Goodreads Developers discussion

Hi, I am trying to post a create topic request but it doesn't seem to be working for me. Can you let me know what is the correct way to send this request? Are the parameters correct here? (I included the key as well, not posted here)

https://www.goodreads.com/topic.xml?t...'

Please let me know.

Hi, can anyone tell me what should be the correct url format so I can post a topic via goodreads api.

Hi Ankit, how are you submitting the request? You need to use OAuth for that api, and from the URL you posted it looks like you aren't.

I am using OAuth while sending the request. The problem is I am unable to frame the correct url as the documentation is not so clear. I have posted the url but it doesn't seem correct to me.Can you give me an example so I can have a look.

over the years I have seen many errors caused by the square brackets in the params. So I would watch that. For instance, when we developed the official Android app I remembered we had to use a special patched version of a Java OAuth library.

About the docs: please let me know what's not clear for this particular api.

As for an example URL, I'd say it's not really about the URL rather than about request preparation. On our iOS app for instance we submit the request like this:

POST https://www.goodreads.com/topic.xml

for POST requests such as this one, the parameters are not appended in the URL but are added to the body of the request. This is what we send at a minimum:

id=THE_GROUP_ID
type="group"
topic[title]="My topic title"
comment[body]="This is the body of the topic"

Hope this helps.

Hi Ettore,

I am facing another problem with authentication.

I have been working on setting up goodreads third party authentication, but I am unable to recieve access token from it. After I sign in, the request is redirected to oauth/access_token endpoint but I am always getting an 'Invalid OAuth Request' in response. This is the request information -

GET /oauth/access_token HTTP/1.1
Authorization: OAuth oauth_token="value",oauth_consumer_key="value",oauth_nonce="value",oauth_signature_method="value",oauth_signature="value",oauth_version="1.0",oauth_timestamp="value"
User-Agent: DotNetOpenAuth.Core/4.1.4.12333
Host: www.goodreads.com

More detailed message:

{"The remote server returned an error: (401) Unauthorized."}

**Note**: I have replaced actual values of auth parameters to "value" for posting here.

Is there any parameter I am missing while framing this request? Something else I need to check? Please let me know.

Hey Ankit,

Are you still having issues authenticating? I don't see anything wrong with what you provided...I'll ask another developer to take a look

What language/library are you using to authenticate?

Hi Nichole, I fixed the authentication issue. I am using C#/WebPages OAuth + DotNetOpenAuth to implement this.

nice to hear! what was the problem, Ankit?

The issue was that I was using AuthenticationOnlyCookieOAuthTokenManager instead of InMemoryOAuthTokenManager (responsible for exchanging oauth token with access token). Changed it, and it worked fine.

One more question -

While sending a post request, say for example -

http://www.goodreads.com/group/join?f...

What parameters are to be added to request body? format, id? What about access token ?

Hi Ettore,

Can you please help me on this? I am facing issue with POST requests.

Ankit,

I believe you need to put all of the arguments in the OAuth body in order for the call to work.

POST to https://www.goodreads.com/group/join

and put the id and format parameter with the other OAuth args (like your key).

Hi jeff, thanks for replying. I am posting to the exact same URL.

This is my request body -

id=390&format=xml&key=

This is my request header -

Authorization: OAuth
oauth_consumer_key=,
oauth_nonce=,
oauth_signature=,
oauth_signature_method="HMAC-SHA1",
oauth_timestamp=,
oauth_token=,
oauth_version="1.0"

The secret values are hidden above. But that is the format I am sending the values. Still I keep getting unauthorized. Please tell me what is wrong in this request.

Are any of the Authorization Header values also to be put in request body?

Can you mention all the values as to what parameter goes into header and body etc?

What happens if you take the "key" parameter out of the request body? (and only use the OAuth token to authenticate). Does that change anything?

Still getting unauthorized. This is what I sent.

URL:

https://www.goodreads.com/group/join

Request body:

id=390&format=xml

Auth Header:

Authorization: OAuth

oauth_consumer_key="",
oauth_nonce="",
oauth_signature="",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="",
oauth_token="",
oauth_version="1.0"

Note: oauth_token is the same as access_token I got upon verfication and oauth_consumer_key is my application key.

