Hi Thom, I like your approach. I think there are two things possibly wrong in your implementation.
The first: Your signing key needs to have the "&" character at the end, even when there's no additional oauth_token_secret in the request. Instead of your signing key being "MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98" it should be "MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98&" (this part is mentioned as part of the examples in this section on our auth document).

The second: One detail I may have omitted in the documentation that might be key for you here is the following snippet from the OAuth specification:

oauth_signature is set to S, first base64-encoded per [RFC2045] (Freed, N. and N. Borenstein, “Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies,” .) <http://oauth.net/core/1.0a/#RFC2045> section 6.8, then URL-encoded per Parameter Encoding (Parameter Encoding) <http://oauth.net/core/1.0a/#encoding_parameters>.

Hope this helps! The second point of information is often non-relevant, but it's good to keep in mind.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod

On Thu, Apr 29, 2010 at 8:56 AM, Thom Nichols <tmnich...@gmail.com> wrote:
> So I'm trying to implement an OAuth consumer* and running into some
> trouble. As a sanity check I'm trying to replicate the example
> provided in the dev documentation
> (http://dev.twitter.com/pages/auth#request-token). I'm stuck when
> generating the signature for the request. That is, if I use the
> example parameters and example secret key, the signature in the
> example doesn't match the signature I'm generating. So I took another
> step back to see if I can use the net.oauth Java implementation, and
> _that_ doesn't create a signature matching what's in the example
> either! So either I'm doing something painfully wrong or the Twitter
> documentation is incorrect.
>
> If I take the 'base string' in the documentation and try to sign it
> with the 'signing key' from the example, it's only a couple lines of
> Groovy to use the net.oauth API:
>
> import net.oauth.signature.HMAC_SHA1
>
> // string from the example
> def str = 'POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Flocalhost%253A3005%252Fthe_dance%252Fprocess_callback%253Fservice_provider_id%253D11%26oauth_consumer_key%3DGDdmIQH6jhtmLUypg82g%26oauth_nonce%3DQP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk%26oauth_signature_method%3DHMAC_SHA1%26oauth_timestamp%3D1272323042%26oauth_version%3D1.0'
>
> // use the consumer secret from the example:
> def hmac = new HMAC_SHA1(consumerSecret:'MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98')
>
> println hmac.getSignature(str)
> // prints 'cz+LlAuzclTvE2YQiNogw3dC4yo=
> // Example gives: 8wUi7m5HFQy76nowoCThusfgB+Q=
>
> Any ideas? Let me reiterate -- I know I can't use the example secret
> key & parameters in my own code... I'm trying to use some 'known
> constant' to verify that at least I'm performing the hash operation
> correctly. My _real_ code uses javax.crypto.Mac similar to what's
> being done by net.oauth...HMAC_SHA1. You can see the code here:
>
> http://oauth.googlecode.com/svn/code/java/core/commons/src/main/java/net/oauth/signature/HMAC_SHA1.java
>
> So my theory is, either the Twitter documentation is wrong and I
> shouldn't trust it as a basis for implementing my own oauth consumer
> code, or there's some problem with how javax.crypto.Mac is being
> used... Or I'm doing something else totally idiotic. Any ideas?
>
> Thanks.
>
> * partially as just an academic exercise, I know there are other OAuth
> implementations for Java. So please don't ask "why don't you just use
> Twitter4j or OAuth library ____?" :)
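
The two points in the reply above (the "&" that always terminates the consumer-secret half of the signing key, and base64 followed by URL-encoding of the signature), as an added example that is not part of the original thread and is written in Python rather than the thread's Groovy. The function names are hypothetical; the known-answer values are the worked example from Appendix A.5 of the OAuth Core 1.0 specification, not the Twitter documentation example discussed in the thread.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Known-answer vector: OAuth Core 1.0 spec, Appendix A.5 (not Twitter's example).
SPEC_BASE_STRING = (
    "GET&http%3A%2F%2Fphotos.example.net%2Fphotos&"
    "file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03"
    "%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk"
    "%26oauth_version%3D1.0%26size%3Doriginal"
)
SPEC_CONSUMER_SECRET = "kd94hf93k423kf44"
SPEC_TOKEN_SECRET = "pfkkdhi9sl3r4s00"
SPEC_SIGNATURE = "tR3+Ty81lMeYAr/Fid0kMTYa/WM="


def pct(value: str) -> str:
    """OAuth parameter encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    # The '&' separator is always present, so a request-token call
    # (no token secret yet) still signs with "<consumer_secret>&".
    return pct(consumer_secret) + "&" + pct(token_secret)


def sign(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Return S: the base64-encoded HMAC-SHA1 of the signature base string."""
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def oauth_signature_param(base_string: str, consumer_secret: str,
                          token_secret: str = "") -> str:
    """Value sent as oauth_signature: S, then URL-encoded ('+', '/', '=')."""
    return pct(sign(base_string, consumer_secret, token_secret))


if __name__ == "__main__":
    got = sign(SPEC_BASE_STRING, SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET)
    print("spec vector matches:", got == SPEC_SIGNATURE)
    print("on the wire:", oauth_signature_param(
        SPEC_BASE_STRING, SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET))
    # Constructed secret, request-token step: key still ends in '&'.
    print("request-token key:", signing_key("constructed-consumer-secret"))
```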