Invalid signature for signature method HMAC-SHA1

**thedug** · Oct 23rd, 2012, 10:17 AM

I periodically get this when testing and from what I can tell the input values match but the signatures don't

Douglas

**thedug** · Oct 23rd, 2012, 11:15 AM

I figured it out.

Turns out that the HMAC signature can have spaces which means that you need to URL encode the signature prior to adding it to the header.

Also the token secret comes back encoded so that needs to be decoded prior to signing.

**Dave Syer** · Oct 23rd, 2012, 11:49 AM

There was a fix last week for spaces in signatures. Can you try a snapshot and verify that it works in your use case (hopefully out of the box)?

**kevinme** · Apr 18th, 2013, 09:35 PM

Originally Posted by thedug

I figured it out.

Turns out that the HMAC signature can have spaces which means that you need to URL encode the signature prior to adding it to the header.

Also the token secret comes back encoded so that needs to be decoded prior to signing.

@thedug, did you notice this issue on `spring-security-oauth-3.19.jar`?

Thanks.

**Dave Syer** · Apr 19th, 2013, 03:11 AM

3.19 is probably old code from the codehaus days. Please update to the latest from github/maven (org.springframework.security.oauth:spring-security-oauth).

Thread: Invalid signature for signature method HMAC-SHA1

Thread Tools

Display

Invalid signature for signature method HMAC-SHA1

Posting Permissions