I hate to continue replying to my own post, but I thought if I
provided the actual consumer tokens etc. it might help:

RequestTokenURL = "http://twitter.com/oauth/request_token";
OAuthConsumerKey = "cY1cHq6P4VmrLVePpYWEw"
ConsumerSecretKey = "dZbuhYz8B5HzyHMVIS5M5djSmM3xVHEVrLinUKfzEY"
OAuthSignatureMethod = "HMAC-SHA1"
OAuthVersion = "1.0"
HTTPMethod = "POST"
OAuthTimeStamp = 1264624658
OAuthNonce = "12345"

The string that I am signing looks like this (no breaks):

POST&http%3A%2F%2Ftwitter.com%2Foauth
%2Frequest_token&oauth_consumer_key%3DcY1cHq6P4VmrLVePpYWEw
%26oauth_nonce%3D12345%26oauth_signature_method%3DHMAC-
SHA1%26oauth_timestamp%3D1264624658%26oauth_version%3D1.0

The resulting signature is: R7WbI+2n9cEsZl9GzKNMJPWvo1w=

The final authorization header content looks like this:

OAuth realm="http://twitter.com/oauth/request_token";,
oauth_consumer_key="cY1cHq6P4VmrLVePpYWEw", oauth_nonce="12345",
oauth_signature="R7WbI%2B2n9cEsZl9GzKNMJPWvo1w%3D",
oauth_signature_method="HMAC-SHA1", oauth_timestamp="1264624658",
oauth_version="1.0"

I am doing a POST using the authorization headers. But I have also
taken the generated results, converted them into a query string, and did
a direct GET request from my browser (same result). I also tried doing
a POST with only "OAuth" and realm data in the Auth header, and doing
the rest in the query string (from inside FireBug in-browser).

I'm at my wits' end on this one - obviously the only error that we can
expect is "unauthorized", but there are *so* many things that can go
wrong in the signing/request process in OAuth that I might as well
throw a dart while blindfolded and expect to hit a bulls-eye.

regards,
Matt
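
An added example, not part of the original post: a Python check that rebuilds the OAuth 1.0 signature base string from the values posted above and signs it with HMAC-SHA1, so the posted base string, signature and header can be compared step by step. The function names are this example's own; the key is built as consumer secret plus "&" plus an empty token secret, as OAuth 1.0 specifies for the request-token step.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Values copied from the post above.
URL = "http://twitter.com/oauth/request_token"
CONSUMER_SECRET = "dZbuhYz8B5HzyHMVIS5M5djSmM3xVHEVrLinUKfzEY"
POSTED_SIGNATURE = "R7WbI+2n9cEsZl9GzKNMJPWvo1w="
PARAMS = {
    "oauth_consumer_key": "cY1cHq6P4VmrLVePpYWEw",
    "oauth_nonce": "12345",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1264624658",
    "oauth_version": "1.0",
}

def enc(s):
    # OAuth percent-encoding: everything except A-Z a-z 0-9 - . _ ~ is escaped.
    return quote(s, safe="~")

def base_string(method, url, params):
    # Encode names and values, sort, join as k=v with &, then encode the result again.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def hmac_sha1_b64(key, text):
    return base64.b64encode(hmac.new(key.encode(), text.encode(), hashlib.sha1).digest()).decode()

def sign(base, consumer_secret, token_secret=""):
    # The key always contains the "&", even when there is no token secret yet.
    return hmac_sha1_b64(f"{enc(consumer_secret)}&{enc(token_secret)}", base)

def auth_header(params, signature):
    # realm is not part of the signature and is left out here.
    fields = dict(params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{k}="{enc(v)}"' for k, v in sorted(fields.items()))

def explain_posted(posted=POSTED_SIGNATURE):
    # Report which key construction, if any, reproduces the posted signature.
    base = base_string("POST", URL, PARAMS)
    tried = {"secret + '&'": sign(base, CONSUMER_SECRET),
             "secret without '&'": hmac_sha1_b64(CONSUMER_SECRET, base)}
    return [name for name, sig in tried.items() if sig == posted]

if __name__ == "__main__":
    base = base_string("POST", URL, PARAMS)
    print(base)
    print(auth_header(PARAMS, sign(base, CONSUMER_SECRET)))
    print("posted signature matches:", explain_posted() or "neither key form")
```

Comparing the printed base string and signature with the posted ones shows at which stage (normalization, key construction, or header encoding) the two diverge.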
