Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-05-20 Thread Mike Dice
Thanks a lot Cameron! I was just sitting down to write my lib, planning on
doing as you suggest below.

On Thu, May 20, 2010 at 5:06 PM, Cameron Kaiser wrote:

> > I will write my own if I have to. But before I do, I'd like to understand as
> > many details as possible about the specifics of Twitter's RFC 3986 behavior.
>
> This is the regex I'm using, which is known to work:
>
> $x =~ s/([^-0-9a-zA-Z._~])/"%".uc(unpack("H2",$1))/eg;
>
> In short, letters, numbers, and the set of -._~ are NOT URL encoded.
> Everything else is.
>
> Note this routine is not 100% UTF-8 safe as written; I have other code
> that handles that, so you may need to do that as your library warrants.
>
> --
>  personal:
> http://www.cameronkaiser.com/ --
>  Cameron Kaiser * Floodgap Systems * www.floodgap.com *
> ckai...@floodgap.com
> -- People are weird. -- Law & Order SVU
> ---
>


Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-05-20 Thread Cameron Kaiser
> I will write my own if I have to. But before I do, I'd like to understand as
> many details as possible about the specifics of Twitter's RFC 3986 behavior.

This is the regex I'm using, which is known to work:

$x =~ s/([^-0-9a-zA-Z._~])/"%".uc(unpack("H2",$1))/eg;

In short, letters, numbers, and the set of -._~ are NOT URL encoded. 
Everything else is.

Note this routine is not 100% UTF-8 safe as written; I have other code
that handles that, so you may need to do that as your library warrants.

-- 
 personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- People are weird. -- Law & Order SVU ---


Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-05-20 Thread Mike Dice
I will write my own if I have to. But before I do, I'd like to understand as
many details as possible about the specifics of Twitter's RFC 3986 behavior.
In my experience with RFC specs, they usually provide a lot of detail but
they almost always leave some of those details to be interpreted by
implementors and those interpretations are not always the same. No spec is
perfect.

On Thu, May 20, 2010 at 1:28 PM, Cameron Kaiser wrote:

> > FYI - I am writing a .Net based library and so I currently use
> > System.Uri.EscapeDataString
> > <http://msdn.microsoft.com/en-us/library/system.uri.escapedatastring.aspx>
> > to do my escaping
>
> I don't know what that routine is, but if it's not RFC 3986 compliant, it
> won't work. You might want to roll your own, it's a couple lines of code
> and a regex.
>
> --
>  personal:
> http://www.cameronkaiser.com/ --
>  Cameron Kaiser * Floodgap Systems * www.floodgap.com *
> ckai...@floodgap.com
> -- "EH! STEVE!"
> ---
>


Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-05-20 Thread Kathy ann Scott
my code 401 . 






From: Cameron Kaiser 
To: twitter-development-talk@googlegroups.com
Sent: Thu, May 20, 2010 1:28:44 PM
Subject: Re: [twitter-dev] Re: Incorrect signature when calling update url   
/1/statuses/update.xml

> FYI - I am writing a .Net based library and so I currently use
> System.Uri.EscapeDataString <http://msdn.microsoft.com/en-us/library/system.uri.escapedatastring.aspx> to
> do my escaping

I don't know what that routine is, but if it's not RFC 3986 compliant, it
won't work. You might want to roll your own, it's a couple lines of code
and a regex.

-- 
 personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- "EH! STEVE!" ---



  

Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-05-20 Thread Cameron Kaiser
> FYI - I am writing a .Net based library and so I currently use
> System.Uri.EscapeDataString to
> do my escaping

I don't know what that routine is, but if it's not RFC 3986 compliant, it
won't work. You might want to roll your own, it's a couple lines of code
and a regex.

-- 
 personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- "EH! STEVE!" ---


Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-05-20 Thread Taylor Singletary
Hi Onn,

It's best to consider all space characters as %20 when building both your
POST body and signature base string -- instead of using " " or "+", just get
right down to it as "%20".

I'll show you how a pretty varied string of characters would be correctly
encoded both for the POST body and signature base string:

Given that you want to set a status that says: "I can tweet many kinds of
characters ! (* $ @ 漢字 عربي)"

Your POST body should have that string encoded as:

status=I%20can%20tweet%20many%20kinds%20of%20characters%20%21%20%28%2A%20%24%20%40%20%E6%BC%A2%E5%AD%97%20%D8%B9%D8%B1%D8%A8%D9%8A%29

Which when passed into your Signature Base String will get URL escaped
again:

POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.xml&oauth_consumer_key%3Dri8JxYK2ddwSV5xIUfNNvQ%26oauth_nonce%3DFt6p0YgKlI2Htdk3WLE4mthwQXVpWc9Nv9ApzoQKUg%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1274362505%26oauth_token%3D119476949-gF0B5O1Wwa2UqqIwopAhQtQVTzmfSIOSiHQS7Vf8%26oauth_version%3D1.0%26status%3DI%2520can%2520tweet%2520many%2520kinds%2520of%2520characters%2520%2521%2520%2528%252A%2520%2524%2520%2540%2520%25E6%25BC%25A2%25E5%25AD%2597%2520%25D8%25B9%25D8%25B1%25D8%25A8%25D9%258A%2529

The Content-Length for that fully-encoded POST body will be: 69

And when Twitter spits the status back at you, in my case in XML:


  Thu May 20 13:35:04 + 2010
  14361447181
  I can tweet many kinds of characters ! (* $ @ 漢字 عربي)
  Crying Indian
  false
  
  
  false
  
  
119476949
OAuth Dancer
oauth_dancer
San Francisco, CA


http://a3.twimg.com/profile_images/730275945/oauth-dancer_normal.jpg

http://bit.ly/oauth-dancer
false
11
C0DEED
33
0084B4
DDEEF6
C0DEED
11
Wed Mar 03 19:37:35 + 2010
0



http://a3.twimg.com/profile_background_images/80151733/oauth-dance.png

true
false
false
false
false
31
en
false
  
  
  
  
  


Hope this helps.

Taylor

On Thu, May 20, 2010 at 5:03 AM, Onn E  wrote:

> Hi Taylor,
>
> I am using Curl to update status.
> I use POST method.
> The new status is not included in the headers, but is included in the
> POST body and in the signature base string.
> Also (and this Curl does automatically for me) I am sending the
> following header:
>  Content-Type: application/x-www-form-urlencoded.
> My new status value is URL encoded (UTF-8).
>
> And now to the business itself:
> I know my signature method is correct since I am able to update single
> word statuses with no special characters, such as: "hello", "ok",
> "magnificent" and such. They work just fine.
> But when trying to update statuses with characters such as: " ", "!",
> "@". It will throw me with a 401:
>  {"request":"/1/statuses/update.json","error":"Incorrect
> signature"}
>
> I'm attaching here the curl verbose:
>
>
>
> "
>
> curl -v -X POST -H 'Authorization: OAuth
> oauth_nonce="5671352764895675466", oauth_signature_method="HMAC-SHA1",
> oauth_timestamp="1274355202", oauth_consumer="**",
> oauth_signature="**",
> oauth_version="1.0",
> oauth_token="**"' -d
> "status=magnificent" https://api.twitter.com/1/statuses/update.json
> * About to connect() to api.twitter.com port 443 (#0)
> *   Trying 128.242.240.61... connected
> * Connected to api.twitter.com (128.242.240.61) port 443 (#0)
> * successfully set certificate verify locations:
> *   CAfile: none
>  CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS handshake, Server finished (14):
> * SSLv3, TLS handshake, Client key exchange (16):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSLv3, TLS change cipher, Client hello (1):
> * SSLv3, TLS handshake, Finished (20):
> * SSL connection using AES256-SHA
> * Server certificate:
> *subject: C=US; O=*.twitter.com; OU=GT57932074; OU=See
> www.rapidssl.com/resources/cps (c)09; OU=Domain Control Validated -
> RapidSSL(R); CN=*.twitter.com
> *start date: 2009-05-26 12:14:57 GMT
> *expire date: 2010-07-27 06:10:16 GMT
> *common name: *.twitter.com (matched)
> *issuer: C=US; O=Equifax Secure Inc.; CN=Equifax Secure Global
> eBusiness CA-1
> *SSL certificate verify ok.
> > POST /1/statuses/update.json HTTP/1.1
> > User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k
> zlib/1.2.3.3 libidn/1.15
> > Host: api.twitter.com
> > Accept: */*
> > Authorization: OAuth oauth_nonce="5671352764895675466",
> oauth_signature_method="HMAC-SHA1", oauth_timestamp="1274355202",
> oauth_consumer_key="**",
> oauth_signature="**",
> oauth_version="1.0", oauth_token="*
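
Added example (not part of any message in this thread): a Python version of the RFC 3986 escaping Cameron describes, made UTF-8 safe by escaping bytes rather than characters, together with the signature base string Taylor walks through. The consumer key, nonce, timestamp and token are the ones shown in Taylor's message; the two secrets are constructed placeholders, and `quote_plus` stands in for any form-style encoder that writes a space as "+".

```python
import base64
import hashlib
import hmac
from urllib.parse import quote_plus

# RFC 3986 "unreserved" bytes: the only ones OAuth 1.0 leaves unescaped.
UNRESERVED = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def percent_encode(value: str) -> str:
    """UTF-8 encode first, then write every byte outside the unreserved
    set as %XX with uppercase hex. Working on bytes keeps it UTF-8 safe."""
    return "".join(
        chr(b) if b in UNRESERVED else "%{:02X}".format(b)
        for b in value.encode("utf-8")
    )


def form_body(params: dict, encode=percent_encode) -> str:
    """application/x-www-form-urlencoded POST body."""
    return "&".join(f"{encode(k)}={encode(v)}" for k, v in params.items())


def signature_base_string(method, url, params, encode=percent_encode):
    """METHOD & escaped URL & escaped(sorted, escaped parameter string).
    `encode` models how the client escaped each key and value; the outer
    escaping pass is always RFC 3986."""
    pairs = sorted((encode(k), encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join(
        [method.upper(), percent_encode(url), percent_encode(normalized)]
    )


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with the two escaped secrets."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    digest = hmac.new(
        key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1
    ).digest()
    return base64.b64encode(digest).decode("ascii")


# Values taken from Taylor's message. The non-ASCII part of the status is
# written with escapes so the exact code points are unambiguous.
URL = "http://api.twitter.com/1/statuses/update.xml"
STATUS = (
    "I can tweet many kinds of characters ! (* $ @ "
    "\u6f22\u5b57 \u0639\u0631\u0628\u064a)"
)
OAUTH_PARAMS = {
    "oauth_consumer_key": "ri8JxYK2ddwSV5xIUfNNvQ",
    "oauth_nonce": "Ft6p0YgKlI2Htdk3WLE4mthwQXVpWc9Nv9ApzoQKUg",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1274362505",
    "oauth_token": "119476949-gF0B5O1Wwa2UqqIwopAhQtQVTzmfSIOSiHQS7Vf8",
    "oauth_version": "1.0",
}
# Constructed placeholders: the real secrets are not in the thread.
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"


def compare_encoders():
    """Sign the same request with RFC 3986 escaping and with '+' for spaces."""
    params = dict(OAUTH_PARAMS, status=STATUS)
    out = {}
    for name, encode in (("rfc3986", percent_encode), ("form_plus", quote_plus)):
        base = signature_base_string("POST", URL, params, encode)
        out[name] = {
            "body": form_body({"status": STATUS}, encode),
            "base": base,
            "signature": hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET),
        }
    return out


if __name__ == "__main__":
    for name, result in compare_encoders().items():
        print(name)
        print("  body:     ", result["body"])
        print("  base:     ", result["base"])
        print("  signature:", result["signature"])
```

A client that signs the "+" form while the server decodes the body to a real space and rebuilds the base string with %2520 ends up with two different signatures, which is the "Incorrect signature" 401 reported in this thread.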

Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-05-17 Thread pablo fernandez
Good to hear that you got it working! :D

Oh and it's "Pablo" by the way, hehehe.

On Mon, May 17, 2010 at 1:34 PM, Gero  wrote:

> Got it solved now. I upgraded to the 0.6.6 version and added the
> status update as a body parameter (instead of header). (Pable gave me
> that tip).
>
> The working (Scala) code is now:
>  val accessToken2 = scribe.getAccessToken(new Token(token, tokenSecret), oaverifier)
>  val request2 = new Request(Verb.POST, "http://twitter.com/statuses/update.xml")
>  request2.addBodyParameter("status", "test update" + System.currentTimeMillis)
>  scribe.signRequest(request2, accessToken2)
>
>  val response2 = request2.send()
>
> Gero
>
> On May 17, 3:46 pm, Taylor Singletary 
> wrote:
> > Hi Gero,
> >
> > This particular issue looked to have been caused by a quirk in the way
> that
> > the Scribe library was encoding spaces. The library has since been
> updated
> > by the author.
> >
> > However, if you're still having the issue in another implementation, I'll
> be
> > happy to help. Can you share the POST body of the request and your
> signature
> > base string of when you're having the issue?
> >
> > Taylor Singletary
> > Developer Advocate, Twitter http://twitter.com/episod
> >
> >
> >
> > On Mon, May 17, 2010 at 12:12 AM, Gero  wrote:
> > > Hi,
> >
> > > Any updates on this issue? I'm running into the same problem and have
> > > not yet been able to resolve it.
> >
> > > Regards,
> > > Gero
> >
> > > On May 1, 12:42 am, Taylor Singletary 
> > > wrote:
> > > > Hi Pablo,
> >
> > > > Thanks for chiming in about Scribe. I'll take a look again soon at
> Scribe
> > > > and see if I can ascertain its potential fault (or our own if that is
> the
> > > > case).
> >
> > > > Keep up the good work on your OAuth library, Pablo! :)
> >
> > > > Taylor Singletary
> > > > Developer Advocate, Twitter http://twitter.com/episod
> >
> > > > On Fri, Apr 30, 2010 at 3:31 PM, Pablo Fernandez <
> > > fernandezpabl...@gmail.com
> >
> > > > > wrote:
> > > > > Hi Taylor!
> >
> > > > > I believe Rahul is having this problem while using my library
> (http://
> > > > > github.com/fernandezpablo85/scribe)
> >
> > > > > I've tested myself, I'm pretty sure the error lies in my code but I
> > > > > can't tell why :S
> >
> > > > > Here's the string that gets signed and the OAuth header in case
> that
> > > > > helps!
> >
> > > > > String to sign >>
> >
> > > > > POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> > > > >
> %2Fupdate.xml&oauth_consumer_key%3D6icbcAXyZx67r8uTAUM5Qw%26oauth_nonce
> > > > >
> %3D32c0b090041a4b233a36590a10c8749e%26oauth_signature_method%3DHMAC-
> > > > > SHA1%26oauth_timestamp%3D127248%26oauth_token%3D14654522-
> > > > >
> ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E%26oauth_version%3D1.0%26status
> > > > > %3DScribe%2520works.%2520Hell%2520yeah%2521
> >
> > > > > OAuth header >>
> >
> > > > > OAuth oauth_consumer_key="6icbcAXyZx67r8uTAUM5Qw",
> > > > > oauth_nonce="32c0b090041a4b233a36590a10c8749e",
> > > > > oauth_signature="hmzME2L2qAmzRYOj5P%2BBcja9ECg%3D",
> > > > > oauth_signature_method="HMAC-SHA1", oauth_timestamp="127248",
> > > > > oauth_token="14654522-ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E",
> > > > > oauth_version="1.0"
> >
> > > > > Pablo
> >
> > > > > PS: Kudos for developer.twitter.com. the site rocks!
> >
> > > > > On Apr 30, 3:34 pm, Rahul  wrote:
> > > > > > Taylor,
> >
> > > > > > Here you go. I have tried adding the content type as follows.
> >
> > > > > > > conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
> >
> > > > > > But this doesn't help at all and i still continue receiving the
> same
> > > > > > error of incorrect signature.
> >
> > > > > > Any guess?
> >
> > > > > > Thanks,Rahul
> >
> > > > > > On Apr 29, 9:03 pm,Rahul wrote:
> >
> > > > > > > Taylor,
> >
> > > > > > > I am presently using scribe java library for OAuth and as you
> said
> > > all
> > > > > > > spec compliant libraries the signature base string will only
> > > contain
> > > > > > > POST body parameter so does this one.
> >
> > > > > > > Also I will try to add the header 'Content-Type' to the library
> and
> > > > > > > let you know how it goes.
> >
> > > > > > > Thanks,
> > > > > > >Rahul
> >
> > > > > > > On Apr 29, 5:38 pm, Taylor Singletary <
> > > taylorsinglet...@twitter.com>
> > > > > > > wrote:
> >
> > > > > > > > Whether it matters before creating your signature or not
> depends
> > > > > entirely on
> > > > > > > > the OAuth library you are using. In spec-compliant OAuth
> > > libraries,
> > > > > the
> > > > > > > > signature base string will only contain POST body parameters
> when
> > > > > they are
> > > > > > > > of the application/x-www-form-urlencoded type -- most OAuth
> > > libraries
> > > > > need a
> > > > > > > > way to be instructed on the disposition of the content being
> > > passed
> > > > > as the
> > > > > > > > POST body and a common way is to look at an abstract request
> > > object
> > > > > of s

Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-05-17 Thread pablo fernandez
Indeed it was solved in version 0.6.6.

Sorry for that Gero!

On Mon, May 17, 2010 at 9:46 AM, Taylor Singletary <
taylorsinglet...@twitter.com> wrote:

> Hi Gero,
>
> This particular issue looked to have been caused by a quirk in the way that
> the Scribe library was encoding spaces. The library has since been updated
> by the author.
>
> However, if you're still having the issue in another implementation, I'll
> be happy to help. Can you share the POST body of the request and your
> signature base string of when you're having the issue?
>
> Taylor Singletary
> Developer Advocate, Twitter
> http://twitter.com/episod
>
>
> On Mon, May 17, 2010 at 12:12 AM, Gero  wrote:
>
>> Hi,
>>
>> Any updates on this issue? I'm running into the same problem and have
>> not yet been able to resolve it.
>>
>> Regards,
>> Gero
>>
>> On May 1, 12:42 am, Taylor Singletary 
>> wrote:
>> > Hi Pablo,
>> >
>> > Thanks for chiming in about Scribe. I'll take a look again soon at
>> Scribe
>> > and see if I can ascertain its potential fault (or our own if that is
>> the
>> > case).
>> >
>> > Keep up the good work on your OAuth library, Pablo! :)
>> >
>> > Taylor Singletary
>> > Developer Advocate, Twitter http://twitter.com/episod
>> >
>> > On Fri, Apr 30, 2010 at 3:31 PM, Pablo Fernandez <
>> fernandezpabl...@gmail.com
>> >
>> >
>> >
>> > > wrote:
>> > > Hi Taylor!
>> >
>> > > I believe Rahul is having this problem while using my library (http://
>> > > github.com/fernandezpablo85/scribe)
>> >
>> > > I've tested myself, I'm pretty sure the error lies in my code but I
>> > > can't tell why :S
>> >
>> > > Here's the string that gets signed and the OAuth header in case that
>> > > helps!
>> >
>> > > String to sign >>
>> >
>> > > POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
>> > >
>> %2Fupdate.xml&oauth_consumer_key%3D6icbcAXyZx67r8uTAUM5Qw%26oauth_nonce
>> > > %3D32c0b090041a4b233a36590a10c8749e%26oauth_signature_method%3DHMAC-
>> > > SHA1%26oauth_timestamp%3D127248%26oauth_token%3D14654522-
>> > >
>> ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E%26oauth_version%3D1.0%26status
>> > > %3DScribe%2520works.%2520Hell%2520yeah%2521
>> >
>> > > OAuth header >>
>> >
>> > > OAuth oauth_consumer_key="6icbcAXyZx67r8uTAUM5Qw",
>> > > oauth_nonce="32c0b090041a4b233a36590a10c8749e",
>> > > oauth_signature="hmzME2L2qAmzRYOj5P%2BBcja9ECg%3D",
>> > > oauth_signature_method="HMAC-SHA1", oauth_timestamp="127248",
>> > > oauth_token="14654522-ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E",
>> > > oauth_version="1.0"
>> >
>> > > Pablo
>> >
>> > > PS: Kudos for developer.twitter.com. the site rocks!
>> >
>> > > On Apr 30, 3:34 pm, Rahul  wrote:
>> > > > Taylor,
>> >
>> > > > Here you go. I have tried adding the content type as follows.
>> >
>> > > > conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
>> >
>> > > > But this doesn't help at all and i still continue receiving the same
>> > > > error of incorrect signature.
>> >
>> > > > Any guess?
>> >
>> > > > Thanks,Rahul
>> >
>> > > > On Apr 29, 9:03 pm,Rahul wrote:
>> >
>> > > > > Taylor,
>> >
>> > > > > I am presently using scribe java library for OAuth and as you said
>> all
>> > > > > spec compliant libraries the signature base string will only
>> contain
>> > > > > POST body parameter so does this one.
>> >
>> > > > > Also I will try to add the header 'Content-Type' to the library
>> and
>> > > > > let you know how it goes.
>> >
>> > > > > Thanks,
>> > > > >Rahul
>> >
>> > > > > On Apr 29, 5:38 pm, Taylor Singletary <
>> taylorsinglet...@twitter.com>
>> > > > > wrote:
>> >
>> > > > > > Whether it matters before creating your signature or not depends
>> > > entirely on
>> > > > > > the OAuth library you are using. In spec-compliant OAuth
>> libraries,
>> > > the
>> > > > > > signature base string will only contain POST body parameters
>> when
>> > > they are
>> > > > > > of the application/x-www-form-urlencoded type -- most OAuth
>> libraries
>> > > need a
>> > > > > > way to be instructed on the disposition of the content being
>> passed
>> > > as the
>> > > > > > POST body and a common way is to look at an abstract request
>> object
>> > > of some
>> > > > > > kind to determine the type of data being piped in rather than
>> just
>> > > trying to
>> > > > > > guess or simply assuming that POST bodies will always be of the
>> > > URL-encoded
>> > > > > > type. There might be another way to instruct your library on the
>> > > disposition
>> > > > > > of data, but it's likely it'll just assume all POST data
>> provided is
>> > > of the
>> > > > > > URL encoded variety. I don't think you have any issues with your
>> code
>> > > in
>> > > > > > this area today.
>> >
>> > > > > > But as a best practice when dealing with an HTTP-based API of
>> any
>> > > kind, you
>> > > > > > should be sending a Content-Type header whenever POSTing or
>> PUTing
>> > > any kind
>> > > > > > of payload. You don't pass a Content-Type header on a GET
>> because
>> > > there is
>> > > > > 

Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-05-17 Thread Taylor Singletary
Hi Gero,

This particular issue looked to have been caused by a quirk in the way that
the Scribe library was encoding spaces. The library has since been updated
by the author.

However, if you're still having the issue in another implementation, I'll be
happy to help. Can you share the POST body of the request and your signature
base string of when you're having the issue?

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Mon, May 17, 2010 at 12:12 AM, Gero  wrote:

> Hi,
>
> Any updates on this issue? I'm running into the same problem and have
> not yet been able to resolve it.
>
> Regards,
> Gero
>
> On May 1, 12:42 am, Taylor Singletary 
> wrote:
> > Hi Pablo,
> >
> > Thanks for chiming in about Scribe. I'll take a look again soon at Scribe
> > and see if I can ascertain its potential fault (or our own if that is the
> > case).
> >
> > Keep up the good work on your OAuth library, Pablo! :)
> >
> > Taylor Singletary
> > Developer Advocate, Twitter http://twitter.com/episod
> >
> > On Fri, Apr 30, 2010 at 3:31 PM, Pablo Fernandez <
> fernandezpabl...@gmail.com
> >
> >
> >
> > > wrote:
> > > Hi Taylor!
> >
> > > I believe Rahul is having this problem while using my library (http://
> > > github.com/fernandezpablo85/scribe)
> >
> > > I've tested myself, I'm pretty sure the error lies in my code but I
> > > can't tell why :S
> >
> > > Here's the string that gets signed and the OAuth header in case that
> > > helps!
> >
> > > String to sign >>
> >
> > > POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> > > %2Fupdate.xml&oauth_consumer_key%3D6icbcAXyZx67r8uTAUM5Qw%26oauth_nonce
> > > %3D32c0b090041a4b233a36590a10c8749e%26oauth_signature_method%3DHMAC-
> > > SHA1%26oauth_timestamp%3D127248%26oauth_token%3D14654522-
> > > ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E%26oauth_version%3D1.0%26status
> > > %3DScribe%2520works.%2520Hell%2520yeah%2521
> >
> > > OAuth header >>
> >
> > > OAuth oauth_consumer_key="6icbcAXyZx67r8uTAUM5Qw",
> > > oauth_nonce="32c0b090041a4b233a36590a10c8749e",
> > > oauth_signature="hmzME2L2qAmzRYOj5P%2BBcja9ECg%3D",
> > > oauth_signature_method="HMAC-SHA1", oauth_timestamp="127248",
> > > oauth_token="14654522-ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E",
> > > oauth_version="1.0"
> >
> > > Pablo
> >
> > > PS: Kudos for developer.twitter.com. the site rocks!
> >
> > > On Apr 30, 3:34 pm, Rahul  wrote:
> > > > Taylor,
> >
> > > > Here you go. I have tried adding the content type as follows.
> >
> > > > conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
> >
> > > > But this doesn't help at all and i still continue receiving the same
> > > > error of incorrect signature.
> >
> > > > Any guess?
> >
> > > > Thanks,Rahul
> >
> > > > On Apr 29, 9:03 pm,Rahul wrote:
> >
> > > > > Taylor,
> >
> > > > > I am presently using scribe java library for OAuth and as you said
> all
> > > > > spec compliant libraries the signature base string will only
> contain
> > > > > POST body parameter so does this one.
> >
> > > > > Also I will try to add the header 'Content-Type' to the library and
> > > > > let you know how it goes.
> >
> > > > > Thanks,
> > > > >Rahul
> >
> > > > > On Apr 29, 5:38 pm, Taylor Singletary <
> taylorsinglet...@twitter.com>
> > > > > wrote:
> >
> > > > > > Whether it matters before creating your signature or not depends
> > > entirely on
> > > > > > the OAuth library you are using. In spec-compliant OAuth
> libraries,
> > > the
> > > > > > signature base string will only contain POST body parameters when
> > > they are
> > > > > > of the application/x-www-form-urlencoded type -- most OAuth
> libraries
> > > need a
> > > > > > way to be instructed on the disposition of the content being
> passed
> > > as the
> > > > > > POST body and a common way is to look at an abstract request
> object
> > > of some
> > > > > > kind to determine the type of data being piped in rather than
> just
> > > trying to
> > > > > > guess or simply assuming that POST bodies will always be of the
> > > URL-encoded
> > > > > > type. There might be another way to instruct your library on the
> > > disposition
> > > > > > of data, but it's likely it'll just assume all POST data provided
> is
> > > of the
> > > > > > URL encoded variety. I don't think you have any issues with your
> code
> > > in
> > > > > > this area today.
> >
> > > > > > But as a best practice when dealing with an HTTP-based API of any
> > > kind, you
> > > > > > should be sending a Content-Type header whenever POSTing or
> PUTing
> > > any kind
> > > > > > of payload. You don't pass a Content-Type header on a GET because
> > > there is
> > > > > > no content being sent.
> >
> > > > > > It's likely that your OAuth library automatically sends the
> proper
> > > > > > Content-Type header on the OAuth negotiation steps because those
> > > steps are
> > > > > > required to use URL-encoded POST bodies by the spec.
> >
> > > > > > Taylor Singletary
> > > > > > Developer Advocate, Twitt

Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-04-30 Thread Taylor Singletary
Hi Pablo,

Thanks for chiming in about Scribe. I'll take a look again soon at Scribe
and see if I can ascertain its potential fault (or our own if that is the
case).

Keep up the good work on your OAuth library, Pablo! :)

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Fri, Apr 30, 2010 at 3:31 PM, Pablo Fernandez  wrote:

> Hi Taylor!
>
> I believe Rahul is having this problem while using my library (http://
> github.com/fernandezpablo85/scribe)
>
> I've tested myself, I'm pretty sure the error lies in my code but I
> can't tell why :S
>
> Here's the string that gets signed and the OAuth header in case that
> helps!
>
> String to sign >>
>
> POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> %2Fupdate.xml&oauth_consumer_key%3D6icbcAXyZx67r8uTAUM5Qw%26oauth_nonce
> %3D32c0b090041a4b233a36590a10c8749e%26oauth_signature_method%3DHMAC-
> SHA1%26oauth_timestamp%3D127248%26oauth_token%3D14654522-
> ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E%26oauth_version%3D1.0%26status
> %3DScribe%2520works.%2520Hell%2520yeah%2521
>
> OAuth header >>
>
> OAuth oauth_consumer_key="6icbcAXyZx67r8uTAUM5Qw",
> oauth_nonce="32c0b090041a4b233a36590a10c8749e",
> oauth_signature="hmzME2L2qAmzRYOj5P%2BBcja9ECg%3D",
> oauth_signature_method="HMAC-SHA1", oauth_timestamp="127248",
> oauth_token="14654522-ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E",
> oauth_version="1.0"
>
> Pablo
>
> PS: Kudos for developer.twitter.com. the site rocks!
>
> On Apr 30, 3:34 pm, Rahul  wrote:
> > Taylor,
> >
> > Here you go. I have tried adding the content type as follows.
> >
> > conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
> >
> > But this doesn't help at all and i still continue receiving the same
> > error of incorrect signature.
> >
> > Any guess?
> >
> > Thanks,Rahul
> >
> > On Apr 29, 9:03 pm,Rahul wrote:
> >
> >
> >
> > > Taylor,
> >
> > > I am presently using scribe java library for OAuth and as you said all
> > > spec compliant libraries the signature base string will only contain
> > > POST body parameter so does this one.
> >
> > > Also I will try to add the header 'Content-Type' to the library and
> > > let you know how it goes.
> >
> > > Thanks,
> > >Rahul
> >
> > > On Apr 29, 5:38 pm, Taylor Singletary 
> > > wrote:
> >
> > > > Whether it matters before creating your signature or not depends
> entirely on
> > > > the OAuth library you are using. In spec-compliant OAuth libraries,
> the
> > > > signature base string will only contain POST body parameters when
> they are
> > > > of the application/x-www-form-urlencoded type -- most OAuth libraries
> need a
> > > > way to be instructed on the disposition of the content being passed
> as the
> > > > POST body and a common way is to look at an abstract request object
> of some
> > > > kind to determine the type of data being piped in rather than just
> trying to
> > > > guess or simply assuming that POST bodies will always be of the
> URL-encoded
> > > > type. There might be another way to instruct your library on the
> disposition
> > > > of data, but it's likely it'll just assume all POST data provided is
> of the
> > > > URL encoded variety. I don't think you have any issues with your code
> in
> > > > this area today.
> >
> > > > But as a best practice when dealing with an HTTP-based API of any
> kind, you
> > > > should be sending a Content-Type header whenever POSTing or PUTing
> any kind
> > > > of payload. You don't pass a Content-Type header on a GET because
> there is
> > > > no content being sent.
> >
> > > > It's likely that your OAuth library automatically sends the proper
> > > > Content-Type header on the OAuth negotiation steps because those
> steps are
> > > > required to use URL-encoded POST bodies by the spec.
> >
> > > > Taylor Singletary
> > > > Developer Advocate, Twitter http://twitter.com/episod
> > > > On Thu, Apr 29, 2010 at 2:20 PM, Rahul wrote:
> > > > > So what are trying to say is that i should explicitly add
> Content-type
> > > > > header in the message going out and that too before creating the
> > > > > signature?
> >
> > > > > Thanks,
> > > > >Rahul
> >
> > > > > On Apr 29, 4:58 pm, Taylor Singletary <
> taylorsinglet...@twitter.com>
> > > > > wrote:
> > > > > > Since you're sending a status, you should be setting a
> Content-Type
> > > > > header
> > > > > > to indicate the type of payload -- it's best never to assume that
> a HTTP
> > > > > > server or a HTTP library will know how to understand a payload
> without
> > > > > being
> > > > > > explicitly told what kind of payload that is. The signature might
> be
> > > > > > mis-calculating on the Twitter side due to not including your
> parameters
> > > > > > when constructing it.
> >
> > > > > > Taylor Singletary
> > > > > > Developer Advocate, Twitter http://twitter.com/episod
> >
> > > > > > On Thu, Apr 29, 2010 at 1:36 PM,Rahul
> wrote:
> > > > > > > Hello,
> >
> > > > > > > To answer your questions. The following is the body response i
> receive
>

Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-04-29 Thread Taylor Singletary
Whether it matters before creating your signature or not depends entirely on
the OAuth library you are using. In spec-compliant OAuth libraries, the
signature base string will only contain POST body parameters when they are
of the application/x-www-form-urlencoded type -- most OAuth libraries need a
way to be instructed on the disposition of the content being passed as the
POST body and a common way is to look at an abstract request object of some
kind to determine the type of data being piped in rather than just trying to
guess or simply assuming that POST bodies will always be of the URL-encoded
type. There might be another way to instruct your library on the disposition
of data, but it's likely it'll just assume all POST data provided is of the
URL encoded variety. I don't think you have any issues with your code in
this area today.

But as a best practice when dealing with an HTTP-based API of any kind, you
should be sending a Content-Type header whenever POSTing or PUTing any kind
of payload. You don't pass a Content-Type header on a GET because there is
no content being sent.

It's likely that your OAuth library automatically sends the proper
Content-Type header on the OAuth negotiation steps because those steps are
required to use URL-encoded POST bodies by the spec.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Thu, Apr 29, 2010 at 2:20 PM, Rahul  wrote:

> So what are trying to say is that i should explicitly add Content-type
> header in the message going out and that too before creating the
> signature?
>
> Thanks,
> Rahul
>
> On Apr 29, 4:58 pm, Taylor Singletary 
> wrote:
> > Since you're sending a status, you should be setting a Content-Type
> header
> > to indicate the type of payload -- it's best never to assume that a HTTP
> > server or a HTTP library will know how to understand a payload without
> being
> > explicitly told what kind of payload that is. The signature might be
> > mis-calculating on the Twitter side due to not including your parameters
> > when constructing it.
> >
> > Taylor Singletary
> > Developer Advocate, Twitter http://twitter.com/episod
> >
> >
> >
> > On Thu, Apr 29, 2010 at 1:36 PM, Rahul  wrote:
> > > Hello,
> >
> > > To answer your questions. The following is the body response i receive
> > > back
> >
> > > 
> > > 
> > >  /1/statuses/update.xml
> > >  Incorrect signature
> > > 
> >
> > > Also, I am not setting any content type header at this point & I am
> > > using "POST" only for token negotiation. and have not tried any get
> > > restricted resource yet. I did try some but they seem to be public
> > > timeline etc which seems to be working good.
> >
> > > Any help on this is highly appreciated.
> >
> > > Thanks,
> > > Rahul
> >
> > > On Apr 29, 4:22 pm, Taylor Singletary 
> > > wrote:
> > > > Hi Rahul,
> >
> > > > I'm trying to think of other reasons. We might be throwing the invalid
> > > > signature error in a case where the signature is not in fact invalid.
> >
> > > > How about requests that are not of the type POST? Have you had a GET (other than
> > > > OAuth token negotiation steps) work for you? When you were doing the token
> > > > negotiation steps, were you using POSTs or GETs? When performing a POST, are
> > > > you setting your HTTP Content-Type header to
> > > > "application/x-www-form-urlencoded"?
> >
> > > > What's the exact response from the server? There's usually a payload
> > > > included with the response that may give more clarity to the error. We have
> > > > some upcoming enhancements to the OAuth implementation that will return to
> > > > you the "signature base string we calculated" which would be useful here
> > > > now.
> >
> > > > Taylor Singletary
> > > > Developer Advocate, Twitter http://twitter.com/episod
> >
> > > > On Thu, Apr 29, 2010 at 1:12 PM, Rahul 
> wrote:
> > > > > Taylor,
> >
> > > > > A quick update on this. I tried generating the signature from my
> > > > > library and the page mentioned below they both seem to be exactly the
> > > > > same.
> >
> > > > >
> http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signin.
> > > ..
> >
> > > > > What else can be the reason and how come twitter is responding with
> > > > > Incorrect Signature ?
> >
> > > > > Thanks,
> > > > > Rahul
> >
> > > > > On Apr 29, 1:19 pm, Rahul  wrote:
> > > > > > Taylor,
> >
> > > > > > > Thanks for taking a look at it, and to answer your question yes I do
> > > > > > > pass the status in the signature base string.
> >
> > > > > > > Also below is my string which I pass to the below mentioned toSign
> > > > > > > variable.
> >
> > > > > > toSign:
> > > > > > POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> > > > > > %2Fupdate.xml&oauth_consumer_key%xxx%26oauth_nonce
> > > > > >
> %3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-
> > > > > > SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-
> > > > > > xxx%26oa

Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-04-29 Thread Taylor Singletary
Since you're sending a status, you should be setting a Content-Type header
to indicate the type of payload -- it's best never to assume that a HTTP
server or a HTTP library will know how to understand a payload without being
explicitly told what kind of payload that is. The signature might be
mis-calculating on the Twitter side due to not including your parameters
when constructing it.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Thu, Apr 29, 2010 at 1:36 PM, Rahul  wrote:

> Hello,
>
> To answer your questions. The following is the body response i receive
> back
>
> 
> 
>  /1/statuses/update.xml
>  Incorrect signature
> 
>
> Also, I am not setting any content type header at this point & I am
> using "POST" only for token negotiation. and have not tried any get
> restricted resource yet. I did try some but they seem to be public
> timeline etc which seems to be working good.
>
> Any help on this is highly appreciated.
>
> Thanks,
> Rahul
>
> On Apr 29, 4:22 pm, Taylor Singletary 
> wrote:
> > Hi Rahul,
> >
> > I'm trying to think of other reasons. We might be throwing the invalid
> > signature error in a case where the signature is not in fact invalid.
> >
> > How about requests that are not of the type POST? Have you had a GET (other than
> > OAuth token negotiation steps) work for you? When you were doing the token
> > negotiation steps, were you using POSTs or GETs? When performing a POST, are
> > you setting your HTTP Content-Type header to
> > "application/x-www-form-urlencoded"?
> >
> > What's the exact response from the server? There's usually a payload
> > included with the response that may give more clarity to the error. We have
> > some upcoming enhancements to the OAuth implementation that will return to
> > you the "signature base string we calculated" which would be useful here
> > now.
> >
> > Taylor Singletary
> > Developer Advocate, Twitter http://twitter.com/episod
> >
> >
> >
> > On Thu, Apr 29, 2010 at 1:12 PM, Rahul  wrote:
> > > Taylor,
> >
> > > A quick update on this. I tried generating the signature from my
> > > library and the page mentioned below they both seem to be exactly the
> > > same.
> >
> > >http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signin.
> ..
> >
> > > What else can be the reason and how come twitter is responding with
> > > Incorrect Signature ?
> >
> > > Thanks,
> > > Rahul
> >
> > > On Apr 29, 1:19 pm, Rahul  wrote:
> > > > Taylor,
> >
> > > > Thanks for taking a look at it. and to answer your question yes I do
> > > > pass the status in the signature base string.
> >
> > > > Also below is my string which i pass to the below mentioned toSign
> > > > variable.
> >
> > > > toSign:
> > > > POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> > > > %2Fupdate.xml&oauth_consumer_key%xxx%26oauth_nonce
> > > > %3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-
> > > > SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-
> > > > xxx%26oauth_version%3D1.0%26status
> > > > %3Dhurray
> >
> > > > Mac mac = Mac.getInstance(HMAC_SHA1);
> > > > mac.init(key);
> > > > byte[] bytes = mac.doFinal(toSign.getBytes(UTF8));
> >
> > > > and in the key i pass: consumerSecret + '&' + tokenSecret
> >
> > > > Thanks,
> > > > Rahul
> >
> > > > On Apr 29, 12:46 pm, Taylor Singletary  >
> > > > wrote:
> >
> > > > > Hi Rahul,
> >
> > > > > > When you are POSTing to statuses/update.xml -- are you including the status
> > > > > > that you are posting in your signature base string? As a URL-encoded
> > > > > > parameter, it should be included in both your POST body and the signature
> > > > > > base string (but not in the HTTP authorization header).
> >
> > > > > Taylor Singletary
> > > > > > Developer Advocate, Twitter http://twitter.com/episod
> >
> > > > > On Thu, Apr 29, 2010 at 9:35 AM, Rahul 
> wrote:
> > > > > > Folks,
> >
> > > > > > > I have been trying this and have already spent lot of time on this but
> > > > > > > what I don't understand is how is getting the access token working and
> > > > > > > post to update is not working when I am using the same signature
> > > > > > > generation method for both the requests.
> >
> > > > > > Here is my complete scenario.
> > > > > > > 1. fetch the request token
> > > > > > > 2. redirect the user to the authorize page
> > > > > > > 3. get the verifier from the new called back url
> > > > > > > 4. getting the access token by passing oauth_token and auth_verifier
> > > > > > > 5. create a new post request for update and sign the request with
> > > > > > > HMAC.sign(toSign, consumerSecret + '&' + tokenSecret)
> > > > > > >   Note: toSign is the request with the following headers :
> > > > > > > oauth_timestamp, oauth_signature_method, oauth_version, oauth_nonce,
> > > > > > > oauth_consumer_key
> > > > > > > 6. Send the request.
> >
> > > > > > > Also if helpful, I am using following values
> > > > > > oauth_nonce=MD5.h

Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

2010-04-29 Thread Taylor Singletary
Hi Rahul,

I'm trying to think of other reasons. We might be throwing the invalid
signature error in a case where the signature is not in fact invalid.

How about requests that are not of the type POST? Have you had a GET (other than
OAuth token negotiation steps) work for you? When you were doing the token
negotiation steps, were you using POSTs or GETs? When performing a POST, are
you setting your HTTP Content-Type header to
"application/x-www-form-urlencoded"?

What's the exact response from the server? There's usually a payload
included with the response that may give more clarity to the error. We have
some upcoming enhancements to the OAuth implementation that will return to
you the "signature base string we calculated" which would be useful here
now.


Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Thu, Apr 29, 2010 at 1:12 PM, Rahul  wrote:

> Taylor,
>
> A quick update on this. I tried generating the signature from my
> library and the page mentioned below they both seem to be exactly the
> same.
>
>
> http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests/
>
> What else can be the reason and how come twitter is responding with
> Incorrect Signature ?
>
> Thanks,
> Rahul
>
> On Apr 29, 1:19 pm, Rahul  wrote:
> > Taylor,
> >
> > Thanks for taking a look at it. and to answer your question yes I do
> > pass the status in the signature base string.
> >
> > Also below is my string which i pass to the below mentioned toSign
> > variable.
> >
> > toSign:
> > POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> > %2Fupdate.xml&oauth_consumer_key%xxx%26oauth_nonce
> > %3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-
> > SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-
> > xxx%26oauth_version%3D1.0%26status
> > %3Dhurray
> >
> > Mac mac = Mac.getInstance(HMAC_SHA1);
> > mac.init(key);
> > byte[] bytes = mac.doFinal(toSign.getBytes(UTF8));
> >
> > and in the key i pass: consumerSecret + '&' + tokenSecret
> >
> > Thanks,
> > Rahul
> >
> > On Apr 29, 12:46 pm, Taylor Singletary 
> > wrote:
> >
> >
> >
> > > Hi Rahul,
> >
> > > When you are POSTing to statuses/update.xml -- are you including the status
> > > that you are posting in your signature base string? As a URL-encoded
> > > parameter, it should be included in both your POST body and the signature
> > > base string (but not in the HTTP authorization header).
> >
> > > Taylor Singletary
> > > Developer Advocate, Twitter http://twitter.com/episod
> >
> > > On Thu, Apr 29, 2010 at 9:35 AM, Rahul  wrote:
> > > > Folks,
> >
> > > > I have been trying this and have already spent lot of time on this but
> > > > what I don't understand is how is getting the access token working and
> > > > post to update is not working when I am using the same signature
> > > > generation method for both the requests.
> >
> > > > Here is my complete scenario.
> > > > 1. fetch the request token
> > > > 2. redirect the user to the authorize page
> > > > 3. get the verifier from the new called back url
> > > > 4. getting the access token by passing oauth_token and auth_verifier
> > > > 5. create a new post request for update and sign the request with
> > > > HMAC.sign(toSign, consumerSecret + '&' + tokenSecret)
> > > >   Note: toSign is the request with the following headers :
> > > > oauth_timestamp, oauth_signature_method, oauth_version, oauth_nonce,
> > > > oauth_consumer_key
> > > > 6. Send the request.
> >
> > > > Also if helpful, I am using following values
> > > > oauth_nonce=MD5.hexHash(getTimestampInSeconds())
> > > > oauth_signature_method=HMAC-SHA1
> > > > oauth_version=1.0
> >
> > > > I have verified most of the things and looks good to me, also there is
> > > > very less possibility of generating wrong signature as I have used the
> > > > same signature to get the access token and was able to successfully
> > > > receive it.
> >
> > > > Any pointers highly appreciated.
> >
> > > > Thanks,
> > > > Rahul
>