Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP


400 Errors coming back from Vimeo #4

evz opened this Issue · 2 comments

2 participants

evz commented

So, I don't know if this is something new, because I'm just now dusting off some code that I haven't touched since last fall, but I've been running into issues using this API wrapper today and wondered if there was something missing here.

First a bit of context. I'm using this inside a Django application to create a decorator for views that need to access the Vimeo API. The code I was using looks a bit like this:

import oauth2 as oauth
from django.conf import settings
from django.http import HttpResponseRedirect

def require_vimeo_auth(view):
    """View decorator, redirects users to Vimeo when no valid
    authentication token is available."""

    def protected_view(request, *args, **kwargs):
        request.session['next'] = request.path
        if 'vimeo_access_token' in request.session:
            vimeo_access_token = request.session['vimeo_access_token']
            vimeo_access_secret = request.session['vimeo_access_secret']
            vimeo_access_token = None
            vimeo_access_secret = None

        v = vimeo.VimeoClient(key=settings.VIMEO_API_KEY, secret=settings.VIMEO_API_SECRET, token=vimeo_access_token, token_secret=vimeo_access_secret)
        if vimeo_access_token:
            # We have a token, but it might not be valid
            except vimeo.VimeoAPIError:
                vimeo_access_token = None
                vimeo_access_secret = None
                del request.session['vimeo_access_token']
                del request.session['vimeo_access_secret']
        if not vimeo_access_token:
            # No valid token, so redirect to Vimeo
            request.session['vimeo_token'] = v.token.key
            request.session['vimeo_token_secret'] = v.token.secret
            url = v.get_authorization_url()
            return HttpResponseRedirect(url)

        # If the token is valid, we can call the decorated view.
        return view(request, *args, **kwargs)

    return protected_view

It's basically lifted directly from the excellent python flickrapi docs and worked fine until I started poking around in there this morning. Whenever I call the get_request_token method, Vimeo is giving me a 400 error back. I did a bit of digging and it seems that the reason it's a 400 and not something like a 401, is because the Vimeo OAuth process now requires that you send the callback url as part of the body of the request as well as in the authorization header. In fact, the specific error message that I was getting said as much.

However, it seems that there may be something larger going on here because whenever I try the authentication process using the oauth2 module, I'm unable to put the signature for the request together in a way that Vimeo likes. It returns a 401 saying that the signature is bad.

Using the python-requests module, I was able to get an oath_token and secret back from Vimeo, but it only worked once and I haven't tracked down what it was that I changed. Here's how that worked:

import requests
import random
import hmac
import time
import oauth2 as oauth
from django.conf import settings

url = ''
callback = ''
nonce = str(random.randint(0, 100000000))
timestamp = str(int(time.time()))

params = {
    'oauth_callback': callback,
    'oauth_nonce': nonce,
    'oauth_signature_method': 'HMAC-SHA1',
    'oauth_timestamp': timestamp,
    'oauth_version': '1.0'
consumer = oauth.Consumer(key=settings.VIMEO_API_KEY, secret=settings.VIMEO_API_SECRET)
params['oauth_consumer_key'] = consumer.key
req = oauth.Request(method='GET', url=url, parameters=params)
signature_method = oauth.SignatureMethod_HMAC_SHA1()
req.sign_request(signature_method, consumer, None)
header_list = []
for k,v in req.items():
    header_list.append(k + '=' + v + '')
headers = {'Authorization': ','.join(header_list)}
r = requests.get(url, headers=headers)

It's a bit weird but it worked. Anyways, I'm starting to think Vimeo may be having issues but before I start bombing them, I'd like to get some kind of verification one way or the other.


dkm commented

thanks for the feedback and the very detailed study of your problem. Unfortunately, I'm not really maintaining this module anymore (lack of usefulness...). I've just pulled a merge from someone linking to your ticket with a patch dealing with the callback during the oauth process. Maybe this patch will also fix your problem ?

evz commented

It looks like that addresses the issue I was having. I went ahead and forked this repo and will go ahead and submit a pull request the next time I run into an issue.

@evz evz closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.