Comment 2 for bug 977787

I am currently working on revising the developer site documentation for the authorisation process. Presumably you were following the documentation here:

https://one.ubuntu.com/developer/account_admin/issue_tokens/cloud

Which fails to mention that the email address is no longer required in that call. The new documentation on this process can be found here:

https://one.ubuntu.com/developer/account_admin/auth/otherplatforms

As for the problems you were having with OAuth signatures, I believe that is probably a bug on our side in checking the signatures. I had filed bug 1013126 about this, which I will see about making public.

Removing the email address from the sso-finished-so-get-tokens call means you won't hit the bug on this specific API call, but you might hit it in other places (e.g. the REST files API when manipulating files with certain characters in their name). Switching from OAuth HMAC-SHA1 signatures to PLAINTEXT should avoid the problem in all cases. The API calls are made over a secure connection, so it should offer adequate security.