I am trying to connect a user to my site with OAuth. My test user is being sent to the Netflix OAuth login page, and clicking that I would like to link my accounts, I get a message that my accounts have been successfully linked. However, when I go to My account with the test user, it says "You don't have any authorized sites or applications". Am I missing a step?
Message edited by Chris Drackett 3 years ago
Anu – 3 years ago
Just to confirm, once the user authorized linking the account, was the request_token exchanged for access_token?
Chris Drackett – 3 years ago
When I try and do that I get the following:
<status>
<status_code>401</status_code>
<message>Expired or invalid request token</message>
</status>
So I guess the issue is before that.
Chris Drackett – 3 years ago
Hm, it seems that by adding a callback I've fixed the problem... that isn't exactly clear, I should get an error when I don't use a callback if it's required!
JR Conlin – 3 years ago
The callback isn't required.
What should happen is:
1. You request a token by making a signed call to: http://api.netflix.com/oauth/request_token
2. You parse the returned URL-encoded string for the temporary access token and secret
3. You send the user to the login url at: https://api-user.netflix.com/oauth/login signing with the temporary token and secret and including the application name.
4. *Once you know the user has signed in and agreed to allow your application access*, then and only then do you make the permanent access token request (signing with the temporary access token and secret) by calling http://api.netflix.com/oauth/access_token.
I've seen some apps call for the access_token early (which invalidates the temporary token). I've also seen some apps fail to properly sign their requests, leading to random 401's.
If you're using .Net, it's important that you DO NOT use the default HttpUtility.UrlEncode() method since it incorrectly uses lowercase hex encoding values (OAuth specifies upper case). You can use the OAuth.UrlEncode() method to properly encode values.
Hope that helps, but let us know if you need more assistance. If you do, it's really helpful to know what language and library you're using. Also, you can use the OAuthTest page (available off the "Resources" tab) to test your calls and verify that the signed URL you're generating matches up with what we're expecting.
Ryszard Szopa – 3 years ago
Hi,
I am having a problem very similar to Chris Drackett's. All the initial steps work OK, I get the Netflix login page, the callback is made, but then when I try to exchange my request token for an access token I get a 401 saying
<status>
<status_code>401</status_code>
<message>Expired or invalid request token</message>
</status>
I don't think the token has expired, as I am using the callback. How can I check if I am signing my token properly?
I am using Python.
Ryszard Szopa – 3 years ago
OK, the token indeed turned out to be expired. However, I am still getting the 'Invalid Signature' error.
JR Conlin – 3 years ago
Well, the best solution is to use a good OAuth Library that handles signature generation for you. If you need to roll your own, you can use the OAuth Test Page to check your signature against one generated by a working library. (You can cut and paste in your own timestamp and nonce values, and if you click on the gray "advanced" link at the bottom right corner of the form, you can change the method and see the SBS that's generated. If you are not good Mr. Szopa and have no idea what any of that means, PLEASE use a library.)
In addition, Kent has put together a great, working tutorial for fetching auth signatures.
All of these are linked to on the Resources page. <http://developer.netflix.com/page/Resources>
Ryszard Szopa – 3 years ago
JR, thanks for your answer.
Now, I failed to mention it, but I *am* using a library, Kirsten Jones' oauth.py. As I said, everything works fine until the moment when I am supposed to get the access token, after the user has entered her credentials in Netflix' login window. In one of your previous posts you mentioned that one shouldn't use .NET's HttpUtility.UrlEncode(). Is it possible that there's a similar issue with Python's urllib.urlencode?
JR Conlin – 3 years ago
I don't believe so, but I don't have enough experience with Kirsten's library to say with any authority. The problem with the .Net implementation is that the default URL encoder uses lower case for hex encoding (e.g. %2b instead of %2B). While that's fine for URL encoding, it's a problem for things that use those characters as part of a cryptographic key (where %+2+b would not equal %+2+B).
There are a few other things you should be aware of:
1. The Temporary Request Token is only good for one request.
2. You can only make a permanent Request Token request after the user has logged in.
3. You must sign the login page with the same temporary request token you use to make the final Request Token request.
Those three things usually catch up a lot of folks. If you haven't done so yet, try going through Kent's walkthrough. It really does an excellent job describing the steps. If you can get a request token with that, but not your call, you'll have a better idea what the problem may be.
Ryszard Szopa – 3 years ago
It turned out that I was adding GET parameters to the request, which invalidated the oauth signature. So, it was all my fault in the end. Thanks for your help, JR!
JR Conlin – 3 years ago
No Worries! Glad to hear you figured it out.
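Added example, not part of the original thread and not code from oauth.py or Netflix: a small OAuth 1.0 HMAC-SHA1 signer and verifier that reproduces the two signature failures discussed above, lower-case percent-encoding and a query parameter added after signing. The secrets, token, nonce, timestamp and `extra_param` are constructed sample values.

```python
import base64, hashlib, hmac, re
from urllib.parse import quote

def pct(value, lowercase_hex=False):
    # OAuth 1.0 encoding: only A-Z a-z 0-9 - . _ ~ stay literal; quote() emits upper-case hex.
    out = quote(str(value), safe="-._~")
    if lowercase_hex:  # simulate an encoder that emits %2b instead of %2B
        out = re.sub(r"%[0-9A-F]{2}", lambda m: m.group(0).lower(), out)
    return out

def base_string(method, url, params, lowercase_hex=False):
    # Signature base string (SBS): METHOD & encoded URL & encoded, sorted parameter list.
    enc = lambda v: pct(v, lowercase_hex)
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret="", lowercase_hex=False):
    # The HMAC-SHA1 key is "consumer_secret&token_secret" (here the temporary token's secret).
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    sbs = base_string(method, url, params, lowercase_hex).encode()
    return base64.b64encode(hmac.new(key, sbs, hashlib.sha1).digest()).decode()

def verify(method, url, params, signature, consumer_secret, token_secret=""):
    # Server side: recompute over every parameter received, compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values (not real credentials).
URL = "http://api.netflix.com/oauth/access_token"
CONSUMER_SECRET, TOKEN_SECRET = "constructed-consumer-secret", "constructed-token-secret"
PARAMS = {
    "oauth_consumer_key": "constructed-key", "oauth_token": "constructed+temp/token=",
    "oauth_nonce": "n0nce", "oauth_timestamp": "1300000000",
    "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}

def demo():
    check = lambda params, sig: verify("GET", URL, params, sig, CONSUMER_SECRET, TOKEN_SECRET)
    good = sign("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    lower = sign("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET, lowercase_hex=True)
    extra = dict(PARAMS, extra_param="1")  # hypothetical parameter appended after signing
    return {
        "correct": check(PARAMS, good),
        "lowercase_hex": check(PARAMS, lower),
        "param_added_after_signing": check(extra, good),
        "param_signed": check(extra, sign("GET", URL, extra, CONSUMER_SECRET, TOKEN_SECRET)),
    }

if __name__ == "__main__":
    print(demo())
```

Printing `base_string(...)` for a failing request and comparing it with the SBS shown by the OAuth Test Page is the quickest way to see which of the two cases applies.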