OAuth timestamp issue

Jun 08, 2012

Tom Decroix says:

Hello,

During implementation of the Locations API we encountered an issue where the smartphone doesn't get any results because of an issue with the timestamp verification in OAuth.

On the net we found the following explication:

"The timestamp value MUST be a positive integer and MUST be equal or greater than the timestamp used in previous requests."

Our implementation is based on the same ConsumerKey for all users. Our question: how can we use your webservice with several devices using the same ConsumerKey?

Many thanks for a quick reply

Kind regards

  1. Jun 08, 2012

    Josh Kessler says:

    How are you generating your timestamp? If you generate based on Universal Time, it should still be greater than previous requests, correct? The only way it could be earlier in time is if time zones were involved.

    Or, you could create a server based query that passes the data through to the end user, this way there would really only be one component (so time zones would be irrelevant) interacting with the location API, and multiple clients hitting that one component.

  2. Jun 08, 2012

    Dan Martin says:

    We do not require that timestamps be greater than all prior requests. We only require that the timestamp be within a certain buffer of "now". I'd rather not publicize how big our buffer is, but I can assure you it is plenty to allow for discrepancies in machines, network latency, etc.

    If you are hitting timestamp errors, your time isn't within this buffer. Remember that this timestamp is in GMT, so it isn't affected by timezones.

    The only other requirement is that your nonce must be unique within a timestamp. If you send multiple requests with the same timestamp, each must have a different nonce.

  3. Jun 11, 2012

    Tom Decroix says:

    Hello,

    We have integrated the location API directly on a mobile app (iPhone and Android) without any bridge on our server.

    The problem is that a lot of people have their phone incorrectly configured and thus get an INVALID_TIMESTAMP error. Can we remove the timestamp check for a particular ConsumerKey (ours)?

    I'm happy to hear that you don't ensure the timestamp to be greater than prior requests because if it was the case, one person with his phone configured in the future can break the API for all the other users.

    Thank you very much for your help.

    PS: we generate the timestamp on Android using System.currentTimeMillis()/1000 and on iPhone: NSDate timeIntervalSince1970

    1. Jun 11, 2012

      Dan Martin says:

      Sorry, we would not allow an exception. The timestamp is a key part of the security built into OAuth, and an exception is not something we could allow.

      A mobile phone's date and time is usually set by the network. We've had some very widely used mobile apps integrate with our API, and I've never had any other integrator express issue with the OAuth timestamp. Further, OAuth is commonly used in APIs that are consumed by mobile apps (Twitter, Facebook, Google, and many others), and I've never seen concern for the OAuth timestamp.

      Are you really seeing this problem in the wild? Or are you assuming you'll have this problem?
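
The two server-side checks described in this thread (timestamp within a buffer of the server's "now", nonce unique within a timestamp), sketched as an added example that is not part of the original discussion and not MasterCard's code. The 300-second window, the `NONCE_REUSED` label, the class name and all sample values are assumptions; the real buffer size is not published.

```python
import time


class TimestampNonceCheck:
    """Timestamp-window and nonce-replay check for OAuth 1.0a requests."""

    def __init__(self, window_seconds=300, clock=time.time):
        # window_seconds is an assumed value, not the API's real buffer.
        self.window = window_seconds
        self.clock = clock  # injectable so the check can be tested offline
        self.seen = {}      # (consumer_key, timestamp) -> set of nonces

    def check(self, consumer_key, oauth_timestamp, oauth_nonce):
        now = int(self.clock())
        try:
            ts = int(oauth_timestamp)  # must be whole seconds since the epoch
        except (TypeError, ValueError):
            return "INVALID_TIMESTAMP"  # e.g. fractional seconds sent as text
        if ts <= 0 or abs(now - ts) > self.window:
            return "INVALID_TIMESTAMP"
        # Forget nonces whose timestamp has left the window: replaying them
        # is already rejected by the timestamp test above.
        for key in [k for k in self.seen if now - k[1] > self.window]:
            del self.seen[key]
        nonces = self.seen.setdefault((consumer_key, ts), set())
        if oauth_nonce in nonces:
            return "NONCE_REUSED"  # hypothetical label for a replayed nonce
        nonces.add(oauth_nonce)
        return "OK"


def demo():
    now = [1339400000]  # constructed Unix time in seconds (UTC)
    v = TimestampNonceCheck(clock=lambda: now[0])
    key = "shared-consumer-key"  # constructed: one key for every device
    return [
        v.check(key, now[0] + 7200, "n0"),  # phone clock two hours fast
        v.check(key, now[0], "n1"),         # device with a correct clock
        v.check(key, now[0], "n2"),         # same second, different nonce
        v.check(key, now[0] - 20, "n3"),    # earlier timestamp, inside window
        v.check(key, now[0], "n1"),         # replay of an accepted request
    ]


if __name__ == "__main__":
    print(demo())
```

Because nothing is compared against the previous request's timestamp, the device with the fast clock is rejected on its own and the requests from other devices sharing the key are unaffected.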


© 1994-2014. MasterCard. All rights reserved.