Hi Daniel,
While working through issue 433 [1] we've discussed signatures
pretty in-depth. This is an unrelated problem but I think you'll find
the discussion about signatures there helpful, as it has several
examples. The short-short answer is:
• The string you sign should have the status=testing parameter appended, like:
POST&http%3A%2F%2Ftwitter.com%2Fstatuses%2Fupdate.xml&oauth_consumer_key%3Dw9zJ2JxgWTsJN5OyEHIZjw%26oauth_nonce%3Ddudialjpcnn4p355%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1239673686%26oauth_token%3D11173402-LxhEcmKGl2zKjsbuBE0tdt4UBAxHoR1LFfrs5tTo4%26oauth_version%3D1.00%26status%3Dtesting
• When you make the request the URL should be http://twitter.com/statuses/update.xml and the status=testing parameter should be in the body, like a normal x-www-form-urlencoded POST.
Thanks;
— Matt Sanford / @mzsanford
[1] - http://code.google.com/p/twitter-api/issues/detail?id=433
On Apr 14, 2009, at 09:28 AM, Dimebrain wrote:
Hello,
I originally commented on issue thread 447 but that issue was closed,
so I wanted to repost my problem to see if it's something I'm doing
wrong on my side.
I am still failing, but using C# / .NET and a self-authored OAuth
implementation.
My GET calls work correctly, my POST calls 401.
Here is the URI:
http://twitter.com/statuses/update.xml?status=testing
Here is my signature base string:
POST&http%3A%2F%2Ftwitter.com%2Fstatuses%2Fupdate.xml&oauth_consumer_key%3Dw9zJ2JxgWTsJN5OyEHIZjw%26oauth_nonce%3Ddudialjpcnn4p355%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1239673686%26oauth_token%3D11173402-LxhEcmKGl2zKjsbuBE0tdt4UBAxHoR1LFfrs5tTo4%26oauth_version%3D1.0
And the signature (url encoded):
E0UkQEmfcaT3DOG7a8L7sImCmVw%3D
And the authorization header:
OAuth oauth_consumer_key="w9zJ2JxgWTsJN5OyEHIZjw",oauth_token="11173402-LxhEcmKGl2zKjsbuBE0tdt4UBAxHoR1LFfrs5tTo4",oauth_nonce="dudialjpcnn4p355",oauth_timestamp="1239673686",oauth_signature_method="HMAC-SHA1",oauth_signature="E0UkQEmfcaT3DOG7a8L7sImCmVw%3D",oauth_version="1.0"
And the request header out the door:
POST /statuses/update.xml?status=testing HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: <as above>
Host: twitter.com
- I've also tried including "status=testing" in the list of post parameters included in the signature hashing. I'm not clear on whether it's expected to exist there b/c of the normalization done to the URI during signature hashing, i.e. otherwise it would only exist on the POST itself and not in the signature.
I wonder if someone could clarify a point about POST with status=X, and that is, when preparing a POST with the default W3C application/x-www-form-urlencoded content type, are we supposed to:
a) remove the status=X line from the URI query, and instead write it
to the request as POST parameters (and therefore include status=X in
the signature base string as per OAuth 1.0), or
b) keep the status=X in the URI itself, and only include other
parameters in the POST parameters.
I think what might be happening is that .NET treats the Query fragment
of a URI as post parameters, and maybe all approaches with
application/x-www-form-urlencoded do; in other words it's not really a
query as per a GET call, it's just the absolute uri path, and then all
query params are added to the signature base and written in the POST
message ---> with different URL escaping than a URI (i.e. +'s are part
of the POST encoding spec as opposed to %20's that are part of the URI
encoding spec).
See, maybe you can't POST because you use %20's in the sig base but
+'s in the POST params, which is actually according to the spec.
I'd love to know if anyone has some insight into this problem. The
inability to POST w/ OAuth on Twitter is affecting everyone that uses
my library.
Daniel
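
Added example, not part of the thread or either poster's code: a Python sketch of OAuth 1.0 base-string construction, showing the form-body status parameter being signed and a space encoded as %20 in the base string even though the POST body carries it as +. The OAuth values are the ones posted above; the two secrets and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit


def pct(value: str) -> str:
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved chars stay literal."""
    return quote(value, safe="-._~")


def base_string(method: str, url: str, oauth: dict, body: dict) -> str:
    """Signature base string over OAuth, query-string and form-body parameters."""
    parts = urlsplit(url)
    # The URL element carries no query string; query parameters are signed
    # as ordinary parameters, exactly like x-www-form-urlencoded body fields.
    bare_url = urlunsplit((parts.scheme, parts.netloc.lower(), parts.path, "", ""))
    params = list(oauth.items()) + list(body.items())
    params += parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join((method.upper(), pct(bare_url), pct(normalized)))


def sign(base: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string, base64 encoded (not yet percent-encoded)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


URL = "http://twitter.com/statuses/update.xml"
OAUTH = {  # values as posted in the thread
    "oauth_consumer_key": "w9zJ2JxgWTsJN5OyEHIZjw",
    "oauth_nonce": "dudialjpcnn4p355",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1239673686",
    "oauth_token": "11173402-LxhEcmKGl2zKjsbuBE0tdt4UBAxHoR1LFfrs5tTo4",
    "oauth_version": "1.0",
}
CONSUMER_SECRET = "constructed-consumer-secret"  # constructed, not from the thread
TOKEN_SECRET = "constructed-token-secret"        # constructed, not from the thread

if __name__ == "__main__":
    body = {"status": "hello world"}
    base = base_string("POST", URL, OAUTH, body)
    print("base string :", base)                 # space appears as %2520
    print("POST body   :", urlencode(body))      # space appears as +
    print("signature   :", pct(sign(base, CONSUMER_SECRET, TOKEN_SECRET)))
```

A 401 on POST with a working GET is what a server returns when it signs the decoded body parameters and the client did not; comparing the client's base string against one built this way isolates the mismatch.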