Re: [twitter-dev] Getting Failed to validate oauth signature and token after adding an explicit oauth_callback in the request token phase
Hi Nathan, On Sun, Jul 31, 2011 at 5:43 AM, Nathan Rajlich nat...@tootallnate.net wrote: Hello all. I am using nodejs, and specifically ciranj's node-oauth[0] module, attempting to override the default callback URL with an explicit one as per the 1.0A specification changes. I'm not entirely sure if it's a bug with the module or just me being dumb, but after I changing the code from: request_token_url // is set to: 'https://www.twitter.com/oauth/ request_token' as the URL posting to (which works) to: request_token_url + '?oauth_callback=' + encode(callback) where 'callback' could be something like 'http://www.google.com', I get a 401 response code with a Failed to validate oauth signature and token error message. Any hints in the right direction would be much appreciated. Thanks in advance! Just had a check through my code, and it should work just fine. I've placed an example working solution inline to this response :) var http = require('http') , OAuth= require('./index').OAuth , url = require('url') , consumerKey= YOUR_KEY , consumerSecret= YOUR_SECRET , callbackURL= YOUR_CALLBACK; var oAuth= new OAuth(http://twitter.com/oauth/request_token;, http://twitter.com/oauth/access_token;, consumerKey, consumerSecret, 1.0a, callbackURL, HMAC-SHA1); http.createServer(function (req, res) { var urlp= url.parse(req.url, true); if( urlp.query urlp.query.oauth_verifier ) { res.writeHead(200, {'Content-Type': 'text/plain'}); res.end('Verification callback: ' + urlp.query.oauth_verifier +'\n'); } else { oAuth.getOAuthRequestToken(function(error, oauth_token, oauth_token_secret, oauth_authorize_url, additionalParameters ) { console.log( error ); res.writeHead(301, { 'Location': http://twitter.com/oauth/authenticate?oauth_token=; + oauth_token }); res.end(); }); } }).listen(80, 127.0.0.1); Hope this helps :) - Cj. -- Have you visited the Developer Discussions feature on https://dev.twitter.com/discussions yet? Twitter developer links: Documentation and resources: https://dev.twitter.com/docs API updates via Twitter: https://twitter.com/twitterapi Unsubscribe or change your group membership settings: http://groups.google.com/group/twitter-development-talk/subscribe
Re: [twitter-dev] 401 error what am i doing wrong here (user search)
Just out of interest does your searchbterm contain commas? If so when using twitter you'll need to encode this parameter first before passing the URL to the client (it seems :( ) -cj On Thursday, December 23, 2010, Cujo deko...@gmail.com wrote: For the last call i rewrote my code to set the Authorization RequestHeader to: OAuth realm=http%3A%2F%2Fapi.twitter.com, oauth_consumer_key=[mykey], oauth_signature_method=HMAC-SHA1, oauth_token=[accesstoken], oauth_version=1.0, oauth_timestamp=1293101327, oauth_nonce=b37Zm8, oauth_signature=[signature] With result: ?xml version=1.0 encoding=UTF-8? errors error code=32Could not authenticate you/error /errors And with responseHeaders : Via: 1.0 SMTTMG Connection: Keep-Alive Proxy-Support: Session-Based-Authentication Connection: Proxy-Support Transfer-Encoding: chunked Expires: Thu, 23 Dec 2010 08:30:06 GMT Date: Thu, 23 Dec 2010 08:00:06 GMT Content-Type: application/xml; charset=utf-8 Server: hi Status: 401 Unauthorized WWW-Authenticate: Basic realm=Twitter API X-Runtime: 0.01106 Cache-Control: no-cache, max-age=1800 Set-Cookie: _twitter_sess=VERYLONGSIGNATUREacbd; domain=.twitter.com; path=/ Does that mean the the Authorization did not come through, since the WWW-Authenticate says Basic? On 22 dec, 14:50, Cujo deko...@gmail.com wrote: I followed the whole oAuth chain to aquire an accesstoken for my application: Call 1: sent:https://api.twitter.com/oauth/request_token?oauth_consumer_key=[mykey]oauth_signature_method=HMAC-SHA1oauth_timestamp=1293014232oauth_nonce=OgIwk4oauth_signature=[signature] result: oauth_token=[token]oauth_token_secret=[tokensecret]oauth_callback_confirmed=true Call 2: (after receiving a pincode) sent:https://api.twitter.com/oauth/access_token?oauth_consumer_key=[mykey]oauth_token=[token]oauth_signature_method=HMAC-SHA1oauth_verifier=[pincode]oauth_timestamp=1293014245oauth_nonce=UZN6pWoauth_signature=[signature] result: oauth_token=[accesstoken]oauth_token_secret=[accesstokensecret]user_id=42198282screen_name=kooijtje Call 3: (i should be able to do a search since i have an access token) sent:http://api.twitter.com/1/users/search.xml?q=[searchterm]oauth_consumer_key=[mykey]oauth_token=[accesstoken]oauth_signature_method=HMAC-SHA1oauth_timestamp=1293014246oauth_nonce=nV8zJ7oauth_signature=[signature] sent:http://api.twitter.com/1/users/search.xml?oauth_consumer_key=[mykey]oauth_nonce=wwQs4poauth_signature_method=HMAC-SHA1oauth_timestamp=1293024508oauth_token=[accesstoken]oauth_version=1.0q=[Searchterm]oauth_signature=[signature] Both