I am using OAuth 1.0 protocol to connect to Google Contacts service and fetch all contacts of a user. When I am requesting for the Request Token, one out of 3 times I am getting a 'signature_invalid' response from the Google Servers. How could this be possible:the same code works many time and sometimes it doesn't? If anyone wants to try, here its the test page : http://www.spats.in/nssc2/gmailContactsImport.php. In the first lines, it prints the base string that I have constructed. On the second line, it prints the response from the server. On the third line it prints the request secret if it receives it from the server, otherwise its gibberish. Try reloading the page a few time; you'll definitely get a signature_invalid response a few time.
Will this problem persist and I should take care to make changes in my code to resend the request in case a negative response is received, or am I doing something wrong?
Here is my code if anyone wants to have a look at it:
$_SESSION['uid']=31; // Just set to something for checking
$consumer_key="www.spats.in";
$secret="***********************"; //I've hidden it
$mt = microtime();$rand = mt_rand(); $nonce = md5($mt.$rand);
$time=time();
$key=urlencode(utf8_encode($secret))."&";
$url="https://www.google.com/accounts/OAuthGetRequestToken";
$params="oauth_callback=".urlencode("http://www.spats.in/nssc2/gmailContactsImport.php").
"&oauth_consumer_key=$consumer_key".
"&oauth_nonce=$nonce".
"&oauth_signature_method=HMAC-SHA1".
"&oauth_timestamp=".$time.
"&oauth_version=1.0".
"&scope=".urlencode("https://www.google.com/m8/feeds/");
$base_string = "GET&".urlencode($url).'&'.rawurlencode($params);
$signature = base64_encode(hash_hmac('sha1', $base_string, $key, true));
//Send off request
$params.="&oauth_signature=".$signature;
$result=file_get_contents($url."?".$params);
//Parse the result
$tokens=explode("&",$result);
$pos['oauth_token']=strpos($tokens[0],"=")+1;
$oauth_token=substr($tokens[0],$pos['oauth_token']);
$pos['oauth_secret']=strpos($tokens[1],"=")+1;
$oauth_secret=substr($tokens[1],$pos['oauth_secret']);
//Save request secret
$num=mysql_query("INSERT INTO google_auth_tokens (id,request_token_secret) values($_SESSION[uid],'$oauth_secret')");
$authorizeURL="https://www.google.com/accounts/OAuthAuthorizeToken";
header("Location:".$authorizeURL."?oauth_token=".$oauth_token);
UPDATED : As you can see if you visit the page I mentioned above and get an error, the base string constructed by me and Google exactly match everytime, so it means there may be some problem with the way I am signing the base string. I can't catch the problem in that. Can anyone detect any problem in that?
UPDATED : Here are two base strings, the former generated a 'signature_invalid' response and latter got through and gave back the request token :
GET&https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthGetRequestToken&oauth_callback%3Dhttp%253A%252F%252Fwww.spats.in%252Fnssc2%252FgmailContactsImport.php%26oauth_consumer_key%3Dwww.spats.in%26oauth_nonce%3D57e4656240c67b1e6a5bcbd5f9ecb2cf%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1308856148%26oauth_version%3D1.0%26scope%3Dhttps%253A%252F%252Fwww.google.com%252Fm8%252Ffeeds%252F
GET&https%3A%2F%2Fwww.google.com%2Faccounts%2FOAuthGetRequestToken&oauth_callback%3Dhttp%253A%252F%252Fwww.spats.in%252Fnssc2%252FgmailContactsImport.php%26oauth_consumer_key%3Dwww.spats.in%26oauth_nonce%3D734bab3909fea245a2ebcfefcea36c54%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1308856162%26oauth_version%3D1.0%26scope%3Dhttps%253A%252F%252Fwww.google.com%252Fm8%252Ffeeds%252F
Both are exactly same, except for the nonce and timestamp parameters, which ought to differ due to being sent at different times. I can't understand why one should generate an invalid signature while the other not.
