Goodreads Developers discussion
    How to get User ID?
    
  
   Hey Shawn -
      Hey Shawn -Don't know if this helps, I've been working in PHP. But I had the same problem (always getting an Invalid Auth) until I called the auth_user URI with a signed request:
$id = 1;
$uri = 'http://www.goodreads.com/api/auth_use...
$req = new OAuthRequester('$uri", 'GET', array());
$result = $req->doRequest($id);
Then examine the body of the result.
 But how do you sign the request? I've tried with my key (as key), my secret key (as secret, oauth_secret) and my oauth_token I got after authorizing (as token, oauth_token). In your example, what is array()? What arguments are you passing with the URI?
      But how do you sign the request? I've tried with my key (as key), my secret key (as secret, oauth_secret) and my oauth_token I got after authorizing (as token, oauth_token). In your example, what is array()? What arguments are you passing with the URI?
     Shawn wrote: "But how do you sign the request? I've tried with my key (as key), my secret key (as secret, oauth_secret) and my oauth_token I got after authorizing (as token, oauth_token). In your example, what..."
      Shawn wrote: "But how do you sign the request? I've tried with my key (as key), my secret key (as secret, oauth_secret) and my oauth_token I got after authorizing (as token, oauth_token). In your example, what..."No parameters are sent in the URI (so there's no ?key=something or anything like that) -- it's just the plain $uri as indicated above.Any time I try to retrieve that URL with, say, curl, I got the "Invalid OAuth" message. But with the OAuth interface, it works.
As I understand it, when you first set up the OAuth session, the tokens are stored (in the case of oauth-php, it's in a MySQL database). Then when you issue a request, it uses the previously stored information to sign it.
In my example, the third argument needs to be an array, and so all I'm doing there is sending an empty array. After looking at the oauth-php library I believe you could omit it and instead do:
$req = new OAuthRequester('$uri", 'GET');
 Hrm, thats where I'm confused. I'm not using an Oauth interface, I'm just creating the urls and sending them myself.
      Hrm, thats where I'm confused. I'm not using an Oauth interface, I'm just creating the urls and sending them myself. When you send just the URI its definitely not sending just the plain URI, but I don't know what its actually appending to it.
I tried getting the Oauth libraries in Objective C to work, but I couldn't get them to, unfortunately.
 You've probably seen them, but there are a couple Objective-C libraries at http://oauth.net/code.
      You've probably seen them, but there are a couple Objective-C libraries at http://oauth.net/code.It will probably be difficult to do the signing yourself. If you use a test server, it'll give you more information for debugging which parts of your request are incorrect. There's one here: http://term.ie/oauth/example/
Also, make sure to use HMAC-SHA1 to sign your requests.
Are you able to get a request token and access token, but you're just having trouble when using the access token to make a call to auth.user?
 Well, I've gotten everything working, so far. I've gotten the request token and the access token, its just when making the call to auth.user that I'm having trouble.
      Well, I've gotten everything working, so far. I've gotten the request token and the access token, its just when making the call to auth.user that I'm having trouble.Also, should it be auth.user or auth_user ?
And yes, I've looked at the Objective C libraries for Oauth. One is for mac and not iphone, and the other that is for iphone is unfortunately not working with the newest version of the SDK. I've posted a question about it, but I've not gotten a response back yet.
 You should send a GET to http://www.goodreads.com/api/auth_user
      You should send a GET to http://www.goodreads.com/api/auth_user Are you able to access any of the other OAuth protected methods?
 Hmm... I don't know that I've tried any of the other OAuth protected methods.
      Hmm... I don't know that I've tried any of the other OAuth protected methods.And that is the url I've been trying...
 I've just tried updating my user_status, but I'm afraid that I'm using the wrong url, as I'm not even getting an oauth error, but a page not found error.
      I've just tried updating my user_status, but I'm afraid that I'm using the wrong url, as I'm not even getting an oauth error, but a page not found error.I'm trying to use a the userstatus page using the variables they say are required, but no amount of messing with key, token, oauth_token, etc help... I always get page not found.
This seems to happen with any of the OAuth protected urls. Am I just using the wrong urls?