are giving the following 401 error with this response: xml version=1.0 encoding=UTF-8? hash request/1/users/search.xml? oauth_consumer_key=[mykey]amp;oauth_nonce=dD7PvNamp;oauth_signature_method=HMAC- SHA1amp;oauth_timestamp=[timestamp]amp;oauth_token=[accesstoken]amp;oauth_version=1.0amp;q=[Searchterm]amp;oauth_signature=[signature]/ request errorIncorrect signature/error /hash Currently through the lib i am using all parameters (including the q) are used to calculate the oauth_signature, is this wrong? Should only the oauth_* parameters be used? I tried this but still incorrect signature error. The algorithm for calculating seems to be signature correct since i am able to succesfull get an accesstoken? Any idea's? -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
Re: [twitter-dev] Re: Twitter streaming API using oauth with tracks that have spaces?
On Fri, Nov 12, 2010 at 11:31 PM, dan dfran...@gmail.com wrote: By ui-encoding you mean percent-encoding? I did mean uri-encoding ;) iphone's suck :) -cj. -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
Re: [twitter-dev] Twitter streaming API using oauth with tracks that have spaces?
Try ui-encoding them first, my understanding of the Twitter OAuth signature validation is that it is non-standard (although there appears to be debate about this) I suspect if you encode them first before signing the url it will start to work -cj. On Tue, Nov 9, 2010 at 6:11 PM, dan dfran...@gmail.com wrote: I've been having trouble connecting to the streaming API using oauth if my tracks have spaces. I get 401s (unauthorized). In all cases, the same code works if the tracks don't have spaces. In Java: tried twitter4j (http://twitter4j.org/jira/browse/TFJ-420) and tweetstream4j (http://stackoverflow.com/questions/4129622/ connecting-to-twitter-streaming-api-with-tracks-with-spaces-using- apache-httpclie) In Python: tried tweepy (https://github.com/joshthecoder/tweepy/ issues#issue/64) The Twitter example using curl (http://dev.twitter.com/pages/ streaming_api_methods#track) works with tracks that have spaces, but it's basic auth. I am wondering if some oauth encoding versus POST param encoding is not working out. Can someone point me to a code example in Java or Python that is known to work connecting to the Twitter streaming API using oauth that has spaces in its tracks? Thanks in advance. -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
Re: [twitter-dev] Streaming API, Basic Auth Ok, OAuth Unauthorized?
Hey Bradley, This is another instance of the the ongoing (and as yet un-answered sadly) question I have in the mailing list about my client (which iirc you're using) See : http://github.com/ciaranj/node-oauth/issues#issue/7 and http://groups.google.co.uk/group/twitter-development-talk/browse_thread/thread/fe6e50d60d1e95fa/f06e93e761183bf1?hl=enlnk=gstq=javajunky#f06e93e761183bf1 oh and also ( :( ) http://groups.google.co.uk/group/twitter-development-talk/browse_thread/thread/4aedc185cee34d81?hl=en# The bad news is twitter don't seem to want to tell me if I'm wrong, or they're wrong (I don't care, just want to know what to fix ! :( ) .. the good news is the work around is to url encode your parameters before you pass them off to my client ( you won't need to do this with any other OAuth provider I've yet come across fwiw, but if they come back and say yes, thats deliberate, yes its different, I'll hardcode it into the client so you don't need to worry about it *sigh* (or even better, the client is wrong, we're right and we do it the same as everyone else..which would be an ideal outcome) ) Take Care - cj. On Mon, Oct 25, 2010 at 10:20 PM, bradley.meck bradley.m...@gmail.com wrote: I have a simple oauth client that I use to post status updates currently, however, when I added the ability to track statuses with the Stream api using OAuth I noticed I could not connect, with Unauthorized 401 being the reply to anything I sent it. I looked into the documentation and it seems to be a simple request using the same OAuth style as the normal api. After searching threads I noticed the rate limiting and so I have left my app alone for extended periods of time and still I get 401s. I tested against basic auth, and the code worked! M, that was odd. So unless I am mistaken I am doing something wrong, but I am posting to the right url and mirroring my basic auth test to no avail. The code is at: http://github.com/bmeck/Simple-Bot/blob/master/modules/twitter.js the track() function is the boilerplate that is in question oa.post is a simple rest wrapper for oauth POST. Any help or directions as to where to go from here is much appreciated. Cheers, Bradley -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
Re: [twitter-dev] Re: Streaming API, Basic Auth Ok, OAuth Unauthorized?
