2

I am trying to authenticate with the Withings API. I have got the consumer key and secret correctly and am able to get to the app page, and I can also authenticate with the API.

The problem is that it is not coming back, instead showing a 404 error: page not found. I have cross-checked the callback URL many times.

Here's the URL.

This is the code I am trying to authenticate with: Documentation, Gem1, Gem2.

I want to get the user back to my application.

    @callback_url = 'http://127.0.0.1:3000/auth/withings/callback'
    @consumer = OAuth::Consumer.new(WITHINGS_KEY, WITHINGS_SECRET, {
        :site => 'https://oauth.withings.com',
        :request_token_path => '/account/request_token',
        :access_token_path => '/account/access_token',
        :authorize_path => '/account/authorize'
    })
    @request_token = @consumer.get_request_token(:oauth_callback => @callback_url)
    session[:request_token] = @request_token
    redirect_to @request_token.authorize_url(:oauth_callback => @callback_url)
Austin Mullins
Ashwin Yaprala

2 Answers

2

Well, I think you should not use third-party libraries, because

    @request_token.authorize_url(:oauth_callback => @callback_url)

returns an incorrect URL.

Try to make your own implementation of OAuth.

1) Use the HMAC-SHA1 algorithm on this string:

GET&https%3A%2F%2Foauth.withings.com%2Faccount%2Frequest_token&oauth_callback%3Dhttp%3A%2F%2F127.0.0.1%3A3000%2Fauth%2Fwithings%2Fcallback%26oauth_consumer_key%3D{WITHINGS KEY}%26oauth_nonce%3D{RANDOM STRING}%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D{CURRENT TIME}%26oauth_version%3D1.0

This string contains 3 parts: {METHOD} + "&" + {ENCODED REQUEST URL} + "&" + {ENCODED REQUEST QUERY PART}

SECRET KEY for signing: {WITHINGS SECRET}+"&"

Finally, encode the resulting signature.

2) Send request to the URL:

https://oauth.withings.com/account/request_token?oauth_callback=http%3A%2F%2F127.0.0.1%3A3000%2Fauth%2Fwithings%2Fcallback&oauth_consumer_key={WITHINGS KEY}&oauth_nonce={NONCE FROM STEP 1}&oauth_signature={RESULT OF STEP 1}&oauth_signature_method=HMAC-SHA1&oauth_timestamp={TIMESTAMP FROM STEP 1}&oauth_version=1.0

3) Parse response body. Get OAUTH TOKEN and OAUTH SECRET.

4) Use the HMAC-SHA1 algorithm on this string:

GET&https%3A%2F%2Foauth.withings.com%2Faccount%2Fauthorize&oauth_callback%3Dhttp%3A%2F%2F127.0.0.1%3A3000%2Fauth%2Fwithings%2Fcallback%26oauth_consumer_key%3D{SECRET KEY}%26oauth_nonce%3D{RANDOM STRING}%26oauth_signature_method%3DHMAC-SHA1%26oauth_token%3D{OAUTH TOKEN}%26oauth_timestamp%3D{CURRENT TIME}%26oauth_version%3D1.0

SECRET KEY for signing: {WITHINGS SECRET}+"&" + {OAUTH SECRET}

Finally, encode the resulting signature.

5) Redirect user to the URL:

https://oauth.withings.com/account/rauthorize?oauth_callback=http%3A%2F%2F127.0.0.1%3A3000%2Fauth%2Fwithings%2Fcallback&oauth_consumer_key={WITHINGS KEY}&oauth_nonce={NONCE FROM STEP 4}&oauth_signature={RESULT OF STEP 4}&oauth_signature_method=HMAC-SHA1&oauth_token={OAUTH TOKEN}&oauth_timestamp={TIMESTAMP FROM STEP 4}&oauth_version=1.0
Aries
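An added example, not part of the answer above and not code from Withings or the gems: the signing in steps 1, 2 and 4 written in Ruby according to RFC 5849, using only the standard library. The helper names, `EXAMPLE_KEY`, `EXAMPLE_SECRET`, the nonce and the timestamp are constructed for illustration. Following the RFC, parameters are sorted by name, and the callback value is percent-encoded once as a parameter and again when the whole parameter string is encoded into the base string.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay literal.
def pct(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |ch| ch.bytes.map { |b| format('%%%02X', b) }.join }
end

# METHOD & encoded URL & encoded, name-sorted parameter string (the three parts in step 1).
def signature_base_string(method, url, params)
  normalized = params.map { |k, v| [pct(k), pct(v)] }.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, pct(url), pct(normalized)].join('&')
end

# Key is consumer secret + "&" + token secret; the token secret is empty until step 3 returns one.
def sign(base_string, consumer_secret, token_secret = '')
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA1', key, base_string))
end

# Final URL: the same parameters plus the percent-encoded signature (steps 2 and 5).
def signed_url(method, url, params, consumer_secret, token_secret = '')
  sig = sign(signature_base_string(method, url, params), consumer_secret, token_secret)
  query = params.merge('oauth_signature' => sig).map { |k, v| "#{pct(k)}=#{pct(v)}" }.join('&')
  "#{url}?#{query}"
end

# Per-request values: an unpredictable nonce and the current Unix time.
def oauth_params(consumer_key, callback)
  { 'oauth_callback' => callback, 'oauth_consumer_key' => consumer_key,
    'oauth_nonce' => SecureRandom.hex(16), 'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp' => Time.now.to_i.to_s, 'oauth_version' => '1.0' }
end

# Constructed sample input: nonce and timestamp are pinned so the result is reproducible.
REQUEST_TOKEN_URL = 'https://oauth.withings.com/account/request_token'
SAMPLE_PARAMS = oauth_params('EXAMPLE_KEY', 'http://127.0.0.1:3000/auth/withings/callback')
                .merge('oauth_nonce' => 'abc123', 'oauth_timestamp' => '1362380000').freeze
SAMPLE_URL = signed_url('GET', REQUEST_TOKEN_URL, SAMPLE_PARAMS, 'EXAMPLE_SECRET')
```

For step 4, add `oauth_token` to the parameters and pass the token secret from step 3 as the last argument.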
0

There are missing oauth_consumer_key, oauth_signature and other oauth fields in the example link.

Aries
  • WITHINGS_KEY and WITHINGS_SECRET are the consumer key and consumer secret. Withings didn't give any oauth_signature; it gave only the consumer key and secret – Ashwin Yaprala Mar 04 '13 at 07:15
  • Yes. But look at the example request from the documentation. A request must contain the following fields: oauth_callback (encoded redirect url), oauth_consumer_key (WITHINGS_KEY), oauth_nonce (random string), oauth_signature (request signing with Consumer Secret), oauth_signature_method (signing method (HMAC-SHA1)), oauth_timestamp (current time), oauth_token (request token received from https://oauth.withings.com/account/request_token), oauth_version (1.0). – Aries Mar 04 '13 at 19:26
  • Is the call_back required to be a live site in order to get the response? I'm getting an error 500 and wondering if I now need a live site up. – Erik Jul 08 '14 at 18:17