Signature method in Python librairy

[nvalaise]

Hello all!

First time I use the python library to do a PoC with https://github.com/jesseward/discogs-oauth-example/blob/master/discogs_client_example.py

So, I started with the following issue :

discogs_client.exceptions.AuthorizationError: 401: Could not get request token. Response: b"Invalid signature. Expected signature base string ..."

Therfore, I change a bit of code in client.py to keep the consumer_secret in the Client class, so that I was able to call quickly it in the get_authorize_url function :

params['oauth_signature_method'] = 'PLAINTEXT'
params['oauth_signature'] = self.consumer_secret + '&'

Indeed, the default signature method was HMAC-SHA1 and regarding the documentation it isn't what is advised (https://www.discogs.com/developers#page:authentication,header:authentication-oauth-flow)

Have you ever have this issue ? Am I right with this workaround ? Or is there another way to fix it properly ?

Best,
Nico

[AnssiAhola]

Hey @nvalaise

Unfortunately I couldn't reproduce that error on my end,
did you use that discogs_client_example.py as is or did you modify it in any way?

You are right, the default signature method should be PLAINTEXT in the client
but the oauth client (oauthlib) this package uses, uses HMAC-SHA1 by default,
if you'd like to submit a pull request correcting this, you are more than welcome. 😄

Regarding the oauth_signature and keeping the consumer_secret in the Client class,
I don't think it is necessary if the signature method is set as PLAINTEXT
as oauthlib will sign it automatically based on the signature method. See here

@JOJ0 and @alifhughes , any thoughts?

[JOJ0]

Hi @nvalaise,
I recently published / reworked some docs about OAuth. I also worked through it step by step and tested it. So maybe the described workflow here works with your use-case as well: https://python3-discogs-client.readthedocs.io/en/latest/authentication.html#oauth-authentication

I am sorry to say that I didn't find the time to really think through what you are trying todo.
HTH anyway :-)