I found this validator tool on Mashery (http://support.mashery.com/docs/tips_and_tricks/oAuth). Had to run it in a debugger to get the actual value that the signature was being generated from, but now I get matching signatures when compared to my consumer app.

However, I continue to get 401 unauthorized errors from Twitter. And this is for the first step of asking for a request token. I input all my values into the form fields on this "tutorial" page (http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests/), and my signatures match up. Unfortunately, this tutorial skips the very first step of acquiring the request token. I assume I have to sign my request per normal using my public/secret consumer keys, but I just can't nail it down.

One thing that is confusing me is that in the specs (http://oauth.net/core/1.0a/#rfc.section.A.2) the query string example they show does *not* include oauth_token. This makes sense, because this step doesn't need this value. But, every specification I've read for signing your request requires this element be present in the base signing string. What exactly am I supposed to sign for grabbing a request token? I've tried removing oauth_token from the signature and Authorization header, but still get the same result (401 error).

Also - I'm still a little confused as to what I should show for the realm value of the Authorization header. Is it just the domain of the provider, or the full request URL (minus any querystring)?

regards,
Matt

On Jan 27, 2:51 pm, Matt <[email protected]> wrote:
> I am trying to create an OAuth consumer. Instead of testing it
> against my own (likely incorrectly implemented) oauth service
> provider, I decided to test it against an established OAuth provider.
> In this case, Twitter.
>
> My HTTP POST using the Authorization header is getting a 401
> unauthorized response when attempting to get a request token
> from http://twitter.com/oauth/request_token. So, instead of doing a POST
> w/ an Authorization header, I thought I'd just breakpoint my test and
> grab a generated query string instead, and just drop it into my
> browser's URL.
>
> My first question is: will this work (if I sign correctly)? Or is the
> 1.0a spec specific enough that GETs for request tokens are disallowed?
>
> My second question is: are there any web-apps out there that I can
> provide all the necessary information for generating a request to see
> if I am signing it correctly? In other words, I provide my public/secret
> consumer tokens, signature method, oauth_version, timestamp,
> etc., and it shows me what the resulting signature *should* be, as
> well as the string the signature is generated from?
>
> I noticed Google's OAuth playground, but it doesn't quite fit the bill
> since it doesn't let you customize all the input parameters.
>
> regards,
> Matt
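An added example, not part of the original message and not any library's own code: building the signature base string and HMAC-SHA1 signature for the request-token step under OAuth 1.0a, where no oauth_token exists yet and the realm stays out of the signed data. The consumer key, secret, nonce and timestamp are constructed sample values, and the URL is assumed to be already normalized (lowercase host, no query string).

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    # OAuth percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # realm and oauth_signature never enter the base string.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k not in ("realm", "oauth_signature"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign_hmac_sha1(base: str, consumer_secret: str, token_secret: str = "") -> str:
    # No token secret exists at the request-token step, so the key is the
    # encoded consumer secret followed by a bare "&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(params: dict, signature: str) -> str:
    fields = dict(params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))


# Constructed sample values, not real credentials.
REQUEST_TOKEN_URL = "http://twitter.com/oauth/request_token"
CONSUMER_SECRET = "example-consumer-secret"
PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1264600000",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
    "oauth_callback": "oob",  # 1.0a out-of-band callback value
}  # deliberately no oauth_token entry

if __name__ == "__main__":
    base = signature_base_string("POST", REQUEST_TOKEN_URL, PARAMS)
    print(base)
    print(authorization_header(PARAMS, sign_hmac_sha1(base, CONSUMER_SECRET)))
```

Comparing the printed base string byte for byte against a validator's output is the quickest way to find which parameter or encoding step differs.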
