Re: [twitter-dev] Re: Invalid / used nonce

2010-07-31 Thread Malayil George
Hi,
   I've used CFUUID's (
http://developer.apple.com/mac/library/documentation/CoreFoundation/Reference/CFUUIDRef/Reference/reference.html).
Apple's documentation states they use a combination of ethernet address and
time to generate a unique id.


George


On Fri, Jul 30, 2010 at 8:53 PM, Tom allerleiga...@gmail.com wrote:

 Hi Mounir,

 I'm using this code myself, maybe you can transform it to the language
 you use.

 http://www.devonferns.com/cocoablog/?p=45

 Tom

 On Jul 30, 11:32 am, Mounir Regragui reg.mou...@gmail.com wrote:
  Hello Taylor!
 
  I don't think the error has something to do with the access token,
  because sometimes the error is thrown during my request to retrieve a
  Request Token.
  I'm afraid the error has something to do with encodings or something
  similar.
 
  Also, I would like to know if there is an advised way to generate
  the nonce value.
  I was using the formula of the OAuth library : it concatenates the
  timestamp and a random integer value, and then it applies a MD5 hash
  on it. Maybe you or someone else know another way that works to
  generate this value.
 
  Regards.
 
  Mounir Regragui
 
  On 29 juil, 18:15, Taylor Singletary taylorsinglet...@twitter.com
  wrote:
 
   Hi Mounir,
 
   In this case I'm fairly confident then that it's the Twitter API
   implementation of OAuth that's at fault here and these invalid nonce errors
   are spurious for you. While I hate to suggest working around bugs like this,
   it might be your best strategy -- if you encounter an invalid nonce error,
   pause for a few moments, regenerate the request with a different nonce and
   timestamp, and try again.

   If you find a case where it's repeatably throwing you this error, for
   example -- you notice that it only happens for a certain access token, or it
   only happens when you're using certain characters in the POST body or nonce
   -- then please bring it to our attention.

   Scalability projects, among other things, have prevented our engineering
   team from rolling out a reimplementation of our OAuth back end that will fix
   aggravating issues like these, among other things.

   Taylor

   On Thu, Jul 29, 2010 at 12:43 AM, Mounir Regragui reg.mou...@gmail.com wrote:
 
Hello everybody,
 
Yesterday I was exposing an issue I encountered.
My code was working perfectly, and then I started having a 401 error
code with this error message : <error>Invalid / used nonce</error>
when I make API calls.

I thought it was solved because yesterday I did some API calls that
made it through. However this issue is still here today.

Actually, when I make API calls (POST, GET or OAuth requests),
sometimes everything works fine, sometimes I have the Invalid / used
nonce error.

As I told Taylor yesterday, I am sure that the system time is
correct (because when I change it, nothing works), and because as I
said, when I try to send a request with the exact same code running,
sometimes it fails, sometimes it does not.

Here are dumps of the communications

I tried to send a tweet, had an error : http://pastebin.com/ur2JYtnM

A few seconds later, I run the exact same code and it is valid :
   http://pastebin.com/6knpLHBW
 
(I will reset my key and secret ^^)
 
I really do not know where the issue comes from, because the code was
running flawlessly last week!
 
Any kind of help appreciated.
 
Regards.
 
Mounir Regragui



[twitter-dev] Re: Invalid / used nonce

2010-07-30 Thread Mounir Regragui
Hello Taylor!

I don't think the error has something to do with the access token,
because sometimes the error is thrown during my request to retrieve a
Request Token.
I'm afraid the error has something to do with encodings or something
similar.

Also, I would like to know if there is an advised way to generate
the nonce value.
I was using the formula of the OAuth library : it concatenates the
timestamp and a random integer value, and then it applies a MD5 hash
on it. Maybe you or someone else know another way that works to
generate this value.

Regards.

Mounir Regragui

On 29 juil, 18:15, Taylor Singletary taylorsinglet...@twitter.com
wrote:
 Hi Mounir,

 In this case I'm fairly confident then that it's the Twitter API
 implementation of OAuth that's at fault here and these invalid nonce errors
 are spurious for you. While I hate to suggest working around bugs like this,
 it might be your best strategy -- if you encounter an invalid nonce error,
 pause for a few moments, regenerate the request with a different nonce and
 timestamp, and try again.

 If you find a case where it's repeatably throwing you this error, for
 example -- you notice that it only happens for a certain access token, or it
 only happens when you're using certain characters in the POST body or nonce
 -- then please bring it to our attention.

 Scalability projects, among other things, have prevented our engineering
 team from rolling out a reimplementation of our OAuth back end that will fix
 aggravating issues like these, among other things.

 Taylor

 On Thu, Jul 29, 2010 at 12:43 AM, Mounir Regragui reg.mou...@gmail.com wrote:

  Hello everybody,

  Yesterday I was exposing an issue I encountered.
  My code was working perfectly, and then I started having a 401 error
  code with this error message : <error>Invalid / used nonce</error>
  when I make API calls.

  I thought it was solved because yesterday I did some API calls that
  made it through. However this issue is still here today.

  Actually, when I make API calls (POST, GET or OAuth requests),
  sometimes everything works fine, sometimes I have the Invalid / used
  nonce error.

  As I told Taylor yesterday, I am sure that the system time is
  correct (because when I change it, nothing works), and because as I
  said, when I try to send a request with the exact same code running,
  sometimes it fails, sometimes it does not.

  Here are dumps of the communications

  I tried to send a tweet, had an error : http://pastebin.com/ur2JYtnM

  A few seconds later, I run the exact same code and it is valid :
  http://pastebin.com/6knpLHBW

  (I will reset my key and secret ^^)

  I really do not know where the issue comes from, because the code was
  running flawlessly last week!

  Any kind of help appreciated.

  Regards.

  Mounir Regragui
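
On the question in the message above about how to generate the nonce, an added example (not part of any poster's message and not code from an OAuth library): it contrasts a timestamp-seeded generator of the kind reported elsewhere in this thread with a CSPRNG nonce, checks both against a hypothetical server-side cache that applies the "about 5 minutes" timestamp window and per-key nonce uniqueness, and shows the back-off-and-regenerate retry. `NonceCache`, `send_with_retry` and the key `app-key` are assumptions made for illustration.

```python
import random
import secrets
import time

MAX_SKEW = 300  # seconds: "within about 5 minutes" of the server clock


def seeded_nonce(timestamp):
    """Weak pattern: a fresh PRNG seeded with the timestamp.

    Every per-user OAuth object that does this in the same second
    produces the same first value.
    """
    return str(random.Random(timestamp).getrandbits(32))


def secure_nonce():
    """128 bits from the OS CSPRNG, independent of the clock and of
    how many OAuth objects exist in the process."""
    return secrets.token_hex(16)


class NonceCache:
    """Hypothetical server-side check: reject stale timestamps, then
    reject any nonce already seen for this consumer key."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self.seen = {}  # (consumer_key, nonce) -> request timestamp

    def check(self, consumer_key, timestamp, nonce, now):
        if abs(now - timestamp) > self.max_skew:
            return "timestamp out of range"
        # Entries older than the window can be dropped: a replay of them
        # would already fail the timestamp test above.
        cutoff = now - self.max_skew
        self.seen = {k: ts for k, ts in self.seen.items() if ts >= cutoff}
        key = (consumer_key, nonce)
        if key in self.seen:
            return "invalid / used nonce"
        self.seen[key] = timestamp
        return "ok"


def send_with_retry(send, consumer_key, clock=time.time, attempts=3,
                    pause=time.sleep):
    """Client side: on a nonce error, back off, then rebuild the request
    with a fresh nonce AND a fresh timestamp before resubmitting."""
    result = None
    for attempt in range(1, attempts + 1):
        result = send(consumer_key, int(clock()), secure_nonce())
        if result != "invalid / used nonce":
            return result, attempt
        pause(attempt)  # 1 s, then 2 s, ...
    return result, attempts


def collision_demo(now=1250097596):
    """Two logged-in users of one app sign a request in the same second.

    The timestamp is a sample value; the consumer key is constructed.
    """
    cache = NonceCache()
    weak = [cache.check("app-key", now, seeded_nonce(now), now)
            for _ in range(2)]
    strong = [cache.check("app-key", now, secure_nonce(), now)
              for _ in range(2)]
    return weak, strong


if __name__ == "__main__":
    print(collision_demo())
```
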


[twitter-dev] Re: Invalid / used nonce

2010-07-30 Thread Tom
Hi Mounir,

I'm using this code myself, maybe you can transform it to the language
you use.

http://www.devonferns.com/cocoablog/?p=45

Tom

On Jul 30, 11:32 am, Mounir Regragui reg.mou...@gmail.com wrote:
 Hello Taylor!

 I don't think the error has something to do with the access token,
 because sometimes the error is thrown during my request to retrieve a
 Request Token.
 I'm afraid the error has something to do with encodings or something
 similar.

 Also, I would like to know if there is an advised way to generate
 the nonce value.
 I was using the formula of the OAuth library : it concatenates the
 timestamp and a random integer value, and then it applies a MD5 hash
 on it. Maybe you or someone else know another way that works to
 generate this value.

 Regards.

 Mounir Regragui

 On 29 juil, 18:15, Taylor Singletary taylorsinglet...@twitter.com
 wrote:

  Hi Mounir,

  In this case I'm fairly confident then that it's the Twitter API
  implementation of OAuth that's at fault here and these invalid nonce errors
  are spurious for you. While I hate to suggest working around bugs like this,
  it might be your best strategy -- if you encounter an invalid nonce error,
  pause for a few moments, regenerate the request with a different nonce and
  timestamp, and try again.

  If you find a case where it's repeatably throwing you this error, for
  example -- you notice that it only happens for a certain access token, or it
  only happens when you're using certain characters in the POST body or nonce
  -- then please bring it to our attention.

  Scalability projects, among other things, have prevented our engineering
  team from rolling out a reimplementation of our OAuth back end that will fix
  aggravating issues like these, among other things.

  Taylor

  On Thu, Jul 29, 2010 at 12:43 AM, Mounir Regragui reg.mou...@gmail.com wrote:

   Hello everybody,

   Yesterday I was exposing an issue I encountered.
   My code was working perfectly, and then I started having a 401 error
   code with this error message : <error>Invalid / used nonce</error>
   when I make API calls.

   I thought it was solved because yesterday I did some API calls that
   made it through. However this issue is still here today.

   Actually, when I make API calls (POST, GET or OAuth requests),
   sometimes everything works fine, sometimes I have the Invalid / used
   nonce error.

   As I told Taylor yesterday, I am sure that the system time is
   correct (because when I change it, nothing works), and because as I
   said, when I try to send a request with the exact same code running,
   sometimes it fails, sometimes it does not.

   Here are dumps of the communications

   I tried to send a tweet, had an error : http://pastebin.com/ur2JYtnM

   A few seconds later, I run the exact same code and it is valid :
   http://pastebin.com/6knpLHBW

   (I will reset my key and secret ^^)

   I really do not know where the issue comes from, because the code was
   running flawlessly last week!

   Any kind of help appreciated.

   Regards.

   Mounir Regragui


[twitter-dev] Re: Invalid / used nonce

2010-07-28 Thread Mounir Regragui
Hi Taylor.

First of all, thank you for the help :)

I am almost sure that this is not a Data issue. As I told you, this
error happens randomly (unfortunately, it happens very often, 80% of my
API calls return with this error today). Also, I did not modify the
code I used before, and it was just working flawlessly last week.
I did verify the Data in the HTTP header of the twitter response. It
is a GMT time. Normally, this should not be an issue, however, I tried
to change the time zone of my hardware to have a GMT time, and then
I have the same issue, only 20% of my API calls are correct.
Also, when I only change one of these, it doesn't work at all. So I
think the time of my hardware is not the issue here.

Or maybe it is because I'm in France, but, this should not be the
issue.

I also run my code on different machines : an Android emulator, and
several Android devices (Nexus One, Spica ...), and I always have the
same problem.


I was just about to send you a dump of the communication, but it seems
to be working again. (and again, I did not modify the code :) )
I will try again tomorrow, I hope it will be working.

Regards

On 28 juil, 17:27, Taylor Singletary taylorsinglet...@twitter.com
wrote:
 Hi Mounir,

 Two things to verify: one is that you are using a timestamp that is within
 about 5 minutes of our system clocks. We return the current time in a Date
 HTTP header with every request. Second, verify that you've never used the
 nonce you are creating for each request -- this is across all requests your
 API key makes.

 Are there different machines you run your code on when it works versus when
 it does not?

 Thanks,
 Taylor

 On Wed, Jul 28, 2010 at 8:12 AM, Mounir Regragui reg.mou...@gmail.com wrote:

  Hello guys!

  So I have this issue with Twitter Rest API.

  My application was working just fine, then, sometimes, when I try to
  call the api, I receive this error message

  <error>Invalid / used nonce</error>

  The same code runs, and sometimes it works, sometimes it does not.
  The error can occur during normal API calls (POST & GET) but also
  occurs when trying to authenticate with OAuth.

  I would like to know if there is a reason to this error, and if there
  is a way to solve this problem.
  Any help appreciated.

  Regards.

  Mounir Regragui


Re: [twitter-dev] Re: Invalid / used nonce

2010-07-28 Thread Taylor Singletary
I would recommend adding some kind of logging so that when you do get a
failed request, you know the following:
the POST body included in the failed request and the signature base string
prior to signing for OAuth.

There's a chance that a certain sequence of characters and UTF-8 characters
might be causing this issue and not nonces at all (which is obviously dumb
behavior, but not unheard of)

Taylor

On Wed, Jul 28, 2010 at 8:58 AM, Mounir Regragui reg.mou...@gmail.com wrote:

 Hi Taylor.

 First of all, thank you for the help :)

 I am almost sure that this is not a Data issue. As I told you, this
 error happens randomly (unfortunately, it happens very often, 80% of my
 API calls return with this error today). Also, I did not modify the
 code I used before, and it was just working flawlessly last week.
 I did verify the Data in the HTTP header of the twitter response. It
 is a GMT time. Normally, this should not be an issue, however, I tried
 to change the time zone of my hardware to have a GMT time, and then
 I have the same issue, only 20% of my API calls are correct.
 Also, when I only change one of these, it doesn't work at all. So I
 think the time of my hardware is not the issue here.

 Or maybe it is because I'm in France, but, this should not be the
 issue.

 I also run my code on different machines : an Android emulator, and
 several Android devices (Nexus One, Spica ...), and I always have the
 same problem.


 I was just about to send you a dump of the communication, but it seems
 to be working again. (and again, I did not modify the code :) )
 I will try again tomorrow, I hope it will be working.

 Regards

 On 28 juil, 17:27, Taylor Singletary taylorsinglet...@twitter.com
 wrote:
  Hi Mounir,

  Two things to verify: one is that you are using a timestamp that is within
  about 5 minutes of our system clocks. We return the current time in a Date
  HTTP header with every request. Second, verify that you've never used the
  nonce you are creating for each request -- this is across all requests your
  API key makes.

  Are there different machines you run your code on when it works versus when
  it does not?

  Thanks,
  Taylor

  On Wed, Jul 28, 2010 at 8:12 AM, Mounir Regragui reg.mou...@gmail.com wrote:

   Hello guys!

   So I have this issue with Twitter Rest API.

   My application was working just fine, then, sometimes, when I try to
   call the api, I receive this error message

   <error>Invalid / used nonce</error>

   The same code runs, and sometimes it works, sometimes it does not.
   The error can occur during normal API calls (POST & GET) but also
   occurs when trying to authenticate with OAuth.
 
   I would like to know if there is a reason to this error, and if there
   is a way to solve this problem.
   Any help appreciated.
 
   Regards.
 
   Mounir Regragui
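
The logging suggested in the message above (POST body plus signature base string for each failed request), as an added example that is not part of the original thread or of any OAuth library: it builds an OAuth 1.0 HMAC-SHA1 base string for a status containing UTF-8 and reserved characters, and shows how form-style `+` encoding of the same body yields a different base string and signature. The URL, keys, nonce and secret are constructed placeholders, and `failure_record` is a hypothetical helper.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, quote_plus

# Constructed sample request (placeholder host, key and nonce).
SAMPLE_URL = "https://api.example.test/statuses/update.xml"
SAMPLE_OAUTH = {
    "oauth_consumer_key": "ck-constructed",
    "oauth_nonce": "8f14e45fceea167a5a36dedd4bea2543",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1250097596",
    "oauth_version": "1.0",
}
SAMPLE_BODY = {"status": "café & tea"}


def pct(value):
    """OAuth 1.0 percent-encoding: UTF-8 bytes, only A-Z a-z 0-9 - . _ ~
    left unescaped, space as %20 (never '+')."""
    return quote(str(value), safe="~")


def form_encode(value):
    """Form-style encoding (space becomes '+'): fine for the wire body,
    wrong for the signature base string."""
    return quote_plus(str(value))


def signature_base_string(method, url, params, encode=pct):
    """METHOD & encoded URL & encoded, sorted parameter string."""
    pairs = sorted((encode(k), encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def failure_record(status_code, method, url, oauth_params, body_params):
    """What to keep for a failed request: the POST body and the base
    string. Secrets and the signing key never enter the record."""
    base = signature_base_string(method, url, {**oauth_params, **body_params})
    return {
        "status": status_code,
        "post_body": dict(body_params),
        "base_string": base,
    }


def encoding_mismatch_demo(consumer_secret="cs-constructed"):
    """Same request signed with correct and with '+'-style encoding."""
    params = {**SAMPLE_OAUTH, **SAMPLE_BODY}
    good = signature_base_string("POST", SAMPLE_URL, params)
    bad = signature_base_string("POST", SAMPLE_URL, params, encode=form_encode)
    return sign(good, consumer_secret), sign(bad, consumer_secret)


if __name__ == "__main__":
    print(failure_record(401, "POST", SAMPLE_URL, SAMPLE_OAUTH, SAMPLE_BODY))
    print(encoding_mismatch_demo())
```
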



[twitter-dev] Re: Invalid / used nonce but only for certain user names?

2010-05-20 Thread David Novakovic
Hey,

We are getting this error, but Twitter is also sending back a valid
response.

To clarify, if we post an update, the update appears in the timeline
but twitter returns a 401 error code (with the nonce message).

Same applies to friends timeline sometimes too.

Cheers

David
http://m.tweete.net

On Apr 30, 12:46 am, Taylor Singletary taylorsinglet...@twitter.com
wrote:
 We have a weird error condition in the OAuth implementation right now that
 throws invalid nonce errors when it's not necessarily the issue. We're still
 tracking what exactly causes this down, but believe that it's not applicable
 to the OAuth implementation rewrite we'll soon be rolling out.

 In the meantime, when you get this error and you're fairly certain you've
 never used the nonce before, if you can provide a signature base string and
 authorization header corresponding to the failed request it will give us
 better visibility into possible causation.

 Thanks!

 Taylor Singletary
 Developer Advocate, Twitter
 http://twitter.com/episod



 On Wed, Apr 28, 2010 at 7:15 PM, Dewald Pretorius dpr...@gmail.com wrote:
  Cory,

  I have had similar issues. When you get that 401 error, you need to
  back off for a second or two, recalculate the nonce, and then resubmit
  the request.

  On Apr 28, 10:52 pm, Cory cory.imdi...@gmail.com wrote:
   Anyone have any ideas about this? I'm really not sure where to go or
   what to check from here, and I need to get this taken care of. Any
   information would be appreciated!


Re: [twitter-dev] Re: Invalid / used nonce but only for certain user names?

2010-04-29 Thread Taylor Singletary
We have a weird error condition in the OAuth implementation right now that
throws invalid nonce errors when it's not necessarily the issue. We're still
tracking what exactly causes this down, but believe that it's not applicable
to the OAuth implementation rewrite we'll soon be rolling out.

In the meantime, when you get this error and you're fairly certain you've
never used the nonce before, if you can provide a signature base string and
authorization header corresponding to the failed request it will give us
better visibility into possible causation.

Thanks!

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Wed, Apr 28, 2010 at 7:15 PM, Dewald Pretorius dpr...@gmail.com wrote:

 Cory,

 I have had similar issues. When you get that 401 error, you need to
 back off for a second or two, recalculate the nonce, and then resubmit
 the request.

 On Apr 28, 10:52 pm, Cory cory.imdi...@gmail.com wrote:
  Anyone have any ideas about this? I'm really not sure where to go or
  what to check from here, and I need to get this taken care of. Any
  information would be appreciated!



[twitter-dev] Re: Invalid / used nonce but only for certain user names?

2010-04-28 Thread Cory
Anyone have any ideas about this? I'm really not sure where to go or
what to check from here, and I need to get this taken care of. Any
information would be appreciated!


[twitter-dev] Re: Invalid / used nonce but only for certain user names?

2010-04-28 Thread Dewald Pretorius
Cory,

I have had similar issues. When you get that 401 error, you need to
back off for a second or two, recalculate the nonce, and then resubmit
the request.

On Apr 28, 10:52 pm, Cory cory.imdi...@gmail.com wrote:
 Anyone have any ideas about this? I'm really not sure where to go or
 what to check from here, and I need to get this taken care of. Any
 information would be appreciated!


[twitter-dev] Re: Invalid / used nonce

2009-08-12 Thread Zaudio

My trial has worked so far today... not a single invalid nonce
error but it's only been 12 hours

Simon

On Aug 12, 12:59 pm, Rob O'Brien r...@zepoid.com wrote:
 The interesting thing with my situation is that I'm still in development, so
 there's only a single person (me) hitting the app. Further, I'm only
 attempting a single call to Twitter.

 Also, I get a 401 on everything that requires authentication, but not on
 something like a rateLimitStatus check.

 Further, a call to /followers/ids.xml *works* on my local dev box, but not
 on the production server. The only difference I can think of would be IP
 address.

 I've been able to trace 3 separate requests being generated by Twitter4J and
 here are the values:

 [Wed Aug 12 10:19:56 PDT 2009]
 oauth_timestamp=1250097596,oauth_nonce=329444963

 [Wed Aug 12 10:20:20 PDT 2009]
 oauth_timestamp=1250097620,oauth_nonce=173112023

 [Wed Aug 12 10:24:39 PDT 2009]
 oauth_timestamp=1250097879,oauth_nonce=3202768030

 Each timestamp is larger than the last and each nonce is unique.

 Knowing that my values are legit makes me think there's another problem, but
 Twitter hasn't responded to my api@ email.

 Rob O'Brien
 Web Application Developer  Consultant
 r...@zepoid.com



 -Original Message-
 From: twitter-development-talk@googlegroups.com

 [mailto:twitter-development-t...@googlegroups.com] On Behalf Of Zaudio
 Sent: Tuesday, August 11, 2009 12:04 PM
 To: Twitter Development Talk
 Subject: [twitter-dev] Re: Invalid / used nonce

 We're having the same issue in our app, occurs sporadically in our
 logs - but I believe the cause with us is that:

 We're generating nonce values as a timestamp seeded sequence of random
 numbers
 We're creating an instance of the Oauth class that does this for each
 logged in user for the app

 Thus, for a single timestamp, it IS possible that the time seeded nonce values
 are the same

 So - corrective action being trialled: I'm prefixing the 'random' nonce value
 with the userID stripped from the start of the token,
 padded to a fixed length of chars... this should guarantee then that
 the nonce/timestamp combo is indeed unique for every request made from
 our app

 Simon

 On Aug 11, 6:45 am, Dan Borthwick dan.borthw...@playfish.com wrote:
  For our app, we successfully call request_token from our server. When
  we then call statuses/update from the client, we get a 401 'Invalid /
  used nonce' response. If the request_token call comes directly from
  the client, the update call succeeds.

  The nonces have been sanity checked and are definitely different for
  each call. GET requests to users/show succeed regardless of whether
  the request_token comes from the proxy server or client. Code is based
  on MGTwitterEngine-1.0.8-OAuth.

  The same code was working ok prior to the recent DoS downtime. Perhaps
  something has been changed on Twitter's side that might result in the
  401 response?

  On Aug 11, 8:38 am, graceawalker grace_blo...@hotmail.com wrote:

   No, my nonce is definitely new every time. Surely if there was
   something wrong with the way it was being generated it would error
   during requestToken/accessToken/VerifyCredentials too?? All the code
   I've looked through is doing it exactly the same way. Is the 'status'
   parameter being used just like all the oauth parameters? is an
   'invalid nonce' error, definitely an invalid nonce or could it be to
   do with the timestamp and timezones. Clutching at straws here...

   On Aug 11, 3:12 am, Chris Babcock cbabc...@asciiking.com wrote:

On Mon, 10 Aug 2009 04:14:43 -0700 (PDT)

graceawalker grace_blo...@hotmail.com wrote:
 I am calling and getting the whole way up to getting the access token
 just fine in my app (one I'm writing myself in C#), but when I try and
 call the update status URL I'm getting an 'Invalid/used nonce' error in
 my response data. I'm not sure why this is, I'm calling the update
 method in the exact same way that I called request token apart from
 the new 'status' parameter in the query string. I call 'verify
 credentials' with my access token to ensure that it is working and it
 sends me back all of the correct data, but it is erroring when trying
 to update my status. Is there any obvious solution to this, or am I
 not supposed to be signing and organising the parameters in the same
 way that I did before? I'm really stuck here guys and need help!

Right, the nonce is a number used once. Its purpose is to prevent
replay attacks. If you use the same nonce for more than one call to the
API then you *should* be getting an error.

Chris


[twitter-dev] Re: Invalid / used nonce

2009-08-11 Thread graceawalker

No, my nonce is definitely new every time. Surely if there was
something wrong with the way it was being generated it would error
during requestToken/accessToken/VerifyCredentials too?? All the code
I've looked through is doing it exactly the same way. Is the 'status'
parameter being used just like all the oauth parameters? is an
'invalid nonce' error, definitely an invalid nonce or could it be to
do with the timestamp and timezones. Clutching at straws here...

On Aug 11, 3:12 am, Chris Babcock cbabc...@asciiking.com wrote:
 On Mon, 10 Aug 2009 04:14:43 -0700 (PDT)

 graceawalker grace_blo...@hotmail.com wrote:
  I am calling and getting the whole way up to getting the access token
  just fine in my app (one I'm writing myself in C#), but when I try and
  call the update status URL I'm getting an 'Invalid/used nonce' error in
  my response data. I'm not sure why this is, I'm calling the update
  method in the exact same way that I called request token apart from
  the new 'status' parameter in the query string. I call 'verify
  credentials' with my access token to ensure that it is working and it
  sends me back all of the correct data, but it is erroring when trying
  to update my status. Is there any obvious solution to this, or am I
  not supposed to be signing and organising the parameters in the same
  way that I did before? I'm really stuck here guys and need help!

 Right, the nonce is a number used once. Its purpose is to prevent
 replay attacks. If you use the same nonce for more than one call to the
 API then you *should* be getting an error.

 Chris


[twitter-dev] Re: Invalid / used nonce

2009-08-11 Thread graceawalker

I've only been trying since Friday...do you have any problems calling
verifyCredentials or any other methods??

On Aug 10, 4:43 pm, Rob O'Brien r...@zepoid.com wrote:
 I'm getting the same response. All weekend, I chalked it up to being an
 issue during recovery of the systems, but I'm still seeing it this morning
 on 100% of my calls. It was working before the attack.

 401:Authentication credentials were missing or incorrect. <?xml
 version="1.0" encoding="UTF-8"?> <hash>
 <request>/followers/ids.xml</request> <error>Invalid / used nonce</error>
 </hash>

 Rob O'Brien
 Web Application Developer  Consultant
 r...@zepoid.com



 -Original Message-
 From: twitter-development-talk@googlegroups.com

 [mailto:twitter-development-t...@googlegroups.com] On Behalf Of graceawalker
 Sent: Monday, August 10, 2009 6:15 AM
 To: Twitter Development Talk
 Subject: [twitter-dev] Invalid / used nonce

 I am calling and getting the whole way up to getting the access token
 just fine in my app (one I'm writing myself in C#), but when I try and
 call the update status URL I'm getting an 'Invalid/used nonce' error in
 my response data. I'm not sure why this is, I'm calling the update
 method in the exact same way that I called request token apart from
 the new 'status' parameter in the query string. I call 'verify
 credentials' with my access token to ensure that it is working and it
 sends me back all of the correct data, but it is erroring when trying
 to update my status. Is there any obvious solution to this, or am I
 not supposed to be signing and organising the parameters in the same
 way that I did before? I'm really stuck here guys and need help!


[twitter-dev] Re: Invalid / used nonce

2009-08-11 Thread Dan Borthwick

For our app, we successfully call request_token from our server. When
we then call statuses/update from the client, we get a 401 'Invalid /
used nonce' response. If the request_token call comes directly from
the client, the update call succeeds.

The nonces have been sanity checked and are definitely different for
each call. GET requests to users/show succeed regardless of whether
the request_token comes from the proxy server or client. Code is based
on MGTwitterEngine-1.0.8-OAuth.

The same code was working ok prior to the recent DoS downtime. Perhaps
something has been changed on Twitter's side that might result in the
401 response?



On Aug 11, 8:38 am, graceawalker grace_blo...@hotmail.com wrote:
 No, my nonce is definitely new every time. Surely if there was
 something wrong with the way it was being generated it would error
 during requestToken/accessToken/VerifyCredentials too?? All the code
 I've looked through is doing it exactly the same way. Is the 'status'
 parameter being used just like all the oauth parameters? is an
 'invalid nonce' error, definitely an invalid nonce or could it be to
 do with the timestamp and timezones. Clutching at straws here...

 On Aug 11, 3:12 am, Chris Babcock cbabc...@asciiking.com wrote:

  On Mon, 10 Aug 2009 04:14:43 -0700 (PDT)

  graceawalker grace_blo...@hotmail.com wrote:
   I am calling and getting the whole way up to getting the access token
   just fine in my app (one I'm writing myself in C#), but when I try and
   call the update status URL I'm getting an 'Invalid/used nonce' error in
   my response data. I'm not sure why this is, I'm calling the update
   method in the exact same way that I called request token apart from
   the new 'status' parameter in the query string. I call 'verify
   credentials' with my access token to ensure that it is working and it
   sends me back all of the correct data, but it is erroring when trying
   to update my status. Is there any obvious solution to this, or am I
   not supposed to be signing and organising the parameters in the same
   way that I did before? I'm really stuck here guys and need help!

  Right, the nonce is a number used once. Its purpose is to prevent
  replay attacks. If you use the same nonce for more than one call to the
  API then you *should* be getting an error.

  Chris




[twitter-dev] Re: Invalid / used nonce

2009-08-11 Thread Dan

We have also been seeing similar behaviour for our iPhone app based on
MGTwitterEngine-1.0.8-OAuth.

If we call request_token from the client followed by statuses/update,
everything works ok. However, if we send the request_token from our
server, then statuses/update from the client, a 401 Invalid / used
nonce is returned.

GET requests to users/show work in either case.

The same code was working ok prior to the recent DoS problems, so
perhaps something has changed on Twitter's side?


On Aug 11, 8:38 am, graceawalker grace_blo...@hotmail.com wrote:
 No, my nonce is definitely new every time. Surely if there was
 something wrong with the way it was being generated it would error
 during requestToken/accessToken/VerifyCredentials too?? All the code
 I've looked through is doing it exactly the same way. Is the 'status'
 parameter being used just like all the oauth parameters? is an
 'invalid nonce' error, definitely an invalid nonce or could it be to
 do with the timestamp and timezones. Clutching at straws here...

 On Aug 11, 3:12 am, Chris Babcock cbabc...@asciiking.com wrote:

  On Mon, 10 Aug 2009 04:14:43 -0700 (PDT)

  graceawalker grace_blo...@hotmail.com wrote:
   I am calling and getting the whole way up to getting the access token
   just fine in my app (one I'm writing myself in C#), but when I try and
   call the update status URL I'm getting an 'Invalid/used nonce' error in
   my response data. I'm not sure why this is, I'm calling the update
   method in the exact same way that I called request token apart from
   the new 'status' parameter in the query string. I call 'verify
   credentials' with my access token to ensure that it is working and it
   sends me back all of the correct data, but it is erroring when trying
   to update my status. Is there any obvious solution to this, or am I
   not supposed to be signing and organising the parameters in the same
   way that I did before? I'm really stuck here guys and need help!

  Right, the nonce is a number used once. Its purpose is to prevent
  replay attacks. If you use the same nonce for more than one call to the
  API then you *should* be getting an error.

  Chris


[twitter-dev] Re: Invalid / used nonce

2009-08-11 Thread Zaudio

We're having the same issue in our app, occurs sporadically in our
logs - but I believe the cause with us is that:

We're generating nonce values as a timestamp seeded sequence of random
numbers
We're creating an instance of the Oauth class that does this for each
logged in user for the app

Thus, for a single timestamp, it IS possible that the time seeded
nonce values are the same

So - corrective action being trialled: I'm prefixing the 'random'
nonce value with the userID stripped from the start of the token,
padded to a fixed length of chars... this should guarantee then that
the nonce/timestamp combo is indeed unique for every request made from
our app 


Simon

On Aug 11, 6:45 am, Dan Borthwick dan.borthw...@playfish.com wrote:
 For our app, we successfully call request_token from our server. When
 we then call statuses/update from the client, we get a 401 'Invalid /
 used nonce' response. If the request_token call comes directly from
 the client, the update call succeeds.

 The nonces have been sanity checked and are definitely different for
 each call. GET requests to users/show succeed regardless of whether
 the request_token comes from the proxy server or client. Code is based
 on MGTwitterEngine-1.0.8-OAuth.

 The same code was working ok prior to the recent DoS downtime. Perhaps
 something has been changed on Twitter's side that might result in the
 401 response?

 On Aug 11, 8:38 am, graceawalker grace_blo...@hotmail.com wrote:



  No, my nonce is definitely new every time. Surely if there was
  something wrong with the way it was being generated it would error
  during requestToken/accessToken/VerifyCredentials too?? All the code
  I've looked through is doing it exactly the same way. Is the 'status'
  parameter being used just like all the oauth parameters? Is an
  'invalid nonce' error definitely an invalid nonce, or could it be to
  do with the timestamp and timezones. Clutching at straws here...

  On Aug 11, 3:12 am, Chris Babcock cbabc...@asciiking.com wrote:

   On Mon, 10 Aug 2009 04:14:43 -0700 (PDT)

   graceawalker grace_blo...@hotmail.com wrote:
I am calling and getting the whole way up to getting the access token
just fine in my app (one I'm writing myself in C#), but when I try and
call the update status URL I'm getting an 'Invalid/used nonce' error in
my response data. I'm not sure why this is, I'm calling the update
method in the exact same way that I called request token apart from
the new 'status' parameter in the query string. I call 'verify
credentials' with my access token to ensure that it is working and it
sends me back all of the correct data, but it is erroring when trying
to update my status. Is there any obvious solution to this, or am I
not supposed to be signing and organising the parameters in the same
way that I did before? I'm really stuck here guys and need help!

   Right, the nonce is a number used once. Its purpose is to prevent
   replay attacks. If you use the same nonce for more than one call to the
   API then you *should* be getting an error.

   Chris


[twitter-dev] Re: Invalid / used nonce

2009-08-10 Thread Rob O'Brien

I'm getting the same response. All weekend, I chalked it up to being an
issue during recovery of the systems, but I'm still seeing it this morning
on 100% of my calls. It was working before the attack.

401:Authentication credentials were missing or incorrect. <?xml
version="1.0" encoding="UTF-8"?> <hash>
<request>/followers/ids.xml</request> <error>Invalid / used nonce</error>
</hash>

Rob O'Brien
Web Application Developer  Consultant
r...@zepoid.com
  
  
 

-Original Message-
From: twitter-development-talk@googlegroups.com
[mailto:twitter-development-t...@googlegroups.com] On Behalf Of graceawalker
Sent: Monday, August 10, 2009 6:15 AM
To: Twitter Development Talk
Subject: [twitter-dev] Invalid / used nonce


I am calling and getting the whole way up to getting the access token
just fine in my app (one I'm writing myself in C#), but when I try and
call the update status URL I'm getting an 'Invalid/used nonce' error in
my response data. I'm not sure why this is, I'm calling the update
method in the exact same way that I called request token apart from
the new 'status' parameter in the query string. I call 'verify
credentials' with my access token to ensure that it is working and it
sends me back all of the correct data, but it is erroring when trying
to update my status. Is there any obvious solution to this, or am I
not supposed to be signing and organising the parameters in the same
way that I did before? I'm really stuck here guys and need help!



[twitter-dev] Re: Invalid / used nonce

2009-08-10 Thread Chris Babcock

On Mon, 10 Aug 2009 04:14:43 -0700 (PDT)
graceawalker grace_blo...@hotmail.com wrote:

 I am calling and getting the whole way up to getting the access token
 just fine in my app (one I'm writing myself in C#), but when I try and
 call the update status URL I'm getting an 'Invalid/used nonce' error in
 my response data. I'm not sure why this is, I'm calling the update
 method in the exact same way that I called request token apart from
 the new 'status' parameter in the query string. I call 'verify
 credentials' with my access token to ensure that it is working and it
 sends me back all of the correct data, but it is erroring when trying
 to update my status. Is there any obvious solution to this, or am I
 not supposed to be signing and organising the parameters in the same
 way that I did before? I'm really stuck here guys and need help!

Right, the nonce is a number used once. Its purpose is to prevent
replay attacks. If you use the same nonce for more than one call to the
API then you *should* be getting an error.

Chris
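
Added example (not code from any poster in this thread or from Twitter): a model of the replay check Chris describes, run against the per-user, clock-seeded nonce generator Zaudio describes and against a CSPRNG-based one. All class and function names are hypothetical; the uniqueness scope (consumer key, token, timestamp, nonce) follows RFC 5849, while the 300-second skew window, the "app-key" value and the timestamp are assumptions constructed for the demonstration.

```python
import random
import secrets

class TimeSeededClient:
    """Model of the scheme in Zaudio's message (hypothetical class, not their code):
    one OAuth instance per logged-in user, each seeding its PRNG from the clock."""
    def __init__(self, created_at: int):
        self._rng = random.Random(created_at)   # same second => same seed

    def nonce(self) -> str:
        return "%016x" % self._rng.getrandbits(64)

class CsprngClient:
    """Nonce drawn from the OS CSPRNG, independent of clock and instance."""
    def nonce(self) -> str:
        return secrets.token_hex(16)

class NonceStore:
    """Provider-side replay check. Scope and skew window are assumptions."""
    def __init__(self, max_skew: int = 300):
        self._seen = set()
        self._max_skew = max_skew

    def accept(self, consumer_key, token, timestamp, nonce, now) -> bool:
        if abs(now - timestamp) > self._max_skew:
            return False                         # stale timestamp, e.g. a clock off by a timezone
        key = (consumer_key, token, timestamp, nonce)
        if key in self._seen:
            return False                         # "Invalid / used nonce"
        self._seen.add(key)
        return True

def request_tokens(clients, now):
    """Each client makes one request_token call (no token yet) in the same second."""
    store = NonceStore()
    return [store.accept("app-key", "", now, c.nonce(), now) for c in clients]

def demo():
    now = 1249990000                             # constructed Unix timestamp
    weak = request_tokens([TimeSeededClient(now), TimeSeededClient(now)], now)
    strong = request_tokens([CsprngClient(), CsprngClient()], now)
    return weak, strong

if __name__ == "__main__":
    print(demo())
```

Two clock-seeded instances created in the same second emit the same first nonce, so the second user's request_token call is rejected even though neither request was replayed.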