Xero API auth experience

I am in a bit of a pickle with Xero APIs and Xero. Is there anybody who has been through this and come out the other side? We are simply trying to get past the first hurdle, requesting the OAuth token. We have had success using the HTTPSecureSocket before and already have data flowing to and from ‘other’ applications, but not with OAuth. We think where we are going wrong is not understanding the nonce; we are not really sure what this is. We have our key and secret, and we derive our signature using HMAC-SHA1 from the secret, set version to 1.0…etc.

First pass question, has anybody done this, if so any pearls of wisdom?

This is where we have got to; it's been through so many versions. It might spark someone to tell us what we are getting wrong. Is it the whole approach with headers? It works with others.

HomeWindow.SessionSocket.RequestHeader("oauth_consumer_key") = "TREQA0NERSXYCMBDH2TNKG9WD0EF0T"
HomeWindow.SessionSocket.RequestHeader("oauth_signature_method") = "HMAC-SHA1"
HomeWindow.SessionSocket.RequestHeader("oauth-signature") = "SU12LRK0Z34gb1z91gDvYQ5gax4="
HomeWindow.SessionSocket.RequestHeader("oauth-timestamp") = "1455002226"
HomeWindow.SessionSocket.RequestHeader("oauth-nonce") = "ABCsdf"
HomeWindow.SessionSocket.RequestHeader("oauth-version") = "1.0"

New to the forum, so hope I haven’t asked too much, but thought it was worth a try. Thanks in advance for any help.

The nonce is just a unique number - number once. I generate a string using hex encoded random. Obviously you need a new nonce for every request.

Thanks Wayne, now I am past the first issue and have replaced the dashes with underscores. Yes, if you look above I made a classic typo mistake. That explains a lot.

I am pleased you have explained what nonce meant, I won’t even go into what it means in London slang, and it isn’t a code.

I am now stuck on the signature not being authorised. I am using the Xojo algorithm SHA1 and Crypto.HMAC.

I have tried the consumer key as the key and the data as the secret, I have tried the other way round, I have tried just the secret as the key with no data, etc etc.

Would you know if I am even on the right track? Or have I completely misunderstood it?
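Added example, not part of the thread and not Xero's or Xojo's own code: how RFC 5849 (OAuth 1.0) builds an HMAC-SHA1 signature for a request-token call, written in Python rather than Xojo. The HMAC key is the consumer secret, an `&`, and the token secret (empty at this stage); the HMAC data is the signature base string. The URL, credentials and function names are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    # RFC 5849 3.6: only A-Z a-z 0-9 - . _ ~ stay unencoded
    return quote(str(value), safe="-._~")

def new_nonce():
    # Fresh random value per request, hex encoded (128 bits)
    return secrets.token_hex(16)

def base_string(method, url, params):
    # Encode every name and value, sort, join, then encode the joined string again.
    # Assumes url is already normalized: lowercase host, no query, no default port.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Key: encoded consumer secret + "&" + encoded token secret.
    # The "&" is present even while the token secret is empty.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    data = base_string(method, url, params)
    digest = hmac.new(key.encode(), data.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def request_token_header(url, consumer_key, consumer_secret,
                         callback="oob", nonce=None, timestamp=None):
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or new_nonce(),
        "oauth_version": "1.0",
        "oauth_callback": callback,
    }
    # The signature covers every parameter above; it is added afterwards
    params["oauth_signature"] = sign("POST", url, params, consumer_secret)
    # All oauth_* values travel in ONE Authorization header (RFC 5849 3.5.1)
    fields = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))
    return "OAuth " + fields

if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real endpoint
    print(request_token_header("https://api.example.com/oauth/RequestToken",
                               "CONSTRUCTED_KEY", "CONSTRUCTED_SECRET"))
```

The consumer key never enters the HMAC key; it is only one of the signed parameters, so swapping key and secret yields a signature the server will reject.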