[twitter-dev] Occasional 401s with correct tokens
For Tweed for webOS, we have a perfectly fine OAuth implementation and most of our requests go through just fine (and have for a few months). However, we get occasional 401s.

After digging around a bit we found that correctly-signed requests can time out on the server side and Twitter returns a 401. So we changed our code so that, when it gets a 401, it will immediately retry the request one time.

It seems that this approach isn't the best as we're still getting reports from the field that sometimes the requests fail with a 401, when we give the user a "your password is out of sync, please re-enter it" type of message.

What is the *correct* behavior for a 401?

thx,
--dwf

--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: http://groups.google.com/group/twitter-development-talk
[twitter-dev] YFrog/ImageShack and invalid username or verification url error
Anyone else seeing this?

We're implementing OAuth Echo for uploading photos. We've knocked down Posterous & TwitPic with few issues. So we know our signing is working.

We now have an ImageShack API key and when we attempt to upload we get this response:

<?xml version="1.0" encoding="UTF-8"?>
<rsp stat="fail">
  <err code="1001" msg="Invalid username or verification URL specified"/>
</rsp>

There's one comment on their Google Group with someone else getting this suddenly after having successful code for a while.

Thoughts?

--dwf
[twitter-dev] OAuth issues with some POSTs only
We're having lots of success with OAuth now, which is great. So far it looks like all our GETs are working just fine. And some of our POSTs - but not all.

Here's a POST that works (deleting a user's tweet):

url: https://api.twitter.com/1/statuses/destroy.json
parameters: {id: 12532480661}
Base String: POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fdestroy.json&id%3D12532480661%26oauth_consumer_key%3D-%26oauth_nonce%3D1274466742322abc143248%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1274466742%26oauth_token%3D-%26oauth_version%3D1.0
AuthHeader: Authorization = OAuth oauth_signature_method=HMAC-SHA1, oauth_nonce=1274466742322abc143248, oauth_timestamp=1274466742, oauth_consumer_key=-, oauth_version=1.0, oauth_token=-, oauth_signature=mg23Yowg9Y40imqcOH9SibMHSHE%3D

And here's one that's NOT working (updating a status):

url: https://api.twitter.com/1/statuses/update.json
parameters: {source: tweed, status: Tweet}
BaseString: POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json&oauth_consumer_key%3D---%26oauth_nonce%3D1274466366892abc252116%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1274466366%26oauth_token%-%26oauth_version%3D1.0%26source%3Dtweed%26status%3DTweet
AuthHeader: Authorization = OAuth oauth_signature_method=HMAC-SHA1, oauth_nonce=1274466366892abc252116, oauth_timestamp=1274466366, oauth_consumer_key=, oauth_version=1.0, oauth_token=-, oauth_signature=V4HjQU7%2BTYF2MFtkkR7T8OYM54Q%3D

The error we get is:

{ status: 401, responseText: {request:/1/statuses/update.json,error:Incorrect signature} }

Thoughts?
[twitter-dev] Re: OAuth issues with some POSTs only
Just tried removing the source param and we still get the 'incorrect signature' error. Twurl from the command line is just fine. Digging further...

--dwf

On May 21, 11:54 am, Taylor Singletary <taylorsinglet...@twitter.com> wrote:
> Hi DWF,
>
> At first glance there doesn't seem to be anything wrong here that I can see. I do see that you're including a source parameter, which isn't necessary when you are POSTing a status update -- Twitter will just use your registered application name from your client application record for that.
>
> What happens when you try the same call without a source parameter? Curious if we're just throwing a lame error here.
>
> Taylor Singletary
> Developer Advocate, Twitter
> http://twitter.com/episod
>
> On Fri, May 21, 2010 at 11:34 AM, DWF <dwfr...@pivotallabs.com> wrote:
> > We're having lots of success with OAuth now, which is great. So far it looks like all our GETs are working just fine. And some of our POSTs - but not all.
[twitter-dev] Re: OAuth issues with some POSTs only
Hang on, we think we found something... stop digging for a bit. :)

On May 21, 12:11 pm, DWF <dwfr...@pivotallabs.com> wrote:
> Just tried removing the source param and we still get the 'incorrect signature' error. Twurl from the command line is just fine. Digging further...
>
> --dwf
[twitter-dev] Re: Issues getting started with xAuth
SOLVED!

The moral of the story is to keep your nonce values SIMPLE. We were generating a random value:

    Base64.encode('1:' + counter++ + ':' + random + Date.now());

which most of the time resulted in a string that contained an equals sign character, which then gets urlencoded to %3D. It appears the % character was confusing the server and so we kept getting 401s.

Our solution is to make a simpler, non-Base64-encoded nonce. NO PERCENTS!!!

And all is now well.

-dwf

On May 12, 3:30 pm, DWF <dwfr...@pivotallabs.com> wrote:
> Taylor:
>
> Here's what we're sending now. The signature looks like the correct length. But we're getting the same error.
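The signing rule behind the nonce problem in the message above, as an added example that is not code from this thread or from Twitter: RFC 5849 percent-encodes every parameter value and then encodes the joined parameter string a second time, so an "=" in a nonce appears as %253D in the signature base string, where the base string quoted in this thread shows %3D. The host, key, secret, function names and the encodeValues switch are assumptions made for the demonstration.

```javascript
const nodeCrypto = require("crypto");

// RFC 5849 section 3.6: only A-Z a-z 0-9 - . _ ~ are left unescaped.
function pct(value) {
  return encodeURIComponent(String(value)).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// RFC 5849 section 3.4.1: encode names and values, sort, join, encode again.
// encodeValues=false is a hypothetical switch modelling a skipped first pass.
function baseString(method, url, params, encodeValues = true) {
  const enc = encodeValues ? pct : String;
  const normalized = Object.keys(params)
    .map((k) => [enc(k), enc(params[k])])
    .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0))
    .map(([k, v]) => k + "=" + v)
    .join("&");
  return [method.toUpperCase(), pct(url), pct(normalized)].join("&");
}

// HMAC-SHA1 keyed with "consumer_secret&token_secret" (token secret empty here).
function sign(base, consumerSecret, tokenSecret = "") {
  const key = pct(consumerSecret) + "&" + pct(tokenSecret);
  return nodeCrypto.createHmac("sha1", key).update(base).digest("base64");
}

// Client side: each Authorization value is percent-encoded exactly once.
function authHeader(oauthParams, signature) {
  const all = { ...oauthParams, oauth_signature: signature };
  return "OAuth " + Object.keys(all).sort()
    .map((k) => pct(k) + '="' + pct(all[k]) + '"').join(", ");
}

// Server side: decode the header, rebuild the base string, compare signatures.
function serverAccepts(method, url, header, bodyParams, consumerSecret) {
  const params = { ...bodyParams };
  const fields = header.slice("OAuth ".length);
  const pair = /([^=,\s]+)="([^"]*)"/g;
  let m, received = "";
  while ((m = pair.exec(fields)) !== null) {
    const name = decodeURIComponent(m[1]);
    const value = decodeURIComponent(m[2]);
    if (name === "oauth_signature") received = value; else params[name] = value;
  }
  const expected = Buffer.from(sign(baseString(method, url, params), consumerSecret));
  const got = Buffer.from(received);
  return expected.length === got.length && nodeCrypto.timingSafeEqual(expected, got);
}

// Constructed sample request: host, key and secret are placeholders.
const TOKEN_URL = "https://api.example.test/oauth/access_token";
const SECRET = "constructed-consumer-secret";
const BODY = { x_auth_mode: "client_auth", x_auth_password: "X", x_auth_username: "X" };

function buildRequest(nonce, encodeValues) {
  const oauth = {
    oauth_consumer_key: "constructed-consumer-key",
    oauth_nonce: nonce,
    oauth_signature_method: "HMAC-SHA1",
    oauth_timestamp: "1700000000",
    oauth_version: "1.0",
  };
  const base = baseString("POST", TOKEN_URL, { ...oauth, ...BODY }, encodeValues);
  return { base, header: authHeader(oauth, sign(base, SECRET)) };
}

// Nonce drawn from a CSPRNG; hex output never needs escaping.
const hexNonce = () => nodeCrypto.randomBytes(16).toString("hex");

const paddedNonce = Buffer.from("1:0:constructed-1").toString("base64"); // ends in "="
for (const [label, nonce, encodeValues] of [
  ["padded nonce, both passes", paddedNonce, true],
  ["padded nonce, first pass skipped", paddedNonce, false],
  ["hex nonce, first pass skipped", hexNonce(), false],
]) {
  const req = buildRequest(nonce, encodeValues);
  console.log(label, "->", serverAccepts("POST", TOKEN_URL, req.header, BODY, SECRET));
}
```

In the third case the hypothetical client still skips the first encoding pass; it is accepted only because none of its values contains a character that needs escaping.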
[twitter-dev] Doc Bug: statuses/mentions claims to NOT require authentication, but it does
http://dev.twitter.com/doc/get/statuses/mentions

This API doesn't take a parameter for a username so it's only available via an auth call. We tried to hit http://api.twitter.com/1/statuses/mentions.json via Hurl.it and got a 401.

Which means that the doc is wrong wrt auth URL.

--dwf
[twitter-dev] Issues getting started with xAuth
We're trying this out now & think we're approved. But we're still seeing 401s when requesting a user token.

(username & password hidden with XX below)

Here's our base string:

POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Faccess_token&oauth_consumer_key%3DWFKpuxJsIdVbesPtUAN6w%26oauth_nonce%3DMTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc%3D%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1273686593%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth%26x_auth_password%3DX%26x_auth_username%3DX

Here's our POST (using hurl.it as it looks like twurl doesn't support this API endpoint yet):

-
POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_signature_method=HMAC-SHA1, oauth_nonce=MToxOjEyMzcxNzEyNzM2ODY1OTM4Mjc%3D, oauth_timestamp=1273686593, oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0, oauth_signature=4f23193590c2b66c5ea23ce5deae9c767998a902
Accept: application/json
Content-Length: 93
Content-Type: application/x-www-form-urlencoded

x%5Fauth%5Fusername=X&x%5Fauth%5Fpassword=X&x%5Fauth%5Fmode=client%5Fauth
-

And we're getting this response (sad panda):

-
HTTP/1.1 401 Unauthorized
Date: Wed, 12 May 2010 17:52:11 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1273686731-92894-17698
Last-Modified: Wed, 12 May 2010 17:52:11 GMT
X-Runtime: 0.03752
Content-Type: text/html; charset=utf-8
Content-Length: 44
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=74.207.226.80.1273686729321903; path=/; expires=Wed, 19-May-10 17:52:09 GMT; domain=.twitter.com
Set-Cookie: guest_id=127368673134928431; path=/; expires=Fri, 11 Jun 2010 17:52:11 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFUqpY0oAToRdHJhbnNfcHJvbXB0MDoHaWQi%250AJTc1OGJjN2ZjODIwYWNhYzY3NjJlZGQzYWFjNTFlYmEyIgpmbGFzaElDOidB%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--ab999812f9cfb9a01a8095a2e3d0f84fd9c1e0d7; domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close

Failed to validate oauth signature and token

This look familiar to anyone?

Thanks,
--dwf
[twitter-dev] Re: Issues getting started with xAuth
We just coded up a simple Ruby script to make the same request, building our post body by hand into a string to ensure the escaping (or not) of the params. So we know that going into Net::HTTP the underscores are underscores and NOT %5F's.

Same response from the server.

--dwf

On May 12, 11:14 am, Taylor Singletary <taylorsinglet...@twitter.com> wrote:
> Just eyeballing this: your POST body is over-URL encoded.
>
> Your POST body should be simply:
>
> x_auth_username=X&x_auth_password=X&x_auth_mode=client_auth
>
> But the values of each key should be URL escaped (so if there's an email address, username, or password with non-URL safe characters, they would be URL encoded -- and double URL encoded in your signature base string)
>
> Otherwise, at first glance anyway, this looks pretty close to right.
>
> Taylor Singletary
> Developer Advocate, Twitter
> http://twitter.com/episod
>
> On Wed, May 12, 2010 at 10:58 AM, DWF <dwfr...@pivotallabs.com> wrote:
> > We're trying this out now & think we're approved. But we're still seeing 401s when requesting a user token.
[twitter-dev] Re: Issues getting started with xAuth
It turns out that we have a base64 encoding problem, which means our signature actually is bad. Working on it now.

--dwf

On May 12, 1:06 pm, DWF <dwfr...@pivotallabs.com> wrote:
> We just coded up a simple Ruby script to make the same request, building our post body by hand into a string to ensure the escaping (or not) of the params. So we know that going into Net::HTTP the underscores are underscores and NOT %5F's.
>
> Same response from the server.
>
> --dwf
[twitter-dev] Re: Issues getting started with xAuth
Taylor:

Here's what we're sending now. The signature looks like the correct length. But we're getting the same error.

POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_signature_method=HMAC-SHA1, oauth_nonce=MToxOjQyOTY0NzEyNzM3MDMzMzQwMTU%3D, oauth_timestamp=1273703334, oauth_consumer_key=WFKpuxJsIdVbesPtUAN6w, oauth_version=1.0, oauth_signature=NU%2BLWGJ7lDm2DmPYKkT8P45YsZA%3D
Accept: application/json
Content-Length: 93
Content-Type: application/x-www-form-urlencoded

x%5Fauth%5Fusername=X&x%5Fauth%5Fpassword=X&x%5Fauth%5Fmode=client%5Fauth

HTTP/1.1 401 Unauthorized
Date: Wed, 12 May 2010 22:29:11 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1273703351-32476-1016
Last-Modified: Wed, 12 May 2010 22:29:11 GMT
X-Runtime: 0.01211
Content-Type: text/html; charset=utf-8
Content-Length: 44
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=74.207.226.80.1273703350241947; path=/; expires=Wed, 19-May-10 22:29:10 GMT; domain=.twitter.com
Set-Cookie: guest_id=127370335144417010; path=/; expires=Fri, 11 Jun 2010 22:29:11 GMT
Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCJXEoo4oAToRdHJhbnNfcHJvbXB0MDoHaWQi%250AJWUwNmRiODNlMDlmY2FhNzk3YTE1YWNlODFiMzllZDVjIgpmbGFzaElDOidB%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--a76c125e0d8422759ab95667e37db1decdc56861; domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close

Failed to validate oauth signature and token

On May 12, 2:56 pm, DWF <dwfr...@pivotallabs.com> wrote:
> It turns out that we have a base64 encoding problem, which means our signature actually is bad. Working on it now.
>
> --dwf