On Mon, Oct 25, 2010 at 10:53 PM, bradley.meck bradley.m...@gmail.com wrote: So in my case i just encodeURIComponent somewhere? I tried on the POST params and it did not work, nor did the 4 permutations of api-key/ secret and access-token-key/secret. Odd, Escaping track=+tracking.join(,)+count=0 should work ? -cj. -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
Re: [twitter-dev] Re: Streaming API, Basic Auth Ok, OAuth Unauthorized?
On Mon, Oct 25, 2010 at 11:28 PM, themattharris thematthar...@twitter.com wrote: Hey everyone, So OAuth encoding can get confusing and lead to situations like this so i'll go through a very verbose walkthrough to hopefully explain how it all works. First, thank you for taking the time to post this, I agree OAuth can be / is confusing ;) The key section of the specification explaining this part is 3.4.1.3.2: http://tools.ietf.org/html/rfc5849#section-3.4.1.3.2 Assuming my parameters are POST parameters and are as follows: key | value track | twitter follow | 1528912,9512582 oauth_consumer_key | Oauth_Consumer_Key oauth_nonce | nonce123 oauth_signature_method | HMAC-SHA1 oauth_timestamp | 1288042714 oauth_token | My_tokeN oauth_version | 1.0 Now following 3.4.1.3.2 1. Parameter names and values are encoded according to Section 3.6. Section 3.6 of the spec says: The values are then escaped using the [RFC3986] percent-encoding (%XX) mechanism as follows: * Characters in the unreserved character set as defined by [RFC3986], Section 2.3 (ALPHA, DIGIT, -, ., _, ~) MUST NOT be encoded. * All other characters MUST be encoded. * The two hexadecimal characters used to represent encoded characters MUST be uppercase. Knowing this our parameters therefore become: key | value track | twitter follow | 11528912%2C9512582 oauth_consumer_key | OauthConsumerKey oauth_nonce | nonce123 oauth_signature_method | HMAC-SHA1 oauth_timestamp | 1288042714 oauth_token | My_tokeN oauth_version | 1.0 2. The parameters are sorted by name, using ascending byte value ordering. If two or more parameters share the same name, they are sorted by their value. key | value follow | 11528912%2C9512582 oauth_consumer_key | OauthConsumerKey oauth_nonce | nonce123 oauth_signature_method | HMAC-SHA1 oauth_timestamp | 1288042714 oauth_token | My_tokeN oauth_version | 1.0 track | twitter 3. The name of each parameter is concatenated to its corresponding value using an = character (ASCII code 61) as a separator, even if the value is empty. key=value follow=11528912%2C9512582 oauth_consumer_key=OauthConsumerKey oauth_nonce=nonce123 oauth_signature_method=HMAC-SHA1 oauth_timestamp=1288042714 oauth_token=My_tokeN oauth_version=1.0 track=twitter 4. The sorted name/value pairs are concatenated together into a single string by using an character (ASCII code 38) as separator. Indeed, Steps 1,2, 3 + 4 as described above are the ones I know from the Spec, however on this page: http://dev.twitter.com/pages/auth %3d and %26 are used during the concatenation process, and ... follow=11528912%2C9512582oauth_consumer_key=OauthConsumerKeyoauth_nonce=nonce123oauth_signature_method=HMAC- SHA1oauth_timestamp=1288042714oauth_token=My_tokeNoauth_version=1.0track=twitter This concatenated string of parameters is the result of the normalization part of 3.4.1.1.5. We still have to complete stage 5 which says to encode that string. ... This step apparently does not occur ? (again according to that web-page)... it appears that it is considered equivalent to escape the '' and the '=' during the loop, rather than escape the whole string at once (which will re-escape the individually escaped keys and values as per [I believe] the spec) Doing this gives: follow%3D11528912%252C9512582%26oauth_consumer_key%3DOauthConsumerKey %26oauth_nonce%3Dnonce123%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1288042714%26oauth_token%3DMy_tokeN %26oauth_version%3D1.0%26track%3Dtwitter In this example, assuming we are POSTing to http://stream.twitter.com/1/statuses/filter.json with the parameters already processed - our basestring becomes: POSThttp%3A%2F%2Fstream.twitter.com%2F1%2Fstatuses %2Ffilter.jsonfollow%3D11528912%252C9512582%26oauth_consumer_key %3DOauthConsumerKey%26oauth_nonce%3Dnonce123%26oauth_signature_method %3DHMAC-SHA1%26oauth_timestamp%3D1288042714%26oauth_token%3DMy_tokeN %26oauth_version%3D1.0%26track%3Dtwitter I hope that helps, @themattharris It will do, if what you say is happening is what *really* happens on the server (and that web page is wrong / or I mis-understand it) .. then I'll have to find some other reason why escaping the url parameters fixes things ;) Cheery-bye, and again, thank you for taking the time to talk this through :) -cj -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
