Yes, your request for an access token should be signed with the
request token secret; that is the oauth_token_secret that you received
with your request token. Also, requests for access to APIs should be
signed with the access token secret, that is the oauth_token_secret
that you received with your access token. I'm surprised that the
service provider accepts requests that are signed without the token
secrets.
Here's a simpler way to construct the URL for requesting an access
token, or access to an API. It yields the same result, letting
oauth.js handle more of the details.
var accessor = {
consumerKey: '...',
consumerSecret: '...',
token: '...',
tokenSecret: '...'};
var message = {
method: "GET",
action: "http://...";,
parameters: [
['oauth_signature_method', 'HMAC-SHA1'],
['xoauth_requestor_id', guid],
['format', 'json']]};
OAuth.completeRequest(message, accessor);
var signedURL = OAuth.addToURL(message.action, message.parameters);
On Jun 17, 10:49 pm, Matt Raible <[email protected]> wrote:
> ... Looking
> at both Paul Donnelly's and yours, neither contains the "tokenSecret"
> in the accessor that's used to sign the access_token request, as well
> as any API requests. Am I correct in assuming that the tokenSecret
> (the "auth_token_secret" value returned after getting the initial
> token) is needed for these two calls?
>
> To be clear, I can reliably get a token and authorize it. After that,
> it seems like getting an access_token works 50% of the time and
> calling the api (with auth_token as a param in the URL) works 30% of
> the time.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