 For user status you should send a POST request to http://www.goodreads.com/user_status.xml with the required oauth methods sent in the header.
      For user status you should send a POST request to http://www.goodreads.com/user_status.xml with the required oauth methods sent in the header. I'll make a note to clarify the HTTP method that should be sent with each request.
 Woops, I've been trying to GET. So the problem with auth_user still remains, but I'll try a post request to user_status.xml to see if it works.
      Woops, I've been trying to GET. So the problem with auth_user still remains, but I'll try a post request to user_status.xml to see if it works.I'll have to see how to send the required oauth methods in the header, as I'm not horribly familiar with it. Thats probably why my auth_user is not succeeding as well, because I've been trying to submit the oauth info as part of the get, as opposed to doing it as part of the header.
 Okay... I've been trying to do this in perl where there are working perl modules that do the oauth for me so I can make sure I'm doing it right. I'm still trying to just call the auth_user method. I've gotten the token, authenticated and gotten the oauth_token back after authorizing, but I'm still getting Invalid OAuth Request whenever I try and do auth_user.
      Okay... I've been trying to do this in perl where there are working perl modules that do the oauth for me so I can make sure I'm doing it right. I'm still trying to just call the auth_user method. I've gotten the token, authenticated and gotten the oauth_token back after authorizing, but I'm still getting Invalid OAuth Request whenever I try and do auth_user.Here's what my dumper of the request turns out:
$VAR1 = bless( {
'_content' => '',
'_uri' => bless( do{\(my $o = 'http://www.goodreads.com/api/auth_user')}, 'URI::http' ),
'_headers' => bless( {
'authorization' => 'OAuth realm="http://www.goodreads.com", oauth_consumer_key="", oauth_nonce="92533586002c57d9b3ff", oauth_signature="pUYKHxuOiMWOs6ikKJuRdLwKJk8%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1252268870", oauth_token="XBxYgtxURZogEcPlzUJNxQ", oauth_version="1.0"'
}, 'HTTP::Headers' ),
'_method' => 'GET'
}, 'HTTP::Request' );
(I've obviously changed my consumer key, though I don't know if that part needs to be kept secret)...
What am I doing wrong here? I really just seem to be going around in circles over and over again.
p.s. if I go to http://www.goodreads.com/api/friends/... it pulls up the list of my friends with no problems. So its just oauth I'm still having trouble with.
 Anyone have any ideas what I'm doing wrong with OAuth? I'm going to try it with php this week and see if I can get it going.
      Anyone have any ideas what I'm doing wrong with OAuth? I'm going to try it with php this week and see if I can get it going.
     I had problems with this back in the day and I don't think it's a problem on your end. There were several of us who consistently had problems with the user_id call on multiple different platforms with no luck and no response from GR staff.
      I had problems with this back in the day and I don't think it's a problem on your end. There were several of us who consistently had problems with the user_id call on multiple different platforms with no luck and no response from GR staff.I'd recommend hard-coding things to your user id and keep developing, then come back to it. That's what I did before I abandoned my project (iPhone app - iffy for potential violations of Amazon's ToS).
Good luck.
 You can remove the optional realm param. Your lib may do this for you, but you may want to capitalize the Authorization header too. Other than that what you have looks correct and it looks like you're sending a GET to /api/auth_user on the host www.goodreads.com. Here's what my Authorization header I just generated looks like:
      You can remove the optional realm param. Your lib may do this for you, but you may want to capitalize the Authorization header too. Other than that what you have looks correct and it looks like you're sending a GET to /api/auth_user on the host www.goodreads.com. Here's what my Authorization header I just generated looks like:OAuth oauth_nonce="1dBVYI3kxkRk3OEV3Y62T4dKHhWKCVDrED8gTW8Mg",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1252533799",
oauth_consumer_key="",
oauth_token="2oXhv8bIfXQQuUb0sokG0w",
oauth_signature="eXu52TuYL%2BZ2YmUCQ3uX3PhsCrg%3D",
oauth_version="1.0"
BTW, the library I'm using is the OAuth Ruby gem, version 0.3.4. (http://github.com/mojodna/oauth/tree/...)
