javascript - vector api, 401 http error code, Signature mismatch. Authorization signature or client credential is wrong

Question

I'm trying to use the here maps vector-tiles api. I've received my credentials from developer.here.com. I created an app for HERE SDK for Android or iOS (Lite Edition). I then created credentials, and am using here.access.key.id for my key and here.access.key.secret for my secret.

I'm using the oauth-sign npm package (which as ~14.5MM weekly downloads at the time of writing this question, so I think it should be working properly) with the following code snippet:

import { hmacsign256 } from 'oauth-sign'

export const API_URL = 'https://account.api.here.com/oauth2/token'
export const nonceLength = 2**5

export interface TokenResponse {
  AccessToken: string
  TokenType: string
  ExpiresIn: number
}

export const generateNonce = (length: number): string => {
  let s = ''
  do {
    s += Math.random().toString(36).substr(2)
  } while (s.length < length)
  return s.substr(0, length)
}

export const fetchNewTokenFromAPI = async ({ key, secret }: { key: string, secret: string }): Promise<TokenResponse> => {
  const url = API_URL
  const method = 'POST'
  const body = 'grant_type=client_credentials'
  const auth = {
    oauth_consumer_key: key,
    oauth_nonce: generateNonce(nonceLength),
    oauth_signature_method: 'HMAC-SHA256',
    oauth_timestamp: String(Math.round(new Date().getTime() / 1000)),
    oauth_version: '1.0',
  }

  const sig = encodeURIComponent(hmacsign256(method, API_URL, auth, key, secret))
  const headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Authorization': `OAuth oauth_consumer_key="${auth['oauth_consumer_key']}",oauth_nonce="${auth['oauth_nonce']}",oauth_signature="${sig}",oauth_signature_method="HMAC-SHA256",oauth_timestamp="${auth['oauth_timestamp']}",oauth_version="1.0"`
  }

  const options: RequestInit = {
    method,
    headers,
    body,
    mode: 'cors',
  }

  const response = await fetch(url, options)
  if (response.ok)
    throw new Error(`expected 200 status, received ${response.status}`)

  return await response.json()
}

When I run that function, I recieve the following from the api:

{
  "error": "invalid_client"
  "errorCode": 401300
  "errorId": "ERROR-32e365d0-11ce-4fff-86d7-5ca51970e017"
  "error_description": "errorCode: '401300'. Signature mismatch. Authorization signature or client credential is wrong."
  "httpStatus": 401
  "message": "Signature mismatch. Authorization signature or client credential is wrong."
}

Answer 1

curl -X POST https://account.api.here.com/oauth2/token -H 'Accept: /' -H 'Accept-Encoding: gzip, deflate' -H 'Authorization: OAuth' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'Content-Length: 238' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Host: account.api.here.com' -H 'Postman-Token: xxxxxxxxx’ -H 'User-Agent: PostmanRuntime/7.20.1' -H 'cache-control: no-cache' -d 'grant_type=client_credentials&oauth_consumer_key=xxxx&oauth_signature_method=HMAC-SHA256&oauth_timestamp=1576653105&oauth_nonce=xxx&oauth_version=1.0&oauth_signature=xxx’