Getting HTTP 401 on for access_token one some server

David S.309 · ‎01-11-2016

Hi guys,

We came across a strange issue, when trying to get a access token the the OAuth1 API, the successive calls to "request_token" and "authorize" are working fine, but its is time to access "https://api.dropbox.com/1/oauth/access_token", we receive an Unauthorized/401 response for the POST.

What is the more strange is that the exact same code is used on at least one other server without any issues.

Do you have an idea of what can cause this ? Thanks.

David.

Greg-DB · ‎01-11-2016

It's difficult to say off hand. Can you share some sample requests/responses showing the issue in detail? Be sure to redact secret values, but please include the headers/bodies. Thanks in advance!

David S.309 · ‎01-12-2016

Hi Gregory,

Thanks for your quick response:

We call to:

https://api.dropbox.com/1/oauth/access_token?oauth_consumer_key=sbbviyc3ydrd8n4&oauth_nonce=MTY5MDU3MDQ5MzY1MDk2OTYwMA==&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1452581278&oauth_token=UCrgcXsS1mbVjiKX&oauth_token_secret=YYYYY&oauth_version=1.0&oauth_signature=l0H7LPwqnAwwa1cEDhnJpCr13nQ%3D

The Request header:

Accept	`text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8`
Accept-Encoding	`gzip, deflate`
Accept-Language	`fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3`
Connection	`keep-alive`
Cookie	`language=fr; _ga=GA1.2.148585141.1451996517; JSESSIONID=19B84D1F6D6592685286D7FF53B5071F`
DNT	`1`
Host	`ocrqa.iriscloud.irislink.com`
Referer	`https://www.dropbox.com`
User-Agent	`Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0`

The Response header:

Connection	`close`
Content-Language	`fr`
Content-Length	`4241`
Content-Type	`text/html;charset=utf-8`
Date	`Tue, 12 Jan 2016 06:47:59 GMT`
Server	`Apache-Coyote/1.1`

As we use a Java servlet to perform POST/GET, the issue arise when post to the URL above when trying to fetch the response:

Small code sample:

URL iurl = new URL(url);

HttpURLConnection uc = null;
uc = (HttpURLConnection) iurl.openConnection(Proxy.NO_PROXY);
uc.setAllowUserInteraction(true);
uc.setInstanceFollowRedirects(true);
uc.setUseCaches(false);
uc.setRequestProperty("Connection", "close");
uc.setRequestProperty("User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)");
uc.setRequestMethod("POST");
uc.setDoOutput(false);
uc.connect();

Is that what you need ?

Br,

David

Greg-DB · ‎01-12-2016

A few things to note:

- Are those all of the response headers? E.g., is there a X-Dropbox-Request-Id header?

- What's the response body?

- The response server headers contain unexpected values. E.g., the server header says "Apache-Coyote/1.1", but "nginx" is expected. Is it possible something is interfering with your connection?

- You're using HMAC-SHA1 signing, which can be hard to implement and debug. We highly recommend using PLAINTEXT instead. This blog post may be helpful.

- You're supplying a oauth_token_secret parameter, which isn't expected.

David S.309 · ‎01-13-2016

Hi,

In fact, we use a Java servlet (in a Apache Tomcat) to perform the call/Authorization flow.

I will look to get the Response Header more precisely. I will also look to use PLAINTEXT instead of HMAC-SHA1. The only things that bothers the team I'm in is that the existing code works flawlessly on at least two other servers.

I will post the response headers field value asap.

Thanks for your time.

David.

David S.309 · ‎01-15-2016

Hi,

Re-writing the OAuth part to use authorization header (instead of URL parameters) and using PLAINTEXT instead of HMAC-SHA1 for the signature have solved the issue.

Thanks for you time and quick answers !

Br,

David.

Getting HTTP 401 on for access_token one some server

Getting HTTP 401 on for access_token one some server

Top contributors to this post