Goodreads Developers discussion

Random OAuth failures - better diagnosis?


message 1: by David (new)

David Robins (dbrobins) | 24 comments Using my application's saved access token to request the auth_user API, I sometimes get a failure ("401 Unauthorized" \ "Invalid OAuth Request"; the 401 response is also missing the required WWW-Authenticate header). It's pretty random: I can run the same code with the same token/secret again and it will succeed.

Would it be possible to provide better diagnosis of these failures? I realize that you don't want to say too much when a security-related request fails, but it would be nice to at least know whether it was a bad signature, expired token, bad nonce, or bad key. Ideally the OAuth Problem Reporting Extension (http://oauth.pbwiki.com/ProblemReporting) could be used to provide detailed - but not security-violating - responses.

(Of those four possibilities listed, it's clear the token hasn't expired since it works subsequently, and that the consumer key isn't bad, for the same reason. I'm not sure what would make a nonce "bad"; if I knew the signature was invalid, then at least it would be a place I could start investigating; perhaps the Perl OAuth::Lite module has some bad calculations.)
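An added example, not part of the original thread or any participant's code: a client-side check that reads the `oauth_problem` parameter defined by the OAuth Problem Reporting extension from a failed response, maps it to the four causes the post lists, and flags a 401 that lacks a WWW-Authenticate header. The function name `diagnose`, the host `provider.example` and both sample responses are assumptions constructed for illustration, and the code only helps against a server that implements the extension.

```python
import re
from urllib.parse import parse_qsl, unquote

# oauth_problem values from the Problem Reporting extension, mapped to the
# four causes named in the post and whether a retry can reasonably help.
PROBLEMS = {
    "signature_invalid":     ("signature", False),
    "token_expired":         ("token", False),
    "token_revoked":         ("token", False),
    "token_rejected":        ("token", False),
    "nonce_used":            ("nonce", True),   # retry with a fresh nonce
    "timestamp_refused":     ("nonce", True),   # retry after fixing clock skew
    "consumer_key_unknown":  ("consumer key", False),
    "consumer_key_rejected": ("consumer key", False),
    "consumer_key_refused":  ("consumer key", True),  # temporary, e.g. throttling
}

def diagnose(status, headers, body=""):
    """Classify a failed OAuth 1.0 response; returns a dict of findings."""
    headers = {k.lower(): v for k, v in headers.items()}
    challenge = headers.get("www-authenticate")
    params = {}
    if challenge and challenge.lower().startswith("oauth"):
        params.update((k, unquote(v))
                      for k, v in re.findall(r'(\w+)="([^"]*)"', challenge))
    if "form-urlencoded" in headers.get("content-type", ""):
        for k, v in parse_qsl(body):   # body fills in what the header lacks
            params.setdefault(k, v)
    problem = params.get("oauth_problem")
    cause, retryable = PROBLEMS.get(problem, ("unknown", False))
    return {
        "missing_challenge": status == 401 and challenge is None,
        "problem": problem,
        "cause": cause,
        "retryable": retryable,
        "advice": params.get("oauth_problem_advice"),
    }

# Constructed sample responses (not captured from any real server).
OPAQUE = (401, {"Content-Type": "text/plain"}, "Invalid OAuth Request")
REPORTED = (401, {"WWW-Authenticate":
    'OAuth realm="https://provider.example/", oauth_problem="nonce_used"'}, "")

if __name__ == "__main__":
    for sample in (OPAQUE, REPORTED):
        print(diagnose(*sample))
```

Logging the returned dict next to the nonce and timestamp that were sent gives a per-request record to compare across failed and successful attempts.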


message 2: by David (new)

David Robins (dbrobins) | 24 comments A request can succeed or fail independently of the timestamp or nonce, i.e. there's nothing the client does differently for failed/successful requests so it appears to be server-side. Can someone there please look into it?


message 3: by David (new)

David Robins (dbrobins) | 24 comments I can run the OAuth attempt in a loop until it succeeds, but that really shouldn't be necessary.


message 4: by Travis (new)

Travis Fischer | 5 comments Last night I started receiving the same issue. I was accessing the auth_user API fine, modified some unrelated code, then re-ran and began getting the unauthorized errors. Did you ever figure out what was wrong?

Thanks in advance.


message 5: by David (new)

David Robins (dbrobins) | 24 comments No, I never did. With all the regressions I ran to see if it was my end, I'm pretty confident now that it's just server flakiness.

FWIW I'm using Perl and OAuth::Lite, so if you're not, at least we've eliminated that as a shared cause.

This unreliability means I'm probably going to end up putting the Goodreads-accessing component of my web app into a daemon which can continue to retry the request and not time out the client.


message 6: by Travis (new)

Travis Fischer | 5 comments I'm using OAConsumer in obj-c. Even after clearing my oauth tokens and reauthorizing, still no luck. I guess I'll hold off for now and focus on other components.


message 7: by David (last edited Apr 16, 2009 07:32PM) (new)

David Robins (dbrobins) | 24 comments Your tokens are fine - you just need to keep retrying until their server lets you in. I can use the same stored access token and eventually succeed (or sometimes it works right away... it's random).


message 8: by Michael (new)

Michael Economy (michaeleconomy) Yikes, we've totally been ignoring this group :(

You guys still having issues?


message 9: by David (new)

David Robins (dbrobins) | 24 comments MICHAEL wrote: "Yikes, we've totally been ignoring this group :(

You guys still having issues?"


I wasn't for a while, and then last night (around 2am Pacific) I got several OAuth failures until I was able to add a new book. Sometimes it works right away, sometimes it fails many times before working.

