What is wrong with my ETrade OAuth request for a token?

Time: 2013-06-13 04:28:32

Tags: perl command-line oauth wget etrade-api

The server is responding with a not very helpful message.

  

Unable to get request token: request for https://etwssandbox.etrade.com/oauth/sandbox/request_token?oauth_callback=oob&oauth_consumer_key=aaf0812a4bcc6e4c21783af47cf88237&oauth_nonce=3495463522&oauth_signature=ykqRaZc18GwIoqHtYqtxzsMq4xs%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1371092839&oauth_version=1.0 failed, HTTP/1.1 400 Bad Request

Connection: close
Content-Length: 62
Client-Date: Thu, 13 Jun 2013 03:07:19 GMT
Client-Peer: 12.153.224.230:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
Client-SSL-Cert-Subject: /C=US/ST=New York/L=New York/O=ETRADE FINANCIAL CORPORATION/OU=Global Information Security/CN=etwssandbox.etrade.com
Client-SSL-Cipher: RC4-MD5

<html><body><b>Http/1.1 400 Bad Request</b></body> </html>

OK, I'll try using a header. All required parameters are present.

  

$ wget -d -O- --header='Authorization: OAuth realm="",oauth_callback="oob",oauth_consumer_key="aaf0812a4bcc6e4c21783af47cf88237",oauth_nonce="3495463522",oauth_signature="ykqRaZc18GwIoqHtYqtxzsMq4xs%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1371092839",oauth_version="1.0"' 'https://etwssandbox.etrade.com/oauth/sandbox/request_token'

Setting --output-document (outputdocument) to -
Setting --header (header) to Authorization: OAuth realm="",oauth_callback="oob",oauth_consumer_key="aaf0812a4bcc6e4c21783af47cf88237",oauth_nonce="3495463522",oauth_signature="ykqRaZc18GwIoqHtYqtxzsMq4xs%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1371092839"
DEBUG output created by Wget 1.13.4 on cygwin.

URI encoding = `UTF-8'
--2013-06-12 23:08:33--  https://etwssandbox.etrade.com/oauth/sandbox/request_token
Resolving etwssandbox.etrade.com (etwssandbox.etrade.com)... 12.153.224.230, 198.93.34.230
Caching etwssandbox.etrade.com => 12.153.224.230 198.93.34.230
Connecting to etwssandbox.etrade.com (etwssandbox.etrade.com)|12.153.224.230|:443... connected.
Created socket 3.
Releasing 0x80733128 (new refcount 1).

---request begin---
GET /oauth/sandbox/request_token HTTP/1.1
User-Agent: Wget/1.13.4 (cygwin)
Accept: */*
Host: etwssandbox.etrade.com
Connection: Keep-Alive
Authorization: OAuth realm="",oauth_callback="oob",oauth_consumer_key="aaf0812a4bcc6e4c21783af47cf88237",oauth_nonce="3495463522",oauth_signature="ykqRaZc18GwIoqHtYqtxzsMq4xs%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1371092839"

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 400 Bad Request
Content-Length:62
Connection: close

---response end---
400 Bad Request
2013-06-12 23:08:34 ERROR 400: Bad Request.

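That's still no help. Let me verify the signature. Note that my key and secret are correct.

First, URL-encode all of the parameters to form the base string for signing.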

  

$ perl -MURI::Escape -e "print uri_escape('oauth_callback=oob&oauth_consumer_key=aaf0812a4bcc6e4c21783af47cf88237&oauth_nonce=3495463522&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1371092839&oauth_version=1.0')"

     

oauth_callback%3Doob%26oauth_consumer_key%3Daaf0812a4bcc6e4c21783af47cf88237%26oauth_nonce%3D3495463522%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1371092839%26oauth_version%3D1.0

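Now hash with HMAC-SHA1, encode with Base64 (with no trailing newline), and URL-encode the resulting signature.

There is an ampersand at the end of the consumer secret because we don't have a token secret yet (it is empty).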

  

$ perl -MDigest::HMAC_SHA1=hmac_sha1 -MMIME::Base64 -MURI::Escape -e "print uri_escape(encode_base64(hmac_sha1('GET&https%3A%2F%2Fetwssandbox.etrade.com%2Foauth%2Fsandbox%2Frequest_token&oauth_callback%3Doob%26oauth_consumer_key%3Daaf0812a4bcc6e4c21783af47cf88237%26oauth_nonce%3D3495463522%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1371092839%26oauth_version%3D1.0','xxxxxxxxxxxxxxxxxxxx&'),''))"

ykqRaZc18GwIoqHtYqtxzsMq4xs%3D

This signature matches the one above.

The spec is here: http://oauth.net/core/1.0a/#signing_process

The ETrade spec is here: https://us.etrade.com/ctnt/dev-portal/getDetail?contentUri=V0_Documentation-AuthorizationAPI-GetRequestToken
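The signing steps from the question, generalized into a small Perl script as an added example (not code from the original post or from ETrade). The `enc`, `base_string` and `sign` helpers and the `example.invalid` URL are hypothetical, and the consumer secret is the question's masked placeholder, so the printed signatures will not equal the one shown above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::HMAC_SHA1 qw(hmac_sha1);
use MIME::Base64 qw(encode_base64);
use URI::Escape qw(uri_escape);

# Percent-encode everything except the RFC 3986 unreserved characters.
sub enc { return uri_escape($_[0], '^A-Za-z0-9\-._~') }

# Base string: METHOD & enc(URL) & enc(sorted "name=value" pairs joined by "&").
# Sorting by name is enough here because no parameter name repeats.
sub base_string {
    my ($method, $url, %p) = @_;
    my $params = join '&', map { enc($_) . '=' . enc($p{$_}) } sort keys %p;
    return join '&', uc($method), enc($url), enc($params);
}

# HMAC key: enc(consumer secret) & enc(token secret). The token secret is
# empty at the request-token step, which leaves the trailing "&".
sub sign {
    my ($base, $consumer_secret, $token_secret) = @_;
    my $key = enc($consumer_secret) . '&' . enc($token_secret // '');
    return encode_base64(hmac_sha1($base, $key), '');    # '' = no newline
}

my %oauth = (    # values copied from the question
    oauth_callback         => 'oob',
    oauth_consumer_key     => 'aaf0812a4bcc6e4c21783af47cf88237',
    oauth_nonce            => '3495463522',
    oauth_signature_method => 'HMAC-SHA1',
    oauth_timestamp        => '1371092839',
    oauth_version          => '1.0',
);
my $secret = 'xxxxxxxxxxxxxxxxxxxx';    # masked placeholder, as in the question
my $url    = 'https://etwssandbox.etrade.com/oauth/sandbox/request_token';
my $other  = 'https://example.invalid/oauth/request_token';    # hypothetical

# The generated base string must equal the one hashed by hand in the question.
my $expected = 'GET&https%3A%2F%2Fetwssandbox.etrade.com%2Foauth%2Fsandbox%2Frequest_token&oauth_callback%3Doob%26oauth_consumer_key%3Daaf0812a4bcc6e4c21783af47cf88237%26oauth_nonce%3D3495463522%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1371092839%26oauth_version%3D1.0';
die "base string mismatch\n" unless base_string('GET', $url, %oauth) eq $expected;

# Method and URL are signed too, so each endpoint needs its own signature.
for my $u ($url, $other) {
    my $sig = sign(base_string('GET', $u, %oauth), $secret);
    print "$u\n  oauth_signature=", enc($sig), "\n";
}
```

Because the request URL is part of the signed base string, a signature computed for one endpoint cannot be reused when the request is sent to a different host or path.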

1 answer:

Answer 0: (score: 3)

ETrade's documentation is broken. They specify using a different host and URL in the Sandbox environment

https://us.etrade.com/ctnt/dev-portal/getContent?contentUri=V0_Documentation-DeveloperGuides-Sandbox

But for OAuth, they don't. That part is never mentioned anywhere, and I had to look at the source code of one of the SDKs to find it.

| Environment | URL |
|---|---|
| Production | https://etws.etrade.com/{module}/rest/{API} |
| Sandbox | https://etwssandbox.etrade.com/{module}/sandbox/rest/{API} |