Amazon FPS Return URL Validation with verifySignature PHP api returning "InvalidSignature"

Question

I'm trying to validate the return URL of Amazon FPS CBUI after the client confirm the payment in the CBUI. I 'm using the code examples from Amazon

    public static function test() {
    $utils = new Amazon_FPS_SignatureUtilsForOutbound();

    $params["signature"] = $_GET['signature'];
    $params["expiry"] = "10/2016";
    $params["signatureVersion"] = $_GET['signatureVersion'];
    $params["signatureMethod"] = $_GET['signatureMethod'];
    $params["certificateUrl"] = $_GET['certificateUrl'];
    $params["tokenID"] = $_GET['tokenID'];
    $params["status"] = $_GET['status'];
    $params["callerReference"] = $_GET['callerReference'];

    $urlEndPoint = "http://example.com/Amazon/IpnReturnUrlValidation/Samples/ReturnUrlVerificationSampleCode.php"; //Your return url end point. 
    print "Verifying return url signed using signature v2 ....\n";
    //return url is sent as a http GET request and hence we specify GET as the http method.
    //Signature verification does not require your secret key
    print "Is signature correct: " . $utils->validateRequest($params, $urlEndPoint, "GET") . "\n";
}

All the parameters that I use from the superglobal variable $_GET have the correct value (I think) but I always get this response:

<Response><Errors><Error><Code>InvalidSignature</Code><Message>The request signature we calculated does not match the signature you provided.</Message></Error></Errors><RequestID>bb922e49-af5e-43ba-a3d0-464ce2851222</RequestID></Response>

I also compared the value from the signature param that Amazon returns vs the one I send to the VerifySignature API and they look the same.

Answer 1

I know this is a little bit late but I solved this problem and posting the solution maybe could help someone else with the same problem.

Apparently I was missing some of the params that Amazon sends through the querystring. In order to validate the signature properly you need to pass EVERY parameter that they send to you. So, I used a construction similar to this:

foreach ($_GET as $key => $value) { }

To add every $_GET parameter/value to the $params and finally sending that back to Amazon to get it validated.