There should be only ONE way to get this correct, right? I am not sure why is it that a proper solution is not being provided here? It has been a month now!

If you want, I can send you my api key and access token, so you can also try and tell me the solution. Do let me know.

Hey Ankit, we searched the logs for your group/join requests and we couldn't see any problems that jumped out to us. I recommend the following:

- verify that your OAuth token is actually valid. It does look valid from the logs, but please verify that yourself: e.g. can you successfully execute another oauth call?

- make sure ALL the actual params you're sending (in the group.join case it should just be "format" and "id") are part of the request HTTP body (NOT in the URL). Typically the parameters are sent as "key=value" string pairs (e.g.: format=xml) and these pairs need to be URLencoded before being added to the body. Also make sure the "Content-Length" HTTP header to the actual post data length. This stuff is usually taken care of by any OAuth library worth its salt. But it's worth checking.

- make sure the "Content-Type" HTTP header is set to "application/x-www-form-urlencoded". We did see your request being handled as HTML in the logs, which shouldn't happen, so i suspect this is missing?

- likely repeating the obvious, but you need to sign the request with consumer secret and token secret. But note, do NOT send these secrets!

- make sure the timestamp is actual (it can't be too further away from the current time), and that the nonce is not reused for multiple requests.

- make sure you sign the request in full: in particular you need to sign the whole body, the method, the url, nonce, timestamp, signature method, token, oauth version. Again, all this stuff needs to be URL-encoded and the generated string is what needs to be signed.

E.g. this is the string that gets signed in our app for a /group/join request:

POST&https%3A%2F%2Fwww.goodreads.com%2Fgroup%2Fjoin&
format%3Dxml%26id%3DTHE_GROUP_ID%26oauth_consumer_key
%3DYOUR_API_KEY%26oauth_nonce%3DTHE_NONCE%26oauth_signature_method
%3DHMAC-SHA1%26oauth_timestamp%3DTHE_TIMESTAMP%26oauth_token
%3DTHE_ACCESS_TOKEN%26oauth_version%3D1.0

(note there should be no line brakes in the above string)

and the resulting signature is something that looks like this:

XmURa55sunRBV8p3aM7X6QcqC/I=

- verify the "Authorization" HTTP header contains the Oauth info above. E.g. it should contain something like this:

OAuth realm="", oauth_consumer_key="YOUR_API_KEY", oauth_token="THE_ACCESS_TOKEN", oauth_signature_method="HMAC-SHA1", oauth_signature="URL_ENCODED_OAUTH_SIGNATURE", oauth_timestamp="THE_SAME_TIMESTAMP_AS_ABOVE", oauth_nonce="THE_SAME_NONCE_AS_ABOVE", oauth_version="1.0"

Again, any oauth library should do this but it's worth checking.

Also, like Nichole was saying, there's no need to send the "key" param if you are using oauth, since that's already sent as the oauth_consumer_key.

I hope this helps!

- I have tried to comply with your comment and here is the string that is getting signed now -

POST&https%3A%2F%2Fwww.goodreads.com%2Fgroup%2Fjoin&
format%3Dxml%26id%3D1865%26oauth_consumer_key%3DMY_API_KEY%26oauth_nonce%3D8202270%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1423304664%26oauth_token%3DMY_OAUTH_TOKEN%26oauth_version%3D1.0

- This is getting signed by consumer secret and token secret.

- I am also encoding final oauth_signature generated.

- I am sending request to this URL: https://www.goodreads.com/group/join

- I am adding both parameters in request body as key-value pair - format=xml&id=1865. ContentLength is added too.

- I am setting content type to "application/x-www-form-urlencoded".

- Finally, this is my OAuth header -

Authorization: OAuth
realm="", oauth_consumer_key="MY_API_KEY", oauth_nonce="8202270", oauth_signature="vpkAtHnDybB3flb5%2B7hnPbt1HPI%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1423304664",
oauth_token="MY_OAUTH_TOKEN",
oauth_version="1.0"


This has finally worked for me.

I tried another URL and that is also fine. Though this is working for me now, I would recommend you guys to add proper documentation of API and how to handle OAuth for POST requests. It would really help the developers. Thanks!