Goodreads Developers discussion

How to get User ID?

Comments Showing 1-50 of 53

message 1: by Shawn (new)

Shawn Looker (slooker) | 20 comments Hello all,

I've finally gotten my OAuth working correctly... from a browser I can do lots of wonderful things, but what I'm really not sure how to do is just to get the user id of the user that signed in via OAuth. Without that, it's hard to do anything else for that user.

I've seen that there is an auth_user call, but there's not much data on how to use it, and I'm not sure how to use it myself. Can anyone please shed some light on how to use this call? No matter what I do, I get Invalid Oauth.

message 2: by Shawn (new)

Shawn Looker (slooker) | 20 comments Anyone have any suggestions? I'm stuck until I can figure this out. ;)

message 3: by Brian (last edited Sep 01, 2009 08:02PM) (new)

Brian (bgstech) | 2 comments Hey Shawn -

Don't know if this helps, I've been working in PHP. But I had the same problem (always getting an Invalid Auth) until I called the auth_user URI with a signed request:

$id = 1;
$uri = '
$req = new OAuthRequester($uri, 'GET', array());
$result = $req->doRequest($id);

Then examine the body of the result.

message 4: by Shawn (new)

Shawn Looker (slooker) | 20 comments But how do you sign the request? I've tried with my key (as key), my secret key (as secret, oauth_secret) and my oauth_token I got after authorizing (as token, oauth_token). In your example, what is array()? What arguments are you passing with the URI?

message 5: by Brian (last edited Sep 02, 2009 04:43PM) (new)

Brian (bgstech) | 2 comments Shawn wrote: "But how do you sign the request? I've tried with my key (as key), my secret key (as secret, oauth_secret) and my oauth_token I got after authorizing (as token, oauth_token). In your example, what..."

No parameters are sent in the URI (so there's no ?key=something or anything like that) -- it's just the plain $uri as indicated above. Any time I try to retrieve that URL with, say, curl, I got the "Invalid OAuth" message. But with the OAuth interface, it works.

As I understand it, when you first set up the OAuth session, the tokens are stored (in the case of oauth-php, it's in a MySQL database). Then when you issue a request, it uses the previously stored information to sign it.

In my example, the third argument needs to be an array, and so all I'm doing there is sending an empty array. After looking at the oauth-php library I believe you could omit it and instead do:

$req = new OAuthRequester($uri, 'GET');

message 6: by Shawn (new)

Shawn Looker (slooker) | 20 comments Hrm, that's where I'm confused. I'm not using an OAuth interface, I'm just creating the urls and sending them myself.

When you send just the URI it's definitely not sending just the plain URI, but I don't know what it's actually appending to it.

I tried getting the Oauth libraries in Objective C to work, but I couldn't get them to, unfortunately.

message 7: by Ben (new)

Ben Weiner (lostinpatterns) | 24 comments You've probably seen them, but there are a couple Objective-C libraries at

It will probably be difficult to do the signing yourself. If you use a test server, it'll give you more information for debugging which parts of your request are incorrect. There's one here:

Also, make sure to use HMAC-SHA1 to sign your requests.

Are you able to get a request token and access token, but you're just having trouble when using the access token to make a call to auth.user?

message 8: by Shawn (new)

Shawn Looker (slooker) | 20 comments Well, I've gotten everything working, so far. I've gotten the request token and the access token, it's just when making the call to auth.user that I'm having trouble.

Also, should it be auth.user or auth_user ?

And yes, I've looked at the Objective C libraries for Oauth. One is for mac and not iphone, and the other that is for iphone is unfortunately not working with the newest version of the SDK. I've posted a question about it, but I've not gotten a response back yet.

message 9: by Ben (new)

Ben Weiner (lostinpatterns) | 24 comments You should send a GET to

Are you able to access any of the other OAuth protected methods?

message 10: by Shawn (last edited Sep 03, 2009 12:53PM) (new)

Shawn Looker (slooker) | 20 comments Hmm... I don't know that I've tried any of the other OAuth protected methods.

And that is the url I've been trying...

message 11: by Shawn (new)

Shawn Looker (slooker) | 20 comments I've just tried updating my user_status, but I'm afraid that I'm using the wrong url, as I'm not even getting an oauth error, but a page not found error.

I'm trying to use the userstatus page using the variables they say are required, but no amount of messing with key, token, oauth_token, etc helps... I always get page not found.

This seems to happen with any of the OAuth protected urls. Am I just using the wrong urls?

message 12: by Ben (new)

Ben Weiner (lostinpatterns) | 24 comments For user status you should send a POST request to with the required oauth methods sent in the header.

I'll make a note to clarify the HTTP method that should be sent with each request.

message 13: by Shawn (last edited Sep 03, 2009 01:45PM) (new)

Shawn Looker (slooker) | 20 comments Woops, I've been trying to GET. So the problem with auth_user still remains, but I'll try a post request to user_status.xml to see if it works.

I'll have to see how to send the required oauth methods in the header, as I'm not horribly familiar with it. That's probably why my auth_user is not succeeding as well, because I've been trying to submit the oauth info as part of the get, as opposed to doing it as part of the header.

message 14: by Shawn (last edited Sep 06, 2009 01:34PM) (new)

Shawn Looker (slooker) | 20 comments Okay... I've been trying to do this in perl where there are working perl modules that do the oauth for me so I can make sure I'm doing it right. I'm still trying to just call the auth_user method. I've gotten the token, authenticated and gotten the oauth_token back after authorizing, but I'm still getting Invalid OAuth Request whenever I try and do auth_user.

Here's what my dumper of the request turns out:

$VAR1 = bless( {
'_content' => '',
'_uri' => bless( do{\(my $o = '')}, 'URI::http' ),
'_headers' => bless( {
'authorization' => 'OAuth realm="", oauth_consumer_key="", oauth_nonce="92533586002c57d9b3ff", oauth_signature="pUYKHxuOiMWOs6ikKJuRdLwKJk8%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1252268870", oauth_token="XBxYgtxURZogEcPlzUJNxQ", oauth_version="1.0"'
}, 'HTTP::Headers' ),
'_method' => 'GET'
}, 'HTTP::Request' );

(I've obviously changed my consumer key, though I don't know if that part needs to be kept secret)...

What am I doing wrong here? I really just seem to be going around in circles over and over again.

p.s. if I go to it pulls up the list of my friends with no problems. So it's just oauth I'm still having trouble with.

message 15: by Shawn (new)

Shawn Looker (slooker) | 20 comments Anyone have any ideas what I'm doing wrong with OAuth? I'm going to try it with php this week and see if I can get it going.

message 16: by Shawn (new)

Shawn Looker (slooker) | 20 comments Any ideas what I'm missing here?

message 17: by Travis (new)

Travis Fischer | 5 comments I had problems with this back in the day and I don't think it's a problem on your end. There were several of us who consistently had problems with the user_id call on multiple different platforms with no luck and no response from GR staff.

I'd recommend hard-coding things to your user id and keep developing, then come back to it. That's what I did before I abandoned my project (iPhone app - iffy for potential violations of Amazon's ToS).

Good luck.

message 18: by Ben (new)

Ben Weiner (lostinpatterns) | 24 comments You can remove the optional realm param. Your lib may do this for you, but you may want to capitalize the Authorization header too. Other than that what you have looks correct and it looks like you're sending a GET to /api/auth_user on the host Here's what my Authorization header I just generated looks like:

OAuth oauth_nonce="1dBVYI3kxkRk3OEV3Y62T4dKHhWKCVDrED8gTW8Mg",

BTW, the library I'm using is the OAuth Ruby gem, version 0.3.4. (

message 19: by Shawn (new)

Shawn Looker (slooker) | 20 comments Hrm, interesting. The "authorization" is automatically added by my perl library so maybe I need to try a different one. Since I can't get any of the Objective C classes to work, I'm mainly just trying to get something working so I have a definitively working example to go from. I'll try the Ruby gem.

thanks. :)

message 20: by Shawn (new)

Shawn Looker (slooker) | 20 comments Woohoo! I have it working from Ruby. Now I just have to translate that to Objective C.

So how did you look at your Authorization header in Ruby? (Sorry, I'm not normally a ruby person)

I used pp @access_token before I did @access_token.get "/api/auth_user" but it didn't have most of that information.

message 21: by Ben (new)

Ben Weiner (lostinpatterns) | 24 comments Awesome! :) I was just looking at my localhost server logs to get the headers.

There's a bit of code to dig through, but you can probably place some debugging statements if you edit the oauth gem code. You may want to start with the request method (around line 116) of the OAuth::Consumer class.

message 22: by Shawn (new)

Shawn Looker (slooker) | 20 comments Thanks, I'll take a look. I was trying to get it out of @access_token.consumer.http but it doesn't seem to be working for me... I'm using this tutorial and this got me working... just have to backtrack from there now.

message 23: by Shawn (new)

Shawn Looker (slooker) | 20 comments Can you send someone to a mobile page, or does it have to be to the nonmobile goodreads page for authorizing access?

message 24: by Michael (new)

Michael Economy (michaeleconomy) I've got a bug to do that, but it may take us a little while.

message 25: by Shawn (new)

Shawn Looker (slooker) | 20 comments Okay. Still trying to get OAuth working in Objective C, so it's not like it's any rush, on my side at least.

message 26: by Mike (last edited Jul 09, 2010 09:13AM) (new)

Mike Daly (youdonotexist) | 5 comments
"Can you send someone to a mobile page, or does it have to be to the nonmobile goodreads page for authorizing access?"

Has there been any progress on this? This would be good for those of us who are trying to do OAuth on iPhone and Android browsers.

Also, would it be possible to add a callback when the user denies OAuth access?

Also, Shawn, if you're still having trouble, I was able to get the OAuth Objective-C library working and added a UIWebView in-app, so it doesn't require opening up Safari. I could send you the changes I made. (Even though your post is a year old. :P)


message 27: by Casper (new)

Casper Gasper (caspergasper) | 32 comments +1 for a mobile version of the authorizing access page, although I think it's developers who'd really see the benefit -- users only need to grant access once, we have to test the thing a hundred times :-)


message 28: by Michael (new)

Michael Economy (michaeleconomy) One of our developers is working on a new version right now! Stay tuned.

message 29: by Kale (new)

Kale Mcnaney | 4 comments Hi All,

With the latest release you can supply a mobile=1 query string parameter and it will render the mobile version of the sign in page if the client is identified as a mobile device. If you are testing in a browser, I recommend you use the user agent switcher for firefox (

Example of the new query string param:


Once authenticated, the subsequent oauth authorization page will also be rendered using the mobile layout.

The latest release also supports a callback when access is denied. If you supply the oauth_callback parameter, we will redirect the user to that URL upon approval or denial of the oauth rights. The oauth_callback param value must not contain any query string params. We will append 2 query string parameters to give your app context. They are oauth_token and authorize. oauth_token is the token used to initiate the request and authorize tells you if the user accepted or declined access - 1 and 0, respectively. FYI, if the user declines oauth rights to your app the token is invalidated so it's useless on future

As always, feedback welcome!

Happy coding.
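
Added example, not part of the original post and not Goodreads code: one way a client could handle the oauth_callback redirect described in message 29, accepting the appended oauth_token and authorize parameters only when the token is one that the same browser session requested. The callback URL, the session ids and the in-memory pending store are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit


def handle_callback(callback_url, session_id, pending):
    """Classify one hit on the oauth_callback URL.

    pending maps request token -> id of the browser session that started
    the flow (hypothetical in-memory store). Returns (status, token) where
    status is "approved", "denied" or "rejected".
    """
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    tokens = query.get("oauth_token", [])
    decisions = query.get("authorize", [])
    # Exactly one value per parameter; repeated parameters are ambiguous.
    if len(tokens) != 1 or len(decisions) != 1:
        return ("rejected", None)
    token, decision = tokens[0], decisions[0]
    # The post defines only two values: 1 (accepted) and 0 (declined).
    if decision not in ("0", "1"):
        return ("rejected", None)
    # The token must be one this session asked for and is still waiting on;
    # otherwise the redirect was replayed or crafted by someone else.
    if token not in pending or pending[token] != session_id:
        return ("rejected", None)
    del pending[token]  # a request token is handled once
    if decision == "0":
        # Declined: the post says the token is invalidated, so drop it.
        return ("denied", None)
    # Accepted: the caller may now exchange the token for an access token.
    return ("approved", token)


if __name__ == "__main__":
    # Constructed sample data, not real tokens.
    store = {"reqtok-A": "sess-1"}
    url = "https://app.example/cb?oauth_token=reqtok-A&authorize=1"
    print(handle_callback(url, "sess-1", store))
    print(handle_callback(url, "sess-1", store))  # replay of the same redirect
```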

message 30: by Casper (new)

Casper Gasper (caspergasper) | 32 comments Thanks for this -- however, on small screens like a G1 the Allow and Deny access buttons overlap.


message 31: by Mike (new)

Mike Daly (youdonotexist) | 5 comments Amazing. Thanks again for a quick reply and an even quicker implementation. Everything is working perfectly (minus one caveat).

I'm seeing the overlapping Allow/Deny buttons on the iPhone 4, same as Casper.

Beyond that, thanks for getting this functionality in. It really helps to tie in GoodReads integration into our app.

message 32: by Kale (new)

Kale Mcnaney | 4 comments Good catch, a fix for the overlapping buttons just went out. Let us know if you spot anything else!

message 33: by Paul (new)

Paul (p4ul) | 4 comments Hi,
I have been trying for a couple of hours but can't seem to get a user id from the api.

I am calling the url:

using GET

And I am sending the following header:

OAuth realm="",
oauth_consumer_key="MY CONSUMER KEY",

I have also tried sending it without
OAuth realm=""

any ideas on how to fix it would be much appreciated!

Cheers, Paul

message 34: by Brian (new)

Brian (bper) | 24 comments What're you getting in response to the auth_user GET? An "Invalid OAuth request"?

Are you sure the OAuth authentication is succeeding, you're pulling an access token out of the authentication response and everything?

Wondering a bit about your %2F and %3D in your signature as well...those look like / and = characters getting url encoded (to tell you the truth, not sure if the signature should be escaped or not).

Sounds like maybe you're rolling your own OAuth code. What language are you using? Not interested in using an existing lib out there? (or not able to?)
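
Added example, not code from any poster or from Goodreads: a minimal Python sketch of the OAuth 1.0 HMAC-SHA1 signing that the libraries mentioned in this thread perform, showing how the base64 characters /, + and = of a signature come to appear as %2F, %2B and %3D inside the Authorization header. The URL, keys and expected signature are the worked example from the appendix of the OAuth Core 1.0 specification, not Goodreads values; default-port stripping and form-encoded body parameters are left out.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """Percent-encode as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay."""
    return quote(value, safe="-._~")


def signature_base_string(method, url, oauth_params):
    parts = urlsplit(url)
    # Base URL: lowercase scheme and host, path kept, query string removed.
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query parameters and oauth_* parameters are signed together;
    # realm and oauth_signature never enter the base string.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("realm", "oauth_signature")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    # Key is both secrets joined by "&"; the "&" stays even with no token.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def authorization_header(method, url, oauth_params, consumer_secret,
                         token_secret=""):
    params = dict(oauth_params)
    params["oauth_signature"] = sign(method, url, params,
                                     consumer_secret, token_secret)
    # Every header value is percent-encoded, the signature included.
    return "OAuth " + ", ".join(
        f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))


# Sample values from the OAuth Core 1.0 specification appendix.
SPEC_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SPEC_CONSUMER_SECRET = "kd94hf93k423kf44"
SPEC_TOKEN_SECRET = "pfkkdhi9sl3r4s00"
SPEC_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    print(signature_base_string("GET", SPEC_URL, SPEC_PARAMS))
    print(authorization_header("GET", SPEC_URL, SPEC_PARAMS,
                               SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET))
```

Printing the base string from a hand-rolled client and comparing it with what a known-good library produces is usually the quickest way to find which component of a request was encoded or ordered differently.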

message 35: by Paul (new)

Paul (p4ul) | 4 comments Yeah I'm getting 'Invalid OAuth request'

Other requests seem to work fine.

It's in python I'm using

I will check out the encoding of %2F and %3D

message 36: by Brian (new)

Brian (bper) | 24 comments So just to confirm:
- you're seeing successful OAuth authentications
- you can hit other calls using OAuth successfully
- you can hit another OAuth API call with an access token (succeeds), then try the very same access token (and same other OAuth params) and the auth_user API fails?

Which specific API calls using OAuth are successful for you?

I'm not seeing very many cases that result in 'Invalid OAuth request' other than an invalid signature...but if you've got other requests working with that same token, I find it a little hard to believe your signature is to blame (it would have to always generate an error-prone signature for a single API call regardless of payload). So I'm intrigued.

message 37: by Karsten (new)

Karsten (strobaek) | 37 comments This thread has been dead for some time, but I have some problems with obtaining the user id, so I'll try here.

I know my oauth is working for I can request both updates/friends.xml(GET) and review/list.xml(POST), however when I try to request api/auth_user the Response.Content is " " and HttpStatus is NotAcceptable.

Looking at the documentation - which could really be a lot better - it does not look like you have to add any extra parameters in the call to api/auth_user. Is this correct?

Help would be most appreciated.

message 38: by Louise (new)

Louise | 36 comments Hi Karsten, you're correct that you should not need to provide any other parameters when doing a GET on api/auth_user

How are you signing your request? If you're using a third party OAuth library, which one is it?

This seems strange because if you are able to do a signed request to updates/friends.xml and get a result, I would expect that auth_user should work fine for you also.

message 39: by Karsten (new)

Karsten (strobaek) | 37 comments I'm using RestSharp for Windows Phone. Works fine otherwise, it is the auth_user call I'm having issues with.

message 40: by Michael (new)

Michael Economy (michaeleconomy) If you've already done updates/friends, I think that requires auth_user to have already been done (I think), perhaps that was provided by your framework???

message 41: by Karsten (new)

Karsten (strobaek) | 37 comments I have hardcoded my userId in the call to updates/friends as I cannot get the auth_user call to work.

message 42: by Louise (new)

Louise | 36 comments Karsten, when you authenticate with RestSharp, can you parse the response string? Something like this?

var qs = HttpUtility.ParseQueryString(response.Content);
var oauth_token = qs["oauth_token"];
var oauth_token_secret = qs["oauth_token_secret"];
var user_id = qs["user_id"];

I'm wondering if you can get the user_id that way.

message 43: by Karsten (new)

Karsten (strobaek) | 37 comments Hi Louise, This is the code:

var request = new RestRequest("oauth/access_token", Method.POST);
client.Authenticator = OAuth1Authenticator.ForAccessToken(key, secret,

I got the App.Req_oauth_token and the App.Req_oauth_token_secret from the login page.

I then call client.ExecuteAsync(request, response =>

In this response I get a (new) oauth_token and oauth_token_secret.

request = new RestRequest("api/auth_user", Method.GET);
client.Authenticator = OAuth1Authenticator.ForProtectedResource(
key, secret, oauth_token, oauth_token_secret);
client.ExecuteAsync(request, restRes => {...}

It is this second call that fails.

message 44: by Louise (new)

Louise | 36 comments With the new oauth_token and secret you get from the oauth/access_token request, you can do this (get friend updates) successfully, right?

request = new RestRequest("updates/friends", Method.GET);
client.Authenticator = OAuth1Authenticator.ForProtectedResource(
key, secret, oauth_token, oauth_token_secret);
client.ExecuteAsync(request, restRes => {...}

What happens if you do the api/auth_user call using your old token and secret (the one you pass into oauth/access_token)?

message 45: by Karsten (new)

Karsten (strobaek) | 37 comments Yes, I can do the call to updates/friends without any problems.

If I call api/auth_user with the old token and secret I get Invalid OAuth Request.

message 46: by Robert (new)

Robert (lathanh) | 14 comments Hi Karsten,

It appears that RestSharp supports cookies, saying "any cookies set or unset in responses will be used in subsequent requests." Also, our server (incorrectly) allows some requests, including 'updates/friends' to authenticate by cookie (which we will fix). So, I suspect that your call to 'update/friends' after 'oauth/access_token' only works because of cookies. If so, that would mask any issues you might be having with properly signing requests with some calls. Can you try to determine whether cookies are affecting your calls?


message 47: by Karsten (new)

Karsten (strobaek) | 37 comments Hi Robert,

First, no cookies are sent in any of the requests. I can see that you send a _session_id cookie back.

Some output from Fiddler when trying to call /api/auth_user.

I first call /oauth/request_token. I log in and get the oauth_token back. I actually get it back 4 times where the first one is different from the last 3. It may have something to do with the redirect to the login page.

I then POST /oauth/access_token and get the oauth_token and oauth_token_secret back.

I then call /api/auth_user with the following Authorization Header:
OAuth oauth_consumer_key="",oauth_nonce="m45hj3o9ftmarmwi",oauth_signature="WSt9eZZQ0YS3VW9hXOjJd4DhhQQ%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1332877120",oauth_token="STyGQmvHvjMONRr3Cdxg",oauth_version="1.0"

The response to this is 406: Not Acceptable.

The call to /updates/friends.xml is the same except for the value of oauth_nonce (and timestamp of course).

I am somewhat at a loss here so any help would be great.

message 48: by Karsten (new)

Karsten (strobaek) | 37 comments I switched from RestSharp to ReactiveOAuth and I'm now able to get the userId.

message 49: by Louise (new)

Louise | 36 comments Great news!

message 50: by Austen (new)

Austen | 3 comments I'm having a similar issue with Node.js.

I've set up OAuth which works in other calls I've done to the API (such as adding a book to a shelf). However, when I try to get the user id of the OAuthed user, I get the following response:

statusCode: 401, data: 'Invalid OAuth Request'

Here is the code for the request:

oa.get('', this.options.accessToken,
this.options.accessSecret, callback);
