Withings authorization

Question

I've got a problem with getting User Data Access Token from the Withings API (step 3 of the api doc): http://oauth.withings.com/api/doc#api-OAuth_Authentication-access_token

Service returns "Invalid signature" error.

Here is my methods:

private static String getSignature(String url, String params, String authSecret) throws UnsupportedEncodingException, NoSuchAlgorithmException, InvalidKeyException {
    StringBuilder base = new StringBuilder();
    base.append("GET&");
    base.append(url);
    base.append("&");
    base.append(params);

    byte[] keyBytes;
    if (authSecret != null) {
        keyBytes = (secret + "&" + authSecret + "&").getBytes(ENC);
    } else {
        keyBytes = (secret + "&").getBytes(ENC);
    }

    SecretKey key = new SecretKeySpec(keyBytes, HMAC_SHA1);

    Mac mac = Mac.getInstance(HMAC_SHA1);
    mac.init(key);
    Base64 base64 = new Base64();
    return new String(base64.encode(mac.doFinal(base.toString().getBytes(ENC))), ENC).trim();
}
public static AuthResponse getAccessToken(AuthRequest request) {
    try {
        CloseableHttpClient httpclient = HttpClients.createDefault();
        String url = "https://oauth.withings.com/account/access_token";
        URIBuilder builder = new URIBuilder(url);
        List<NameValuePair> valuePairs = new ArrayList<>();

        valuePairs.add(new BasicNameValuePair("oauth_consumer_key", key));
        valuePairs.add(new BasicNameValuePair("oauth_nonce", "" + (int) (Math.random() * 100000000)));
        valuePairs.add(new BasicNameValuePair("oauth_signature_method", "HMAC-SHA1"));
        valuePairs.add(new BasicNameValuePair("oauth_timestamp", "" + (System.currentTimeMillis() / 1000)));
        valuePairs.add(new BasicNameValuePair("oauth_token", request.getOauthToken()));
        valuePairs.add(new BasicNameValuePair("oauth_version", "1.0"));
        valuePairs.add(new BasicNameValuePair("userid", request.getUserId()));

        String signature = getSignature(URLEncoder.encode(url, ENC), URLEncoder.encode(URLEncodedUtils.format(valuePairs, ENC), ENC), request.getOauthTokenSecret());

        valuePairs.add(new BasicNameValuePair("oauth_signature", signature));

        builder.addParameters(valuePairs);

        URI uri = builder.build();

        HttpGet httpget = new HttpGet(uri);

        HttpResponse response = httpclient.execute(httpget);
        BufferedReader reader = new BufferedReader(new InputStreamReader(response.getEntity().getContent()));

        StringBuilder sb = new StringBuilder();
        String result;

        while ((result = reader.readLine()) != null) {
            sb.append(result);
        }

        return null;
    } catch (Exception e) {
        throw new RuntimeException("*Error during getAccessToken request");
    }
}

I also tried without "authSecret" parameter to generate signature (like in withings specification), tried to change order and place "oauth_signature" parameter alphabetically, but I had no success Can anyone help me? PS: at the previous two steps of the Api Documentation I successfully got the oauth_token, oauth_token_secret, userid using this signature generator.

Answer 1

In order to get STEP3 working, you've got to remove the second "&" from the line:

keyBytes = (secret + "&" + authSecret + "&").getBytes(ENC);

so it becomes:

keyBytes = (secret + "&" + authSecret).getBytes(ENC);