Invalid signature for signature method HMAC-SHA1

Printable View

Oct 23rd, 2012, 10:17 AM
thedug

Invalid signature for signature method HMAC-SHA1

I periodically get this when testing and from what I can tell the input values match but the signatures don't

Douglas
Oct 23rd, 2012, 11:15 AM
thedug

I figured it out.

Turns out that the HMAC signature can have spaces which means that you need to URL encode the signature prior to adding it to the header.

Also the token secret comes back encoded so that needs to be decoded prior to signing.
Oct 23rd, 2012, 11:49 AM
Dave Syer

There was a fix last week for spaces in signatures. Can you try a snapshot and verify that it works in your use case (hopefully out of the box)?
Apr 18th, 2013, 09:35 PM
kevinme

Quote:

Originally Posted by thedug

I figured it out.

Turns out that the HMAC signature can have spaces which means that you need to URL encode the signature prior to adding it to the header.

Also the token secret comes back encoded so that needs to be decoded prior to signing.

@thedug, did you notice this issue on `spring-security-oauth-3.19.jar`?

Thanks.
Apr 19th, 2013, 03:11 AM
Dave Syer

3.19 is probably old code from the codehaus days. Please update to the latest from github/maven (org.springframework.security.oauth:spring-security-oauth).

All times are GMT -5. The time now is 01:41 PM.