 Hrm, interesting. The "authorization" is automatically added by my perl library so maybe I need to try a different one. Since I can't get any of the Objective C classes to work, i'm mainly just trying to get something working so I have a definitively working example to go from. I'll try the Ruby gem.
      Hrm, interesting. The "authorization" is automatically added by my perl library so maybe I need to try a different one. Since I can't get any of the Objective C classes to work, i'm mainly just trying to get something working so I have a definitively working example to go from. I'll try the Ruby gem. thanks. :)
 Woohoo! I have it working from Ruby. Now I just have to translate that to Objective C.
      Woohoo! I have it working from Ruby. Now I just have to translate that to Objective C.So how did you look at your Authorization header in Ruby? (Sorry, I'm not normally a ruby person)
I used pp @access_token before I did @access_token.get "/api/auth_user" but it didn't have most of that information.
 Awesome! :) I was just looking at my localhost server logs to get the headers.
      Awesome! :) I was just looking at my localhost server logs to get the headers. There's a bit of code to dig through, but you can probably place some debugging statements if you edit the oauth gem code. You may want to start with the request method (around line 116) of the OAuth::Consumer class.
 Thanks, I'll take a look. I was trying to get it out of @access_token.consumer.http but it doesn't seem to be working for me... I'm using this tutorial and this got me working... just have to backtrack from there now.
      Thanks, I'll take a look. I was trying to get it out of @access_token.consumer.http but it doesn't seem to be working for me... I'm using this tutorial and this got me working... just have to backtrack from there now.http://stakeventures.com/articles/200...
 Can you send someone to a mobile page, or does it have to be to the nonmobile goodreads page for authorizing access?
      Can you send someone to a mobile page, or does it have to be to the nonmobile goodreads page for authorizing access?
     Okay. Still trying to get OAuth working in Objective C, so its not like its any rush, on my side at least.
      Okay. Still trying to get OAuth working in Objective C, so its not like its any rush, on my side at least.
     
      "Can you send someone to a mobile page, or does it have to be to the nonmobile goodreads page for authorizing access?"
Has there been any progress on this? This would be good for those of us who are trying to do OAuth on iPhone and Android browsers.
Also, would it be possible to add a callback when the user denies OAuth access?
Also, Shawn, if you're still having trouble, I was able to get the OAuth Objective-C library working and added a UIWebView in-app, so it doesn't require opening up Safari. I could send you the changes I made. (Even though your post is a year old. :P)
Thanks,
Mike
 +1 for a mobile version of the authorizing access page, although I think it's developers who'd really see the benefit -- users only need to grant access once, we have to test the thing a hundred times :-)
      +1 for a mobile version of the authorizing access page, although I think it's developers who'd really see the benefit -- users only need to grant access once, we have to test the thing a hundred times :-)Casper.
 Hi All,
      Hi All,With the latest release you can supply a mobile=1 query string
parameter and it will render the mobile version of the sign in page if the client is identified as a mobile device. If you are testing in a browser, I recommend you use the user agent switcher for firefox (https://addons.mozilla.org/en-US/fire...).
Example of the new query string param:
/oauth/authorize?mobile=1
Once authenticated, the subsequent oauth authorization page will also be rendered using the mobile layout.
The latest release also supports a callback when access is denied. If
you supply the oauth_callback parameter, we will redirect the user to
that URL upon approval or denial of the oauth rights. The
oauth_callback param value must not contain any query string params. We will
append 2 query string parameters to give your app context. They are
oauth_token and authorize. oauth_token is the token used to initiate
the request and authorize tells you if the user accepted or declined
access - 1 and 0, respectively. FYI, If the user declines oauth rights
to your app the token is invalidated so its useless on future
requests.
As always, feedback welcome!
Happy coding.
 Thanks for this -- however, on small screens like a G1 the Allow and Deny access buttons overlap.
      Thanks for this -- however, on small screens like a G1 the Allow and Deny access buttons overlap.Casper.
 Amazing. Thanks again for a quick reply and an even quicker implementation. Everything is working perfectly (minus one caveat).
