[DUG] Xero private API (OAuth)

Jolyon Smith jsmith at deltics.co.nz
Tue Jul 8 16:13:49 NZST 2014


How you have encoded your private key could be crucial.

You will note that the RSAUtils...() methods that accept string keys assume
that these are provided as base64 encoded.  It's been a while since I
worked with them but I believe the PKCS#8 format uses octet strings and you
cannot just substitute one for the other.  You would first have to
Hex2Bin() the octet string then base64 encode the result.

This may seem a bit "round the houses", but bear in mind that the code
Cameron has shared was never intended as a general purpose wrapper for
OAuth.

As for validating signatures, this is a tricky exercise.  There are some
online resources that you can use to generate signatures which you could
use to compare your signatures with other results, but I didn't find these
to be much use.  It's easy to tell that your signature is wrong.  It's all
but impossible to figure out /why/.




On 8 July 2014 15:32, Robert Martin <rob at chreos.co.nz> wrote:

> Brilliant!
>
> I am almost there.  My test code, shown below, now runs but returns
> 'oauth_problem=signature_invalid&oauth_problem_advice=Failed%20to%20validate%20signature'
>
>
>
> var
>     HTTPStream              : TStringStream;
>     FormParams              : TStringList;
>     URL                     : AnsiString;
>     HTTPResonse             : AnsiString;
> begin
>     FormParams := TStringList.Create;
>     HTTPStream := TStringStream.Create('');
>     try
>         URL := 'https://api.xero.com/api.xro/2.0/TaxRates';
>
>         try
>             OAuthSignRequest(fIdHTTP.Request, 'TaxRates', URL, FormParams);
>             fIdHTTP.Get(URL, HTTPStream);
>         except
>             on e : EIdHTTPProtocolException do begin
>                 Memo1.Text := e.ErrorMessage;
>             end;
>         end;
>         HTTPStream.Position := 0;
>         HTTPResonse := HTTPStream.ReadString(HTTPStream.Size);
>
>         if (HTTPResonse <> '') then begin
>             Memo1.Text := HTTPResonse;
>         end;
>     finally
>         HTTPStream.Free;
>         FormParams.Free;
>     end;
>
>
> // This is all the code in OAuthSignRequest(...)
>     classFloOAuth.OAuthSignRequest(aRequest, aMethod, aURL, aFormParams,
>         fConsumerKey, fConsumerKey, PRIVATE_KEY);
>
>
> For my private key, I have opened xero_privatekey.pcks8 and set it up as a
> constant (without header, footer and carriage returns).
>
>
> I guess there is some sort of problem with either my encoding or my
> private key (which comes from xero_privatekey.pcks8, created by OpenSSL as
> per Xero instructions).  I suspect it's the encoding and have rechecked the
> code; I discovered a number of places doing a UTF8Encode() on string values
> which I had changed to AnsiString, so I have changed them where appropriate
> to UTF8String.
>
> Do you by any chance know if there is an easy way to validate my
> signature?
>
> Cheers
> Rob
>
>
>
>  On 8/07/2014 2:45 p.m., Jolyon Smith wrote:
>
> From the Xero API docs site:
>
>> Once you have added a private app you will be given a consumer key to
>> use. *The consumer key is also used as the access token. The consumer
>> secret is not used for private apps*.
>
>
>  In the original implementation from which the sample code was provided,
> the application allows for Consumer Key, Access Token, Consumer Secret and
> App Secret all to be configured separately if/as required, and whatever is
> configured is then passed to the request signing method.  This was to
> support potential OAuth based APIs other than Xero which might not
> necessarily employ the same rules.
>
>  i.e. in that application the Consumer Key and Token are configured with
> the same value.
>
>  In your case, for a Xero private app, use the overload which does not
> require any Consumer Secret but only Consumer Key, Token (for Xero, using
> the same value as the Consumer Key) and your application Private Key.
>
>
>
> On 8 July 2014 14:14, Robert Martin <rob at chreos.co.nz> wrote:
>
>>  Hi Jolyon
>>
>> Thanks for that.  I will make it ANSI.  Before I do I have a couple of
>> extra questions, hopefully that will be it....
>>
>> I assume conkey and consecret are my consumer public & private keys.
>> However I am unsure about tok (which I assume is a public token).  In a
>> public app I would be assigned a token as part of the login process, where
>> do I get this from for a private login?  Is it my apps name?
>>
>> Cheers
>> Rob
>>
>>
>>   On 8/07/2014 12:56 p.m., Jolyon Smith wrote:
>>
>>  You can ignore the ProcessTags() calls - essentially they just do
>> variable substitution within the strings involved.
>>
>>  There is no login for private Xero apps, which are tied to a specific
>> Xero organisation.  You need to setup your application on the Xero API end
>> for that specific organisation, to generate the required key and secrets
>> etc which you use to do the signing of your requests.
>>
>>
>> w.r.t Unicode, the code was written for deployment with a pre-Unicode
>> Delphi compiler.  Some of the code was either written for or adapted from
>> libraries which were or had been ANSI-fied to ensure consistent behaviour
>> for use with Unicode versions of Delphi, but the remaining code otherwise
>> assumes ANSI strings.  If you are using a Unicode Delphi version you
>> should change *all* declarations to ANSIString to maintain the intended
>> behaviour and be careful of implicit string conversions when making calls
>> into the routines.
>>
>>
>> To make it properly Unicode enabled may involve more significant change
>> than that.
>>
>>
>>
>>  On 8 July 2014 11:43, Robert Martin <rob at chreos.co.nz> wrote:
>>
>>>  Hi Cameron
>>>
>>> Sorry to bug you but....  I have the code installed and compiling
>>> however I am a bit unsure as to the process involved.
>>>
>>> For Public apps you go through a process of logging in and getting a
>>> token.
>>>
>>> For private applications do you just call the API you want and encode
>>> the call using 'OAuthSignRequest(fHTTP.Request, 'POST', lURL);' or do you
>>> need to do some sort of log in as well?
>>>
>>> In the OAuthSignRequest method there are calls to a function called
>>> ProcessTags( as below...
>>>
>>>     conkey    := ProcessTags(OAuthConsumerKey,    Locals, Partner);
>>>     consecret := ProcessTags(OAuthConsumerSecret, Locals, Partner);
>>>     tok       := ProcessTags(OAuthTokenKey,       Locals, Partner);
>>>     toksecret := ProcessTags(OAuthTokenSecret,    Locals, Partner);
>>>
>>> I guess this function would be in the classFloCommon.pas (not included)
>>> that we 'can easily replace'.  Unfortunately I have no idea what this
>>> function does or what its inputs are aside from it returning a string and
>>> that all the parameters are globals !  Any hints?
>>>
>>>
>>> Sorry to be a pain but this OAuth stuff is like pulling teeth.
>>>
>>>
>>> Cheers
>>> Rob
>>>
>>>
>>>
>>> On 8/07/2014 9:54 a.m., Cameron Hart wrote:
>>>
>>>   This code has been shared with Xero a while ago on their forum.
>>> There's a copy on ftp://ftp.flow.net.nz/RELEASE/Code/
>>>
>>> *Cameron Hart *
>>>
>>>  *Flow Software Limited *
>>>
>>> *From:* delphi-bounces at listserver.123.net.nz *On Behalf Of* Jolyon Smith
>>> *Sent:* Tuesday, 8 July 2014 9:14 a.m.
>>> *To:* NZ Borland Developers Group - Delphi List
>>> *Subject:* Re: [DUG] Xero private API (OAuth)
>>>
>>>
>>> This was a nut I had to crack at Flow.  I was successful in this
>>> endeavour but I'm not at liberty to share the fruits of those labors.  If
>>> you ask nicely however, Cameron might be willing to help.
>>>
>>>
>>> On 8 July 2014 08:52, Robert Martin <rob at chreos.co.nz> wrote:
>>>  Hi
>>>
>>> I have been doing some work with the Xero API and have public OAuth
>>> working fine.  However I actually need to use the private API which
>>> requires RSA-SHA1 which I believe just means RSA signing.  Is that
>>> correct?
>>>
>>>
>>> If so does anyone have any code examples of RSA signing, I have found
>>> LockBox 3 which is supposed to do it but I just can't get it installed,
>>> although the source has a XE2 project group the code is full of errors !
>>>
>>> I am looking at using the OpenSSL dll calls to do it myself as an
>>> alternative but sample code is scarce. I will continue looking but if
>>> anyone has any pointers I would be grateful :)
>>>
>>> Cheers
>>> Rob
>>>
>>> _______________________________________________
>>> NZ Borland Developers Group - Delphi mailing list
>>> Post: delphi at listserver.123.net.nz
>>> Admin: http://delphi.org.nz/mailman/listinfo/delphi
>>> Unsubscribe: send an email to delphi-request at listserver.123.net.nz with
>>> Subject: unsubscribe
>>>
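On the question of validating a signature locally: the sketch below is an added example, not code from this thread or from the Flow library. It builds the OAuth 1.0 signature base string (RFC 5849) for the TaxRates request, signs it with RSA-SHA1 (RSASSA-PKCS1-v1_5 over a SHA-1 digest), and verifies it with the public half, so a failure can be narrowed to either the base string or the key. The key is a constructed, insecure toy key, and the consumer key, timestamp and nonce are constructed placeholders.

```python
import base64
import hashlib
from urllib.parse import quote

def pct(value):
    # RFC 5849 3.6: everything except unreserved characters is %XX-encoded
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # RFC 5849 3.4.1: METHOD & encoded URL & encoded, sorted parameter string.
    # Assumes url is already normalized and carries no query string.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(k + "=" + v for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

# Constructed throwaway key built from two Mersenne primes so the example is
# deterministic and runs offline. It is NOT secure and is not a Xero key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8            # modulus length in bytes
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def emsa_pkcs1_v15(message):
    # 00 01 FF..FF 00 || DigestInfo(SHA-1) || SHA-1(message)
    t = SHA1_DIGESTINFO + hashlib.sha1(message.encode("utf-8")).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(message):
    s = pow(int.from_bytes(emsa_pkcs1_v15(message), "big"), D, N)
    return base64.b64encode(s.to_bytes(K, "big")).decode("ascii")

def verify(message, signature_b64):
    s = int.from_bytes(base64.b64decode(signature_b64), "big")
    return pow(s, E, N).to_bytes(K, "big") == emsa_pkcs1_v15(message)

URL = "https://api.xero.com/api.xro/2.0/TaxRates"
KEY = "EXAMPLE_CONSUMER_KEY"             # constructed placeholder
PARAMS = {"oauth_consumer_key": KEY, "oauth_token": KEY,  # same value for a private app
          "oauth_signature_method": "RSA-SHA1", "oauth_version": "1.0",
          "oauth_timestamp": "1404792829", "oauth_nonce": "constructed-nonce"}

if __name__ == "__main__":
    good = base_string("GET", URL, PARAMS)
    sig = sign(good)                     # sent as oauth_signature, pct()-encoded
    print(good)
    print(verify(good, sig))             # base string and key agree
    print(verify(base_string("POST", URL, PARAMS), sig))  # base string differs
```

If the locally verified signature is still rejected by the server, the remaining suspects are the inputs the two sides disagree on: the method, URL or parameters that went into the base string, or the key the server has on file.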