[twitter-dev] Repeat request for clarification on signing specifics of Twitter OAuth (and possible deviations from the RFC/Specs)
Hi Folks, Apologies for re-posting this question, but I asked (in what I though was a fairly detailed and accurate manner :( ) a week or so ago this question: http://groups.google.co.uk/group/twitter-development-talk/msg/4d858cc2d48b63aa?hl=en Is there any chance someone is here that understands my question? I've open bugs on my client library that I would rather like to close or fix (depending on the outcome of this conversation!) Many thanks -Cj. -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
Re: [twitter-dev] Trying to use Streaming API with OAuth but times out - Suggestions?
On Tue, Oct 12, 2010 at 3:16 AM, Bartek bart.ci...@gmail.com wrote: Hi there, I'm new to the Twitter API so forgive me if I'm missing something blatant. I just wrote a small node.js script that connects to Twitter and fetches the specified timeline. The library I am using for OAuth is: http://github.com/ciaranj/node-oauth If I specify a timeline outside of the Streaming API I get a full result - Works great! However, if I specify one in the Streaming API, e.g.: oa.getProtectedResource(http://stream.twitter.com/1/statuses/ sample.json, GET, oauth_access_token, oauth_access_token_secret, function(error, data , response) { ... } I simply get a Timed out error. If I access that same page directly it works fine. Tried a few times and checked the Status of Twitter, but no luck. Any advice as to what I am doing wrong? Hiyah, this page: http://github.com/ciaranj/node-oauth/wiki/Interacting-with-Twitter should explain your issue. You're using the non-streaming method/approach to access a streaming resource :) Cheers. -cj -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
Re: [twitter-dev] Re: Trying to use Streaming API with OAuth but times out - Suggestions?
np ;) -cj. On Tue, Oct 12, 2010 at 12:22 PM, Bartek bart.ci...@gmail.com wrote: Thanks a bunch! On Oct 12, 5:39 am, Ciaran ciar...@gmail.com wrote: On Tue, Oct 12, 2010 at 3:16 AM, Bartek bart.ci...@gmail.com wrote: Hi there, I'm new to the Twitter API so forgive me if I'm missing something blatant. I just wrote a small node.js script that connects to Twitter and fetches the specified timeline. The library I am using for OAuth is: http://github.com/ciaranj/node-oauth If I specify a timeline outside of the Streaming API I get a full result - Works great! However, if I specify one in the Streaming API, e.g.: oa.getProtectedResource(http://stream.twitter.com/1/statuses/ sample.json, GET, oauth_access_token, oauth_access_token_secret, function(error, data , response) { ... } I simply get a Timed out error. If I access that same page directly it works fine. Tried a few times and checked the Status of Twitter, but no luck. Any advice as to what I am doing wrong? Hiyah, this page:http://github.com/ciaranj/node-oauth/wiki/Interacting-with-Twitter should explain your issue. You're using the non-streaming method/approach to access a streaming resource :) Cheers. -cj -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
Re: [twitter-dev] Re: can't follow more than one user
On Thu, Oct 7, 2010 at 10:04 PM, Malte malte@gmail.com wrote: Hi, because I'm using the same library and was not finding the same problems when connecting to site streams I looked for what I was doing differently: Turns out, if one URL encodes the komma in the follow list the OAuth connection works Bye Malte Hi, Yes, another user reported this as a workaround too, I'd still like some clarification from t'twitter as to whether the client is wrong (my current plan will be to 'if-twitter' around the signing code ;) ) Thanks for the heads up though! -cj On 6 Oct, 23:38, JavaJunky ciar...