cblown call me daft but are you not better simply storing the hash output you generated using PHP and setting the variable to that, rather than trying to generate this in FreeMarker?
If the challenge and secret key are unlikely to change then it shouldn't cause any problems. This would also be a bit more secure as the challenge string and secret key are not stored then on the community only the hashed output.
There is cleary something different in the way the hash is genered between PHP and FreeMarker, for example I notice that you wrap the entire code in base64_encode for PHP:
echo base64_encode(hash_hmac('sha256', "the quick brown fox jumps over the lazy dog", base64_decode("12345678901234567890") , true));but don't do the same in FreeMarker, you're only decoding the key:
<#assign signature = utils.digest.hmac("HmacSHA256", utils.base64.decode("12345678901234567890”), "the quick brown fox jumps over the lazy dog") />There could be something in that which we're missing.
The access token expires so we have to hash another challenge each time to get a new token. The Freemarker routine returns base 64 as per the docs so no need to encode it like we do for the php. The php and freemarker agree on the hash, it’s only when we try to pass a byte array to the freemarker (the output from the base 64 decode should be straight binary) The fact I can’t decode and re-encode in Base 64 using Freemarker is somehow related..
