daviddesberg / PHPoAuthLib

PHP 5.3+ oAuth 1/2 Client Library

Fitbit Error: Invalid signature or token #307

Open chrissm79 opened 10 years ago

chrissm79 commented 10 years ago

After the user is redirected back to my application from FitBit, I am getting "Invalid signature or token" error message. I am unable to get the example to work either (same error). Didn't update any code in my app. Did something change?

daviddesberg commented 10 years ago

This should be fixed in master, please let me know

kenvunz commented 9 years ago

I can confirm the issue is fixed in master :+1:

abaweja commented 9 years ago

I am getting the same error with the example code. I have tried a few things and added some logging. Everything seems fine. In fact, if I create the request with exactly the same POST header as the one created by this library and execute it in curl, it works absolutely fine. But somehow I am not able to execute it through this library.

abaweja commented 9 years ago

Finally, after a lot of debugging, I found the reason. oauth_verifier is being sent in the body as well, which is probably unexpected by Fitbit, or the signature calculation is not including it. Removing the body fixed the problem.

jhnferraris commented 9 years ago

@abaweja How did you fix it? Did you just override it in the Fitbit service class or modified the AbstractService class?

logical-and commented 9 years ago

Can you please test the updated library? If the error can still be reproduced there, I will take a look at it. Thank you for the bug report.

sisuwayn commented 9 years ago

@logical-and I was having the same issue with PHPoAuthLib so I just tried your library (installed via composer "and/oauth") and I still get the same error - "Invalid signature or token"

jhnferraris commented 9 years ago

@logical-and Used your library (0.6). Didn't experience the "Invalid signature or token" error

logical-and commented 9 years ago

@jhnferraris Thanks for reporting. I'm happy to hear that :) @sisuwayn Can you please provide me with more details so I will be able to reproduce your error?

jhnferraris commented 9 years ago

@logical-and I've experienced it earlier.

I got the access token and token secret and passed them to this code:

```php
// Build a token object from the access token and secret obtained earlier
$token = new \OAuth\OAuth1\Token\StdOAuth1Token();
$token->setRequestToken($oauth_token);
$token->setRequestTokenSecret($oauth_secret);
$token->setAccessToken($oauth_token);
$token->setAccessTokenSecret($oauth_secret);

// Store it in an in-memory storage adapter under the FitBit service name
$adapter = new \OAuth\Common\Storage\Memory();
$adapter->storeAccessToken('FitBit', $token);

// Hand the storage to the factory and query the user's profile
$factory->setStorageAdapter($adapter);
$user_profile = $user_gateway->getProfile();
```

The response in $user_profile showed the "Invalid signature or token" error.

logical-and commented 9 years ago

@janakaonline But you said that you didn't have an error? :) Or is it a misunderstanding?

sisuwayn commented 9 years ago

@janakaonline you seem to be confusing the issue, I think. I've tried a number of times here and still get the error. I tested the library with a Facebook implementation and it works seamlessly.

@logical-and So I've got a key and secret for the Fitbit API.

The library seems to negotiate through the request token all okay but falls over at the final step.

jhnferraris commented 9 years ago

@logical-and What I experienced before was when converting the request token to an access token. Now I have the access token and token secret of the user. I want to access the details of that user using the tokens, and when I try to query the profile of the user using this set of steps

```php
// Build a token object from the user's access token and secret
$token = new \OAuth\OAuth1\Token\StdOAuth1Token();
$token->setRequestToken($oauth_token);
$token->setRequestTokenSecret($oauth_secret);
$token->setAccessToken($oauth_token);
$token->setAccessTokenSecret($oauth_secret);

// Store it in an in-memory storage adapter under the FitBit service name
$adapter = new \OAuth\Common\Storage\Memory();
$adapter->storeAccessToken('FitBit', $token);

// Hand the storage to the factory and query the user's profile
$factory->setStorageAdapter($adapter);
$user_profile = $user_gateway->getProfile();
```

it returned ($user_profile):

```
Array
(
    [errors] => Array
        (
            [0] => Array
                (
                    [errorType] => oauth
                    [fieldName] => oauth_access_token
                    [message] => Invalid signature or token '3iErownua0O517ppc5iQps6vo/4=' or token '78c0f96a489a55cea7b2bf0222043ef1'
                )
        )
    [success] =>
)
```

sisuwayn commented 9 years ago

I've just been trying to debug today and it looks like it's getting stuck, as @jhnferraris says, at the request to pull the user profile data (https://api.fitbit.com/1/user/-/profile.json). The signing at this point is causing the issue. Not sure why yet.

jhnferraris commented 9 years ago

@sisuwayn How can we move this discussion here? The repository is more up to date but it still experiences the same error.

jhnferraris commented 9 years ago

Update:

I've logged the oauth_signature generated by the library and cross-checked it with Fitbit's debug tool in Step G using the acquired access token and secret. It seems that the signature from the library is different from the one in the debug tool.

Also, manually generating the headers and using curl in the CLI returned the "Invalid signature or token" error. But the curl command generated by the debug tool returned a successful response.

Can anyone confirm this?

sisuwayn commented 9 years ago

Finally worked this out. Basically the request is falling over at the https://api.fitbit.com/1/user/-/profile.json call.

When I traced everything, it is the signature that is failing. It is failing because of the base string used to compute the signature. There is an additional '/' in the base URL, i.e. the URL being encoded is https://api.fitbit.com/1//user/-/profile.json and not https://api.fitbit.com/1/user/-/profile.json (see between the 1 and user).

I suppose there are two fixes here. Update the following value and remove the trailing slash:

```php
protected $baseApiUri = 'https://api.fitbit.com/1/';
```

or

update /src/Common/Service/AbstractService.php::136 and remove the slash in the setPath function.

jhnferraris commented 9 years ago

@sisuwayn Nice. Confirmed it here. I think the proper fix will be removing the slash in the FitBit service class.

jhnferraris commented 9 years ago

@sisuwayn Where will you apply the fix? in and/oauth repo?

sisuwayn commented 9 years ago

I dunno. I was just reporting the issue really. Someone with greater powers than me will need to sort that out, I think. Not sure about the other OAuth 1.0 services and how they will all be affected.

logical-and commented 9 years ago

No additional actions from you are required, I will take care of the fixes. :)

jhnferraris commented 9 years ago

@logical-and Nice! Will you be putting it in a stable version (0.7) now?

logical-and commented 9 years ago

0.7 is not stable yet, but it is the latest. Yes, I will put the fix in the latest version.

jhnferraris commented 9 years ago

@logical-and Okay. Can you ping us about which package version we should use so I can update my composer file? Thanks in advance! :)

ericzoo commented 9 years ago

Bumping this up! Also affected here.

logical-and commented 9 years ago

Hey guys, just fixed it in #32, #33

Here is my response to the profile request:

Please confirm whether the issue is fixed now or not.

ghost commented 9 years ago

I'm affected too. To fix this issue I just overrode it in FitBit.php:

```php
    /**
     * {@inheritDoc}
     */
    public function requestAccessToken($token, $verifier, $tokenSecret = null)
    {
        // Fall back to the request token secret stored during the first leg
        if (is_null($tokenSecret)) {
            $storedRequestToken = $this->storage->retrieveAccessToken($this->service());
            $tokenSecret = $storedRequestToken->getRequestTokenSecret();
        }
        $this->signature->setTokenSecret($tokenSecret);

        // The verifier is included in the signed Authorization header only
        $bodyParams = array(
            'oauth_verifier' => $verifier,
        );

        $authorizationHeader = array(
            'Authorization' => $this->buildAuthorizationHeaderForAPIRequest(
                'POST',
                $this->getAccessTokenEndpoint(),
                $this->storage->retrieveAccessToken($this->service()),
                $bodyParams
            )
        );

        $headers = array_merge($authorizationHeader, $this->getExtraOAuthHeaders());

        // Changed: send an empty body instead of $bodyParams so oauth_verifier is
        // not posted a second time (array() rather than [] keeps PHP 5.3 compatibility)
        $responseBody = $this->httpClient->retrieveResponse($this->getAccessTokenEndpoint(), array(), $headers);

        $token = $this->parseAccessTokenResponse($responseBody);
        $this->storage->storeAccessToken($this->service(), $token);

        return $token;
    }
```

Can someone put this into a release please?

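The two root causes reported in this thread, the doubled slash in the signed base URL (sisuwayn's finding above) and oauth_verifier reaching the server in the body as well as in the header (abaweja's finding and the override just posted), are both instances of the same OAuth 1.0 failure mode: the client signs one set of (method, URI, parameters) and the server recomputes HMAC-SHA1 over a different set. The following is an added example, not code from PHPoAuthLib, and/oauth or Fitbit. It implements the RFC 5849 base string and signing rules in Python so both mismatches can be reproduced offline; all keys, secrets, nonces and timestamps are constructed values, and the server-side check assumes the server uses the URL and body it actually received.

```python
"""RFC 5849 (OAuth 1.0a) HMAC-SHA1 signing and verification, added here to show
why a signed-vs-received mismatch yields "Invalid signature or token".
Not the library's code; all credentials below are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """Section 3.6 percent-encoding: only ALPHA / DIGIT / '-' '.' '_' '~' stay unencoded."""
    return quote(str(value), safe="~")


def base_string_uri(url):
    """Section 3.4.1.2: lowercase scheme and host, drop default port and query,
    keep the path exactly as given, so '/1//user' and '/1/user' differ."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def collect_params(url, header_params, body=None):
    """Section 3.4.1.3.1: query string + Authorization header (minus realm and
    oauth_signature) + form-encoded body. Duplicates are kept, never merged."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in header_params if k not in ("realm", "oauth_signature")]
    if body:
        pairs += parse_qsl(body, keep_blank_values=True)
    return pairs


def signature_base_string(method, url, header_params, body=None):
    """Section 3.4.1.1: METHOD & enc(base URI) & enc(sorted encoded parameters)."""
    encoded = sorted((pct(k), pct(v)) for k, v in collect_params(url, header_params, body))
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret=""):
    """Section 3.4.2: key is enc(consumer secret) '&' enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, oauth_params, consumer_secret, token_secret, body=None):
    """Client side: Authorization-header parameter list including oauth_signature."""
    sig = hmac_sha1(signature_base_string(method, url, oauth_params, body), consumer_secret, token_secret)
    return oauth_params + [("oauth_signature", sig)]


def server_verifies(method, url, header_params, body, consumer_secret, token_secret):
    """Server side: recompute over what was received and compare in constant time.
    Nonce and timestamp replay checks are out of scope here."""
    sent = dict(header_params).get("oauth_signature", "")
    expected = hmac_sha1(signature_base_string(method, url, header_params, body), consumer_secret, token_secret)
    return hmac.compare_digest(sent, expected)


# Constructed credentials (hypothetical; not the thread's real keys or tokens).
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_SECRET = "token-secret-example"
OAUTH_PARAMS = [
    ("oauth_consumer_key", "consumer-key-example"),
    ("oauth_token", "token-example"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1420000000"),
    ("oauth_nonce", "n0nc3"),
    ("oauth_version", "1.0"),
]


def double_slash_mismatch():
    """baseApiUri ending in '/' joined to a path starting with '/' gets signed as
    '/1//user/...' while the server recomputes over '/1/user/...'.
    Returns (verifies with the bug, verifies once the slash is removed)."""
    signed_as = "https://api.fitbit.com/1//user/-/profile.json"
    received_as = "https://api.fitbit.com/1/user/-/profile.json"
    buggy = sign_request("GET", signed_as, OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    fixed = sign_request("GET", received_as, OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    return (server_verifies("GET", received_as, buggy, None, CONSUMER_SECRET, TOKEN_SECRET),
            server_verifies("GET", received_as, fixed, None, CONSUMER_SECRET, TOKEN_SECRET))


def verifier_in_body_mismatch():
    """oauth_verifier is signed once (header) but also posted as a form body, so
    the server collects it twice and its base string no longer matches.
    Returns (verifies with the body sent, verifies with an empty body)."""
    url = "https://api.fitbit.com/oauth/access_token"
    params = OAUTH_PARAMS + [("oauth_verifier", "verifier-example")]
    header = sign_request("POST", url, params, CONSUMER_SECRET, TOKEN_SECRET)
    return (server_verifies("POST", url, header, "oauth_verifier=verifier-example", CONSUMER_SECRET, TOKEN_SECRET),
            server_verifies("POST", url, header, None, CONSUMER_SECRET, TOKEN_SECRET))
```

Both helper functions return `(False, True)`: the request fails exactly when the client's base string and the server's reconstruction diverge, and passes as soon as the signed URL matches the requested one and every parameter the server sees was counted once in the signature. When debugging a library like this one, logging `signature_base_string(...)` on the client and comparing it with a trusted tool's base string (as jhnferraris did with Fitbit's debug tool) localises the fault faster than inspecting the final Base64 signature.
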
jhnferraris commented 9 years ago

@sebastian301082 Fix is in the dev version here https://github.com/logical-and/php-oauth. You can use that.

muneeb-arif commented 8 years ago

Hi everyone, I've followed all the comments and downloaded the latest update from git, but a strange thing happened: it worked, but only the first time. Afterwards it gave the same old error: INVALID TOKEN OR SIGNATURE. Kindly help me troubleshoot the issue.

I tried another browser and cleared cache/cookies, but no luck; it only worked the first time. I tried on another system, same result, it only worked the first time.