp...@gmail.com on 27 Jan 2010 at 10:48

[GoogleCodeExporter]

Actually, we had already filled in a callback in the vimeo application 
settings.  It's just that we were 
requesting that same callback with the retrieveRequestToken call as well.  So 
Vimeo seems to be actively 
forbidding custom callback URLs, and returning a (very misleading "Bad 
Signature" 401 response when 
anything besides "oob" is passed as the callback.

Incidentally, we're passing a similar custom callback to Twitter, and they seem 
fine with it.  Maybe they're 
using a different version of the ruby library or something?

Altogether, we're finding it somewhat dismaying the extent to which different 
service providers seem to 
implement the oauth standard in different ways- it must drive you crazy!

(Also, we're about to try to integrate with Flickr, which seems to require an 
auth process almost exactly like 
OAuth, but not actually the same.  You'd think they'd change over to actually 
use the standard which they 
helped create!  Have you thought about adding a flickr mode to the signpost 
project?  I'm guessing you 
probably want to stick with straight oauth... :-)

Thanks again,
  -Dave Fogel

Original comment by carrotsa...@gmail.com on 27 Jan 2010 at 11:13

[GoogleCodeExporter]

Haha, tell me about it! I really can be frustrating, but it's probably the spec 
which is to blame. In fact, there is 
currently an an IETF proposal (the "Hammer-draft") which aims to rewrite the 
OAuth standard using wording 
which is actually comprehensible by human beings. That should help in having a 
clear and solid basis for future 
implementations.

As to Flickr, no, I don't have any plans to do this. I'm actually surprised 
they haven't migrated to OAuth yet. After 
all, it was largely Flickr's auth standard which influenced the design behind 
OAuth.

Original comment by m.kaepp...@gmail.com on 28 Jan 2010 at 8:54

[GoogleCodeExporter]

I consider this fixed. Feel free to reopen if you still have problems.

Original comment by m.kaepp...@gmail.com on 31 Jan 2010 at 7:08

• Changed state: Invalid

[GoogleCodeExporter]

Just a suggestion before running the attached example --- 

Modify the Static VIMEO URL values from 

private static final String VIMEO_REQUEST_TOKEN_URL = 
"http://www.vimeo.com/oauth/request_token";
private static final String VIMEO_ACCESS_TOKEN_URL = 
"http://www.vimeo.com/oauth/access_token";
private static final String VIMEO_AUTHORIZATION_URL = 
"http://www.vimeo.com/oauth/authorize?permission=read";

to

private static final String VIMEO_REQUEST_TOKEN_URL = 
"http://vimeo.com/oauth/request_token";
private static final String VIMEO_ACCESS_TOKEN_URL = 
"http://vimeo.com/oauth/access_token";
private static final String VIMEO_AUTHORIZATION_URL = 
"http://vimeo.com/oauth/authorize?permission=read";

Original comment by vishal.g...@gmail.com on 7 Nov 2011 at 12:56

[GoogleCodeExporter]

For me using

String authUrl = provider.retrieveRequestToken(consumer,OAuth.OUT_OF_BAND);

is sending exception

Exception in thread "main" 
oauth.signpost.exception.OAuthNotAuthorizedException: Authorization failed 
(server replied with a 401). This can happen if the consumer key was not 
correct or the signatures did not match.
        at oauth.signpost.basic.DefaultOAuthProvider.retrieveToken(DefaultOAuthProvider.java:74)
        at oauth.signpost.AbstractOAuthProvider.retrieveRequestToken(AbstractOAuthProvider.java:66)

Original comment by 365media...@gmail.com on 8 Nov 2011 at 2:58