OAuth 1.0 encoding of parameters

[yannabraham]

it looks like there is a problem connecting to the fitbit api using the oauth1.0 method: after tokens are retrieved from the api, all calls are rejected with an invalid signature error.

It seems that the issue is with the oauth_signature function using curlEscape, while the OAuth 1.0 specification requires curlPercenEncode (see http://oauth.net/core/1.0/#encoding_parameters for details).

Changing the code solves the issue for the fitbit site, although I could not test whether this breaks anything for other api .

[hadley]

Could you provide a reproducible example? That'll help me develop a test case etc.

[yannabraham]

Sure:

key <- '<edited>'
secret <- '<edited>'
tokenURL <- 'http://api.fitbit.com/oauth/request_token'
accessTokenURL <- 'http://api.fitbit.com/oauth/access_token'
authorizeURL <- 'https://www.fitbit.com/oauth/authorize'

fbr <- oauth_app('fitbitR',key,secret)
fitbit <- oauth_endpoint(tokenURL,authorizeURL,accessTokenURL)

token <- oauth1.0_token(fitbit,fbr)
sig <- sign_oauth1.0(fbr,
    token=token$oauth_token,
    token_secret=token$oauth_token_secret
)

dta <- GET("http://api.fitbit.com/1/user/-/activities/steps/date/2012-08-01/1m.json",sig)
# this will fail unless using curlPercentEncode

is it ok if I send you key, secret, token and the like through a separate email?

[hadley]

Following that link to http://tools.ietf.org/html/rfc5849#page-29 suggests that even curlPercentEncode isn't quite right. I'll probably write my own to guarantee that it's correct.