Hi Matt, Thanks for replying. I had already tried the approach of using the source=test with the signatureBase without success, I still receive 401's for all POST calls, but GETs work fine. I'm suspecting that .NET itself is doing something that perhaps other libraries don't. I'll keep trying some things, including maybe just opening a socket and building an HTTP message myself to trace back steps, but just to confirm:
- The encoding of x-www-form-urlencoded is not the same escaping algorithm as URIs (too lazy to look up RFC numbers), so it should be OK for the POST params to use + for spaces and the signatureBase to use %20's for spaces, which is the technically correct way. - Do you know if other libraries, in general, look at a POST request, chop of the URI query, and send that as post parameters after the initial request data? Daniel On Apr 14, 1:55 pm, Matt Sanford <[email protected]> wrote: > Hi Daniel, > > While working through issue 433 [1] we've discussed signatures > pretty in-depth. This is an unrelated problem but I think you'll find > the discussion about signatures there helpful, as it has several > examples. The short-short answer is: > > • The string you sign should have the status=testing parameter > appended, like: > > POST&http%3A%2F%2Ftwitter.com%2Fstatuses > %2Fupdate.xml&oauth_consumer_key%3Dw9zJ2JxgWTsJN5OyEHIZjw%26oauth_nonce > %3Ddudialjpcnn4p355%26oauth_signature_method%3DHMAC- > SHA1%26oauth_timestamp%3D1239673686%26oauth_token%3D11173402- > LxhEcmKGl2zKjsbuBE0tdt4UBAxHoR1LFfrs5tTo4%26oauth_version > %3D1.00%26status%3Dtesting > > • When you make the request the URL should > behttp://twitter.com/statuses/update.xml > and the status=testing parameter should be in the body, like a > normal x-www-form-urlencoded POST. > > Thanks; > — Matt Sanford / @mzsanford > > [1] -http://code.google.com/p/twitter-api/issues/detail?id=433 > > On Apr 14, 2009, at 09:28 AM, Dimebrain wrote: > > > > > Hello, > > > I originally commented on issue thread 447 but that issue was closed, > > so I wanted to repost my problem to see if it's something I'm doing > > wrong on my side. > > > I am still failing, but using C# / .NET and a self-authored OAuth > > implementation. > > > My GET calls work correctly, my POST calls 401. > > > Here is the URI: > >http://twitter.com/statuses/update.xml?status=testing > > > Here is my signature base string: > > POST&http%3A%2F%2Ftwitter.com%2Fstatuses > > %2Fupdate.xml&oauth_consumer_key%3Dw9zJ2JxgWTsJN5OyEHIZjw > > %26oauth_nonce > > %3Ddudialjpcnn4p355%26oauth_signature_method%3DHMAC- > > SHA1%26oauth_timestamp%3D1239673686%26oauth_token%3D11173402- > > LxhEcmKGl2zKjsbuBE0tdt4UBAxHoR1LFfrs5tTo4%26oauth_version%3D1.0 > > > And the signature (url encoded): > > E0UkQEmfcaT3DOG7a8L7sImCmVw%3D > > > And the authorization header: > > OAuth > > oauth_consumer_key="w9zJ2JxgWTsJN5OyEHIZjw",oauth_token="11173402- > > LxhEcmKGl2zKjsbuBE0tdt4UBAxHoR1LFfrs5tTo4 > > ",oauth_nonce > > = > > "dudialjpcnn4p355 > > ",oauth_timestamp="1239673686",oauth_signature_method="HMAC- > > SHA1",oauth_signature="E0UkQEmfcaT3DOG7a8L7sImCmVw > > %3D",oauth_version="1.0" > > > And the request header out the door: > > > POST /statuses/update.xml?status=testing HTTP/1.1 > > Content-Type: application/x-www-form-urlencoded > > Authorization: <as above> > > Host: twitter.com > > > - I've also tried including "status=testing" in the list of post > > parameters included > > in the signature hashing. I'm not clear on whether it's expected to > > exist there b/c > > of the normalization done to the URI during signature hashing, i.e. > > otherwise it > > would only exist on the POST itself and not in the signature > > > I wonder if someone could clarify a point about POST with status=X, > > and that is, when preparing a POST with the default W3C application/x- > > www-form-urlencoded content type, are we supposed to: > > > a) remove the status=X line from the URI query, and instead write it > > to the request as POST parameters (and therefore include status=X in > > the signature base string as per OAuth 1.0), or > > > b) keep the status=X in the URI itself, and only including other > > parameters in the POST parameters. > > > I think what might be happening is that .NET treats the Query fragment > > of a URI as post parameters, and maybe all approaches with > > application/ > > x-www-form-urlencoded do; in other words it's not really a query as > > per a GET call, it's just the absolute uri path, and then all query > > params are added to the signature base and written in the POST message > > ---> with different URL escaping than a URI (i.e. +'s are part of the > > POST encoding spec as opposed to %20's that are part of the URI > > encoding spec). > > > See, maybe you can't POST because you use %20's in the sig base but > > +'s in the POST params, which is actually according to the spec. > > > I'd love to know if anyone has some insight into this problem. The > > inability to POST w/ OAuth on Twitter is effecting everyone that uses > > my library. > > > Daniel