      Amazing. Thanks again for a quick reply and an even quicker implementation. Everything is working perfectly (minus one caveat). I'm seeing the overlapping Allow/Deny buttons on the iPhone 4, same as Casper.
Beyond that, thanks for getting this functionality in. It really helps to tie in GoodReads integration into our app.
 Hi,
      Hi, I have been trying for a couple of hours but can't seem to get a user id from the api.
I am calling the url:
http://www.goodreads.com/api/auth_user
using GET
And I am sending the following header:
Authorization:
OAuth realm="http://www.goodreads.com",
oauth_nonce="63883882xxxxxxx",
oauth_timestamp="1302229210",
oauth_consumer_key="MY CONSUMER KEY",
oauth_signature_method="HMAC-SHA1",
oauth_version="1.0",
oauth_token="ytevUJ4MEyTrYv7rz16izA",
oauth_signature="i5q7F%2FRTnCrLRCeyOFDkyWVoelw%3D"
I have also tried sending it without
OAuth realm="http://www.goodreads.com"
any ideas on how to fix it would be much appreciated!
Cheers, Paul
 What're you getting in response to the auth_user GET? An "Invalid OAuth request"?
      What're you getting in response to the auth_user GET? An "Invalid OAuth request"?Are you sure the OAuth authentication is succeeding, you're pulling an access token out of the authentication response and everything?
Wondering a bit about your %2F and %3D in your signature as well...those look like / and = characters getting url encoded (to tell you the truth, not sure if the signature should be escaped or not).
Sounds like maybe you're rolling your own OAuth code. What language are you using? Not interested in using an existing lib out there? (or not able to?)
 Yeah I'm getting 'Invalid OAuth request'
      Yeah I'm getting 'Invalid OAuth request'Other requests seem to work fine.
It's in python I'm using https://github.com/simplegeo/python-o...
I will checkout the encoding of %2F and %3D
 So just to confirm:
      So just to confirm:- you're seeing successful OAuth authentications
- you can hit other calls using OAuth successfully
- you can hit another OAuth API call with an access token (succeeds), then try the very same access token (and same other OAuth params) and the auth_user API fails?
Which specific API calls using OAuth are successful for you?
I'm not seeing very many cases that result in 'Invalid OAuth request' other than an invalid signature...but if you've got other requests working with that same token, I find it a little hard to believe your signature is to blame (it would have to always generate an error-prone signature for a single API call regardless of payload). So I'm intrigued.
 This thread has been dead for some time, but I have some problems with obtaining the user id, so I'll try here.
      This thread has been dead for some time, but I have some problems with obtaining the user id, so I'll try here.I know my oauth is working for I can request both updates/friends.xml(GET) and review/list.xml(POST), however when I try to request api/auth_user the Response.Content is " " and HttpStatus is NotAcceptable.
Looking at the documentation - which could really be a lot better - it does not look like you have to add any extra parameters in the call to api/auth_user. Is this correct?
Help would be most appreciated.
 Hi Karsten, you're correct that you should not need to provide any other parameters when doing a GET on api/auth_user
      Hi Karsten, you're correct that you should not need to provide any other parameters when doing a GET on api/auth_userHow are you signing your request? If you're using a third party OAuth library, which one is it?
This seems strange because if you are able to do a signed request to updates/friends.xml and get a result, I would expect that auth_user should work fine for you also.
 I'm using RestSharp for Windows Phone. Works fine otherwise, it is the auth_user call I'm having issues wth.
      I'm using RestSharp for Windows Phone. Works fine otherwise, it is the auth_user call I'm having issues wth.
     If you've already done updates/friends, i think that requires auth_user to have already been done (i think), perhaps that was provided by your framework???
      If you've already done updates/friends, i think that requires auth_user to have already been done (i think), perhaps that was provided by your framework???
     I have hardcoded my userId in the call to updates/friends as I cannot get the auth_user call to work.
      I have hardcoded my userId in the call to updates/friends as I cannot get the auth_user call to work.
     Karsten, when you authenticate with RestSharp, can you parse the response string? Something like this?
