Re: [twitter-dev] 401 Unauthorized responses on OAUTH

2011-03-18 Thread Scott Wilcox
Ryan's just told me they're currently aware of the issue and looking into it.

On 18 Mar 2011, at 19:13, Ninjamonk wrote:

> I am also getting these problems. They have been on and off all day.
> 
> The same code works fine and 5 mins later it throws 401s and it's been
> working for 6 months no problem.

-- 
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 
http://groups.google.com/group/twitter-development-talk


[twitter-dev] 401 Unauthorized responses on OAUTH

2011-03-18 Thread @IDisposable
We're getting a ton of 401 errors when people are trying to OAuth
against some of our sites.  These sites have been in production for
years (and one new one went up yesterday).  When we get the error, we
get no message in the Response.  From the client perspective, it
happens when you click the "Allow" button and Twitter redirects back
to us. I've checked all the usual things:

1) Server clock is synced correctly to NIST time (and the server runs
in UTC, so no timezone/DST issues)
2) The servers haven't had any recent patches.
3) Same applications were working fine and haven't been changed
(except the new site)
4) We get the same issues no matter what user we're logged into
Twitter as.
5) We get the same issues even when running from the Amazon EC2
instance (IP whitelisted) or our QA servers (also IP whitelisted) or
from development machines (not whitelisted).
6) Occasionally (1 in 20 or worse) we get a success.
7) Nonce values are NOT being reused and we're (still) using
DotNetOAuth for the library to handle that part (no change)
8) Happens on all of these:
http://stlindex.com  (application under @STLIndex)
http://stltweets.com (application under @STLTweets)
http://loufesttweets.com (application under @LouFestTweets)
http://taste.stltweets.com (application under @STLTweets)

Typical failure:

REQUEST Headers: (https://twitter.com:443/)
Authorization: OAuth
oauth_verifier="fRSn84gupR7TFAW5G5ySm4c2LmuvD9x8ZckCHIEA",
oauth_token="MfgvKyS4Vgxy8c1kNgw7h3owkpAlzdqG223DTIs8vc",
oauth_consumer_key="MliXkE6e4kCJY2U10OH8sQ",
oauth_nonce="gkJy165f",
oauth_signature_method="HMAC-SHA1",
oauth_signature="9tRuLd55El37hJ2fqJs2cJVREaM%3D",
oauth_version="1.0",
oauth_timestamp="1300464048"
User-Agent: DotNetOpenAuth/3.4.5.10201
Host: twitter.com

RESPONSE:
Status: 401 Unauthorized
X-Transaction: 1300464048-3423-38581
X-Runtime: 0.00544
Pragma: no-cache
X-Revision: DEV
Content-Length: 1
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Content-Type: text/html; charset=utf-8
Date: Fri, 18 Mar 2011 16:00:48 GMT
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Last-Modified: Fri, 18 Mar 2011 16:00:48 GMT
Set-Cookie: k=208.82.145.5.1300464048881173; path=/; expires=Fri, 25-Mar-11 16:00:48 GMT;
domain=.twitter.com,guest_id=13004640478451; path=/; expires=Sun,
17 Apr 2011 16:00:48 GMT,
_twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCPmasskuAToHaWQiJWFkNDcxMzE2Yjg1YmIy
%250ANDkzMGFkMWI3YmM5NTZlNDA5IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy
%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--1c8558a834ffe3d40ae9be1bed2360f83555f5ae;
domain=.twitter.com; path=/; HttpOnly
Server: hi
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding

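Added example, not part of the original thread or of DotNetOpenAuth: checks 1 and 7 from the list above (clock sync and nonce reuse) automated over captured request/response pairs. The nonce, timestamp and Date values are taken from the capture in the post; the key and token placeholders, the extra failure cases and the 300-second tolerance are assumptions made for illustration.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

PARAM = re.compile(r'(oauth_\w+)="([^"]*)"')  # name="value" pairs

def parse_oauth_header(value):
    """Return the oauth_* parameters from an 'OAuth ...' Authorization value."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "oauth":
        raise ValueError("not an OAuth Authorization header")
    return dict(PARAM.findall(parts[1]))

def clock_skew_seconds(params, date_header):
    """Client oauth_timestamp minus the server's Date header, in seconds."""
    server = parsedate_to_datetime(date_header)
    if server.tzinfo is None:          # treat a zone-less Date as UTC
        server = server.replace(tzinfo=timezone.utc)
    return int(params["oauth_timestamp"]) - int(server.timestamp())

def audit(exchanges, max_skew=300):
    """Flag skewed timestamps and nonces reused for the same key/token/timestamp.
    max_skew is an assumed tolerance, not a documented Twitter value."""
    seen, findings = set(), []
    for i, (auth, date) in enumerate(exchanges):
        p = parse_oauth_header(auth)
        skew = clock_skew_seconds(p, date)
        if abs(skew) > max_skew:
            findings.append((i, "clock_skew", skew))
        key = (p.get("oauth_consumer_key"), p.get("oauth_token"),
               p["oauth_timestamp"], p["oauth_nonce"])
        if key in seen:
            findings.append((i, "nonce_reuse", p["oauth_nonce"]))
        seen.add(key)
    return findings

# Nonce, timestamp and Date come from the capture in the post; key and token
# are placeholders.
PAGE_DATE = "Fri, 18 Mar 2011 16:00:48 GMT"
PAGE_AUTH = ('OAuth oauth_token="TOKEN_PLACEHOLDER",\n'
             'oauth_consumer_key="KEY_PLACEHOLDER",\n'
             'oauth_nonce="gkJy165f",\noauth_timestamp="1300464048"')
# Constructed failure cases: a replay of the same request, then a slow clock.
SLOW_AUTH = PAGE_AUTH.replace("gkJy165f", "constructed1").replace(
    "1300464048", "1300460000")
EXCHANGES = [(PAGE_AUTH, PAGE_DATE), (PAGE_AUTH, PAGE_DATE), (SLOW_AUTH, PAGE_DATE)]

if __name__ == "__main__":
    for finding in audit(EXCHANGES):
        print(finding)
```

For the captured exchange the skew is zero, so the request's timestamp and the server's Date header agree to the second.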