OAuth 1.0a REST API Authentication Error: Invalid Signature

When attempting to authenticate with the REST API I receive an invalid signature error. I’m passing the below as my base string:

POST&https%3A%2F%2Fgnerbdev.atlassian.net%2Fplugins%2Fservlet%2Foauth%2Frequest-token&oauth_consumer_key%3D3MVG9KI2HHAq33RwCPH5bNzAHbOgfiicjJ6HjvVfNhGU8aWXGl6ps.vsEzobCPqRXuDcmeV2Baw%3D%3D%26oauth_nonce%3D7188823967346491475%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1492306511

And then signing it using a shared cert that I have set up in the application links section. Since I am getting a decrypted string back from JIRA I’m confident that I have configured my application link correctly. Below is what JIRA returns:

18:35:11:202 USER_DEBUG
[30]|DEBUG|oauth_problem=signature_invalid

&oauth_signature=<redacted because apparently atlassian doesn’t want me to put this in the question>

&oauth_signature_base_string=POST%26https%253A%252F%252Fgnerbdev.atlassian.net%252Fplugins%252Fservlet%252Foauth%252Frequest-token%26oauth_consumer_key%253D3MVG9KI2HHAq33RwCPH5bNzAHbOgfiicjJ6HjvVfNhGU8aWXGl6ps.vsEzobCPqRXuDcmeV2Baw%25253D%25253D%2526oauth_nonce%253D7188823967346491475%2526oauth_signature_method%253DRSA-SHA1%2526oauth_timestamp%253D1492306511

&oauth_signature_method=RSA-SHA1

This is my first time working with OAuth. I was able to get the REST API Working with basic authentication, I just want something more secure.

Update

I found this https://confluence.atlassian.com/applinks/troubleshoot-application-links/oauth-troubleshooting-guide#OAuthtroubleshootingguide-OAuthinvalidsig a while back and at first I discounted it as it didn’t seem like it could be the cause.

I used requestb.in/vyqrg1vy?inspect (note this page will only be active for like 48 hours) and was able to determine that no referer was being passed. I set this manually in the header:

req.setHeader('Referer', 'gnerb-dev-ed.my.salesforce.com/exec-anon');

And the error still persisted. From what I can tell, the Referer header is the primary way HTTP determines the URI of the application making the request. Is this not correct? By what other method would the server expect the URI to be provided?

Note:
I removed the HTTP from some of the URLs as the community automatically converted them to links and I can’t have that many links.
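The two base strings in the question can be checked against each other directly; this is an added example, not code from the original post. Decoding Jira's echoed oauth_signature_base_string once (the reply body is itself form-encoded) and building the base string per RFC 5849 section 3.4.1 from the question's own consumer key, nonce and timestamp shows the two differ only at the consumer key's trailing `==`: Jira has `%253D%253D`, the posted string `%3D%3D`, so each parameter value has to be percent-encoded before the normalized parameter string is encoded a second time.

```python
from urllib.parse import quote, unquote

# Values copied from the question (endpoint, consumer key, nonce, timestamp).
URL = "https://gnerbdev.atlassian.net/plugins/servlet/oauth/request-token"
PARAMS = {
    "oauth_consumer_key": "3MVG9KI2HHAq33RwCPH5bNzAHbOgfiicjJ6HjvVfNhGU8aWXGl6ps.vsEzobCPqRXuDcmeV2Baw==",
    "oauth_nonce": "7188823967346491475",
    "oauth_signature_method": "RSA-SHA1",
    "oauth_timestamp": "1492306511",
}
# The base string the question says was signed.
POSTED = ("POST&https%3A%2F%2Fgnerbdev.atlassian.net%2Fplugins%2Fservlet%2Foauth%2Frequest-token"
          "&oauth_consumer_key%3D3MVG9KI2HHAq33RwCPH5bNzAHbOgfiicjJ6HjvVfNhGU8aWXGl6ps."
          "vsEzobCPqRXuDcmeV2Baw%3D%3D%26oauth_nonce%3D7188823967346491475%26oauth_signature_method"
          "%3DRSA-SHA1%26oauth_timestamp%3D1492306511")
# oauth_signature_base_string from Jira's reply; the reply body is form-encoded, so decode once.
SERVER_ECHO = ("POST%26https%253A%252F%252Fgnerbdev.atlassian.net%252Fplugins%252Fservlet%252Foauth"
               "%252Frequest-token%26oauth_consumer_key%253D3MVG9KI2HHAq33RwCPH5bNzAHbOgfiicjJ6HjvVfNhGU8aWXGl6ps."
               "vsEzobCPqRXuDcmeV2Baw%25253D%25253D%2526oauth_nonce%253D7188823967346491475%2526"
               "oauth_signature_method%253DRSA-SHA1%2526oauth_timestamp%253D1492306511")
SERVER_BASE_STRING = unquote(SERVER_ECHO)

def oauth_encode(s):
    # RFC 5849 3.6: only unreserved characters (A-Z a-z 0-9 - . _ ~) stay literal.
    return quote(s, safe="")

def base_string(method, url, params, encode_params=True):
    # Step 1 (RFC 5849 3.4.1.3.2): encode each key and value, sort, join with '=' and '&'.
    enc = oauth_encode if encode_params else (lambda s: s)
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Step 2: encode method, URL and the normalized string once more and join with '&'.
    # The '==' in the consumer key therefore goes '==' -> '%3D%3D' -> '%253D%253D'.
    return "&".join([method.upper(), oauth_encode(url), oauth_encode(normalized)])

def first_mismatch(a, b):
    # Index of the first differing character; -1 when the strings are equal.
    n = min(len(a), len(b))
    return next((i for i in range(n) if a[i] != b[i]), -1 if len(a) == len(b) else n)

if __name__ == "__main__":
    good = base_string("POST", URL, PARAMS)
    print(good == SERVER_BASE_STRING)  # True: matches what Jira signed on its side
    # Skipping step 1 (encode_params=False) reproduces the posted string exactly.
    print(base_string("POST", URL, PARAMS, encode_params=False) == POSTED)  # True
    i = first_mismatch(good, POSTED)
    print(good[i - 1:i + 4], POSTED[i - 1:i + 2])  # %253D %3D
```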

Just so we are clear: did you follow the steps on this page: https://developer.atlassian.com/cloud/jira/platform/jira-rest-api-oauth-authentication/?

And at which step did the above error happen?

Yes, I have followed those steps. Unfortunately, the document is only for Java and is using a Google API. This makes it especially difficult to track down the code that is building the HTTP request.

The error happens when I request a request token from the JIRA server.


Agreed with @everything, the document has only a Java integration example and is using a Google API. If you, @pvandevoorde, could provide some proper docs or a reference, we could follow along in other languages too.

Docs like: what will be the payload for which POST request.

Example - Making a POST request on https://{project}.atlassian.net/plugins/servlet/oauth/request-token expects a payload like

oauth_consumer_key:example
oauth_signature_method:RSA-SHA1
oauth_timestamp:1516339431
oauth_nonce:20171113121052483
oauth_signature:MIGfMA0GCSqGSIb3DQEBAQUAA4GNAsdfasdfsdDCBiQKBgQC3y9sc3nhe73xBHELMrd+hXew9zu8KXqs1wTlTfasda0LYNZ96hUIFRKz0R+wPbmo38Y/rghvywmasdEYl4TQfVqGuY7kyxiDJkz4JrGKYHnLEpuYGjZAaasdauWknU4Wsdl4A9ssuXgZ3YjoUYQasd94v0qcf1m0R9w/4F8C0hDqgoTBbcguvJ/8fQIDAQAB
oauth_callback:http://example.com

and rather than that I am getting this:

Error - net.oauth.OAuthException: java.security.SignatureException: Signature length not correct: got 632 but was expecting 128

here is the image -

Are you passing the correct parameters in ConsumerKey and ConsumerSecret?

The ConsumerKey should be equal to OauthKey and the ConsumerSecret should be your generated Private Key, including the first and last lines.

Also, even though the documentation told me to copy the private key from the .pcks8 file, I only managed to generate the request key and access key when using the contents of the .pem file.

The docs for this type of authentication are terrible, and contain many mistakes. After a lot of struggle, I managed to generate the access key, but I still have not managed to use it to access a protected resource on the API.