On 8/18/10 12:11 AM, Olu wrote:
> I'm trying to implement Twitter XAuth for my application. My
> application has already been registered and approved for XAuth
> privileges. However, the documentation mentions that I need to include
> a  "nonce" or "token secret" when authenticating. What is this? I have
> no idea what the nonce or  token secret is and how to generate/get
> one.
> 
> Also, can anyone verify whether the code I'm writing to
> generate the signing secret is correct?
> 
> $signature = base64_encode(hash_hmac('sha1', $baseString,
> $oauth_consumer_secret.'&'.$token_secret, true));
> 
> where $baseString is the signature base, $oauth_consumer_secret is
> self-explanatory and $token_secret is the token secret (whatever that
> is).
> 
> I'm actually able to send a request to Twitter but I always get the
> same response: "Failed to validate oauth signature and token".
> 
> My PHP code is below. It'll be helpful if someone can help me out with
> this, as I've been trying to get this to work for a while now. Thanks!
> 
> <?php
> 
> $oauth_consumer_key = "XXX";
> $oauth_consumer_secret = "YYY";
> $oauth_nonce = ???;
> $oauth_signature_method = "HMAC-SHA1";
> $oauth_timestamp = time();
> $oauth_version = "1.0";
> $x_auth_mode = "client_auth";
> $x_auth_password = "AAAA";
> $x_auth_username = "BBBB";
> $token_secret = "????";
> 
> $baseString = "https://api.twitter.com/oauth/access_token" .
> "&oauth_consumer_key=" . urlencode($oauth_consumer_key) .
> "&oauth_nonce=" . urlencode($oauth_nonce) .
> "&oauth_signature_method=" . urlencode($oauth_signature_method) .
> "&oauth_timestamp=" . urlencode($oauth_timestamp) .
> "&oauth_version=" . urlencode($oauth_version) .
> "&x_auth_mode=" . urlencode($x_auth_mode) .
> "&x_auth_password=" . urlencode($x_auth_password) .
> "&x_auth_username=" . urlencode($x_auth_username);
> $baseString = "POST&" . urlencode($baseString);
> 
> $post = "x_auth_mode=client_auth&x_auth_password=" .
> urlencode($x_auth_password) . "&x_auth_username=" .
> urlencode($x_auth_username);
> 
> $signature = base64_encode(hash_hmac('sha1', $baseString,
> $oauth_consumer_secret . '&' . $token_secret, true));
> 
> $auth = "OAuth oauth_nonce=\"" . $oauth_nonce . "\", " .
> "oauth_signature_method=\"" . $oauth_signature_method . "\", " .
> "oauth_timestamp=\"" . $oauth_timestamp . "\", " .
> "oauth_consumer_key=\"" . $oauth_consumer_key . "\", " .
> "oauth_signature=\"" . urlencode($signature) . "\", " .
> "oauth_version=\"" . $oauth_version . "\"";
> 
> $ch = curl_init("https://api.twitter.com/oauth/access_token");
> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
> curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
> curl_setopt($ch, CURLOPT_HTTPHEADER, array("Expect: ", "Authorization: $auth"));
> curl_setopt($ch, CURLOPT_POST, true);
> curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
> 
> $b = curl_exec($ch);
> var_dump($b);
> 
> curl_close($ch);
> 
> ?>
> 

Hi,

I love quoting the OAuth RFC, so here I go:
   A nonce is a random string, uniquely generated by the client to allow
   the server to verify that a request has never been made before and
   helps prevent replay attacks when requests are made over a non-secure
   channel.  The nonce value MUST be unique across all requests with the
   same timestamp, client credentials, and token combinations.

Your code to generate the signature is fine.

As far as I know, the PHP urlencode() is not sufficient. You should use
rawurlencode() and then decode the ~ (and some other character, but to
be honest, I forgot).

The URL in your base string must not include query parameters. The query
parameters go in the third part of the Base String, together with the
post body.

The token/secret are not needed for xAuth. Simply leave them blank.

Tom
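Putting Tom's points together (rawurlencode, a URL without query parameters, all parameters in the third part of the base string, an empty token secret for xAuth, a random nonce), here is an added example; it is not code from either message. The endpoint is the one from the thread, and the consumer key, secret and credentials are constructed placeholders.

```php
<?php
// Added example, not code from the thread: builds the OAuth 1.0 HMAC-SHA1
// signature for an xAuth access_token request. Key, secret and credentials
// are constructed placeholders.
// RFC 5849 percent-encoding. rawurlencode() leaves '~' alone on PHP >= 5.3;
// the str_replace keeps it literal on older versions.
function oauthEncode($value) {
    return str_replace('%7E', '~', rawurlencode((string) $value));
}
// Random nonce, unique per request (see the RFC text Tom quotes). PHP >= 7.
function oauthNonce() {
    return bin2hex(random_bytes(16));
}
// Base string: METHOD & encoded URL without query string & encoded string of
// all parameters (oauth_* and POST body), each encoded, sorted, '&'-joined.
function oauthBaseString($method, $url, array $params) {
    ksort($params, SORT_STRING);
    $pairs = array();
    foreach ($params as $k => $v) {
        $pairs[] = oauthEncode($k) . '=' . oauthEncode($v);
    }
    return strtoupper($method) . '&' . oauthEncode($url) . '&'
        . oauthEncode(implode('&', $pairs));
}
// Signing key: consumer_secret '&' token_secret. xAuth has no token yet, so
// the token secret is empty and the key simply ends in '&'.
function oauthSignature($baseString, $consumerSecret, $tokenSecret = '') {
    $key = oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

$url = 'https://api.twitter.com/oauth/access_token';
$oauth = array('oauth_consumer_key' => 'XXX', 'oauth_nonce' => oauthNonce(),
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => time(),
    'oauth_version' => '1.0');
$body = array('x_auth_mode' => 'client_auth', 'x_auth_username' => 'BBBB',
    'x_auth_password' => 'AAAA');
$base = oauthBaseString('POST', $url, $oauth + $body);
$oauth['oauth_signature'] = oauthSignature($base, 'YYY');
// Authorization header: each key and value percent-encoded, values quoted.
$parts = array();
foreach ($oauth as $k => $v) {
    $parts[] = oauthEncode($k) . '="' . oauthEncode($v) . '"';
}
echo 'Authorization: OAuth ' . implode(', ', $parts), "\n";
echo 'Body: ' . http_build_query($body, '', '&', PHP_QUERY_RFC3986), "\n";
```

The body must be sent exactly as it was encoded into the base string, otherwise the server recomputes a different signature and rejects the request.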