      Karsten, when you authenticate with RestSharp, can you parse the response string? Something like this?
qs = HttpUtility.ParseQueryString(response.Content);
var oauth_token = qs["oauth_token"];
var oauth_token_secret = qs["oauth_token_secret"];
var user_id = qs["user_id"];
I'm wondering if you can get the user_id that way.
 Hi Louise, This is the code:
      Hi Louise, This is the code:var request = new RestRequest("oauth/access_token", Method.POST);
client.Authenticator = OAuth1Authenticator.ForAccessToken(key, secret,
App.Req_oauth_token,App.Req_oauth_token_secret);
I got the App.Req_oauth_token and the App.Req_oauth_token_secret from the login page.
I then call client.ExecuteAcync(request, response =>
{...}
In this response I get a (new) oauth_token and oauth_token_secret.
request = new RestRequest("api/auth_user", Method.GET);
client.Authenticator = OAuth1Authenticator.ForProtectedResource(
key, secret, oauth_token, oauth_token_secret);
client.ExecuteAsync(request, restRes => {...}
It is this second call that fails.
 With the new oauth_token and secret you get from the oauth/access_token request, you can do this (get friend updates) successfully, right?
      With the new oauth_token and secret you get from the oauth/access_token request, you can do this (get friend updates) successfully, right?
request = new RestRequest("updates/friends", Method.GET);
client.Authenticator = OAuth1Authenticator.ForProtectedResource(
key, secret, oauth_token, oauth_token_secret);
client.ExecuteAsync(request, restRes => {...}
What happens if you do the api/auth_user call using your old token and secret (the one you pass into oauth/access_token ?
 Yes, I can do the call to updates/friends without any problems.
      Yes, I can do the call to updates/friends without any problems.If I call api/auth_user with the old token and secret I get Invalid OAuth Request.
 Hi Karsten,
      Hi Karsten,It appears that RestSharp supports cookies, saying "any cookies set or unset in responses will be used in subsequent requests." Also, our server (incorrectly) allows some requests, including 'updates/friends' to authenticate by cookie (which we will fix). So, I suspect that your call to 'update/friends' after 'oauth/access_token' only works because of cookies. If so, that would mask any issues you might be having with properly signing requests with some calls. Can you try to determine whether cookies are affecting your calls?
Cheers,
~Robert
 Hi Robert,
      Hi Robert,First, no cookies are send in any of the requests. I can see what you send a _session_id cookie back.
Some output from Fiddler when trying to to /api/auth_user.
I first call /oauth/request_token I log in and get the oauth_token back. I actually get it back 4 times where the first one is different from the last 3. It may have something to do with the redirect to the login page.
I then POST /oauth/access_token and get the oauth_token and oauth_token_secret back.
I then call /api/auth_user with the following Authorization Header:
OAuth oauth_consumer_key="",oauth_nonce="m45hj3o9ftmarmwi",oauth_signature="WSt9eZZQ0YS3VW9hXOjJd4DhhQQ%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1332877120",oauth_token="STyGQmvHvjMONRr3Cdxg",oauth_version="1.0"
The reponse to this is 406: Not Acceptable.
The call to /updates/friends.xml is the same except for the value of oauth_nonce (and timestamp of course).
I am somewhat at a loss here so any help would be great.
 I'm having a similar issue with Node.js.
      I'm having a similar issue with Node.js.I've set up OAuth which works in other calls I've done to the API (such as adding a book to a shelf). However, when I try to get the user id of the OAuthed user, I get the following response:
statusCode: 401, data: 'Invalid OAuth Request'
Here is the code for the request:
oa.get('https://www.goodreads.com/api/auth_user', this.options.accessToken,
this.options.accessSecret, callback);



 
I've finally gotten my Oauth working correctly... from a browser I can do lots of wonderful things, but what I'm really not sure how to do is just to get the user id of the user that signed in via Oauth. Without that, its hard to do anything else for that user.
I've seen that there is a auth_user call, but there's not much data on how to use it, and I'm not sure how to use it myself. Can anyone please shed some light on how to use this call? No matter what I do, I get Invalid Oauth.