@gmail.com wrote: Hi, The library in question is mine and not unreasonably Ruben has submitted a pull-request with his fix over on github. Unfortunately this fix seems to break existing (working) OAuth consumer relationships :( I'm actually at a bit of a loss how to progress it, I've read:http://dev.twitter.com/pages/auth(Signing Requests) a few times. I've cross-referenced againsthttp://oauth.net/core/1.0a/Sec. 9.1.1 and even double checked againsthttp://tools.ietf.org/html/rfc5849#section-3.4.1 Sec. 3.4.1.3.2 The last two resources appear to agree with each other, that the '=' and the '' that join the parameter name-value pairs should appear in the 'plain' but then get encoded as a whole [which would re-encode any existing '%', hence a crucial difference in the twitter listed strategy] The important bit seems to be in the OAuth 1.0 RFC Section 3.4.1.1. String Construction, point 5: 5. The request parameters as normalized in Section 3.4.1.3.2, after being encoded (Section 3.6). Crucially this suggests to me that that the encoding is applied to the entire normalized string, which the documentation athttp://dev.twitter.com/pages/auth seems to suggest isn't happening on the Twitter side :( It is (more than likely) entirely possible that I'm doing something incredibly stupid and obvious but is there anyone on the twitter side that can confirm that this deviation from the 'spec' is deliberate (or even better for consistency, a minor issue?) Many Thanks (and sorry if I'm wasting your time!) - Cj. On Oct 6, 6:31 pm, Ruben Fonseca fons...@gmail.com wrote: Hi John! On Oct 6, 5:54 pm, John Kalucki j...@twitter.com wrote: It might be an OAuth encoding error with the ','. Which OAuth library are you using? That was exactly the problem! I was using node-oauth (from herehttp://github.com/ciaranj/node-oauth/) and realized the signature was being generated wrong. Patched the library and it now works great!! Thank you!!! -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk
Re: [twitter-dev] Re: can't follow more than one user
Ah you *are* that other user! Doh :) - cj On Thursday, October 7, 2010, Ciaran ciar...@gmail.com wrote: On Thu, Oct 7, 2010 at 10:04 PM, Malte malte@gmail.com wrote: Hi, because I'm using the same library and was not finding the same problems when connecting to site streams I looked for what I was doing differently: Turns out, if one URL encodes the komma in the follow list the OAuth connection works Bye Malte Hi, Yes, another user reported this as a workaround too, I'd still like some clarification from t'twitter as to whether the client is wrong (my current plan will be to 'if-twitter' around the signing code ;) ) Thanks for the heads up though! -cj On 6 Oct, 23:38, JavaJunky ciar...@gmail.com wrote: Hi, The library in question is mine and not unreasonably Ruben has submitted a pull-request with his fix over on github. Unfortunately this fix seems to break existing (working) OAuth consumer relationships :( I'm actually at a bit of a loss how to progress it, I've read:http://dev.twitter.com/pages/auth(Signing Requests) a few times. I've cross-referenced againsthttp://oauth.net/core/1.0a/Sec. 9.1.1 and even double checked againsthttp://tools.ietf.org/html/rfc5849#section-3.4.1 Sec. 3.4.1.3.2 The last two resources appear to agree with each other, that the '=' and the '' that join the parameter name-value pairs should appear in the 'plain' but then get encoded as a whole [which would re-encode any existing '%', hence a crucial difference in the twitter listed strategy] The important bit seems to be in the OAuth 1.0 RFC Section 3.4.1.1. String Construction, point 5: 5. The request parameters as normalized in Section 3.4.1.3.2, after being encoded (Section 3.6). Crucially this suggests to me that that the encoding is applied to the entire normalized string, which the documentation athttp://dev.twitter.com/pages/auth seems to suggest isn't happening on the Twitter side :( It is (more than likely) entirely possible that I'm doing something incredibly stupid and obvious but is there anyone on the twitter side that can confirm that this deviation from the 'spec' is deliberate (or even better for consistency, a minor issue?) Many Thanks (and sorry if I'm wasting your time!) - Cj. On Oct 6, 6:31 pm, Ruben Fonseca fons...@gmail.com wrote: Hi John! On Oct 6, 5:54 pm, John Kalucki j...@twitter.com wrote: It might be an OAuth encoding error with the ','. Which OAuth library are you using? That was exactly the problem! I was using node-oauth (from herehttp://github.com/ciaranj/node-oauth/) and realized the signature was being generated wrong. Patched the library and it now works great!! Thank you!!! -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk -- Twitter developer documentation and resources: http://dev.twitter.com/doc API updates via Twitter: http://twitter.com/twitterapi Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list Change your membership to this group: http://groups.google.com/group/twitter-development-talk