Never mind, jmathai helped me out. Turns out I needed to add the $data information to the signature string and also double-encode the spaces.
Thanks for your help!

On Apr 14, 10:52 pm, Dimebrain <[email protected]> wrote:
> Hi Matt,
>
> Thanks for replying. I had already tried the approach of using the
> source=test with the signatureBase without success, I still receive
> 401's for all POST calls, but GETs work fine. I'm suspecting that .NET
> itself is doing something that perhaps other libraries don't. I'll
> keep trying some things, including maybe just opening a socket and
> building an HTTP message myself to trace back steps, but just to
> confirm:
>
> - The encoding of x-www-form-urlencoded is not the same escaping
> algorithm as URIs (too lazy to look up RFC numbers), so it should be
> OK for the POST params to use + for spaces and the signatureBase to
> use %20's for spaces, which is the technically correct way.
>
> - Do you know if other libraries, in general, look at a POST request,
> chop off the URI query, and send that as post parameters after the
> initial request data?
>
> Daniel
>
> On Apr 14, 1:55 pm, Matt Sanford <[email protected]> wrote:
> > Hi Daniel,
> >
> > While working through issue 433 [1] we've discussed signatures
> > pretty in-depth. This is an unrelated problem but I think you'll find
> > the discussion about signatures there helpful, as it has several
> > examples. The short-short answer is:
> >
> > • The string you sign should have the status=testing parameter
> > appended, like:
> >
> > POST&http%3A%2F%2Ftwitter.com%2Fstatuses%2Fupdate.xml&oauth_consumer_key%3Dw9zJ2JxgWTsJN5OyEHIZjw%26oauth_nonce%3Ddudialjpcnn4p355%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1239673686%26oauth_token%3D11173402-LxhEcmKGl2zKjsbuBE0tdt4UBAxHoR1LFfrs5tTo4%26oauth_version%3D1.00%26status%3Dtesting
> >
> > • When you make the request the URL should be
> > http://twitter.com/statuses/update.xml
> > and the status=testing parameter should be in the body, like a
> > normal x-www-form-urlencoded POST.
> >
> > Thanks;
> > — Matt Sanford / @mzsanford
> >
> > [1] - http://code.google.com/p/twitter-api/issues/detail?id=433
> >
> > On Apr 14, 2009, at 09:28 AM, Dimebrain wrote:
> > > Hello,
> > >
> > > I originally commented on issue thread 447 but that issue was closed,
> > > so I wanted to repost my problem to see if it's something I'm doing
> > > wrong on my side.
> > >
> > > I am still failing, but using C# / .NET and a self-authored OAuth
> > > implementation.
> > >
> > > My GET calls work correctly, my POST calls 401.
> > >
> > > Here is the URI:
> > > http://twitter.com/statuses/update.xml?status=testing
> > >
> > > Here is my signature base string:
> > > POST&http%3A%2F%2Ftwitter.com%2Fstatuses%2Fupdate.xml&oauth_consumer_key%3Dw9zJ2JxgWTsJN5OyEHIZjw%26oauth_nonce%3Ddudialjpcnn4p355%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1239673686%26oauth_token%3D11173402-LxhEcmKGl2zKjsbuBE0tdt4UBAxHoR1LFfrs5tTo4%26oauth_version%3D1.0
> > >
> > > And the signature (url encoded):
> > > E0UkQEmfcaT3DOG7a8L7sImCmVw%3D
> > >
> > > And the authorization header:
> > > OAuth oauth_consumer_key="w9zJ2JxgWTsJN5OyEHIZjw",oauth_token="11173402-LxhEcmKGl2zKjsbuBE0tdt4UBAxHoR1LFfrs5tTo4",oauth_nonce="dudialjpcnn4p355",oauth_timestamp="1239673686",oauth_signature_method="HMAC-SHA1",oauth_signature="E0UkQEmfcaT3DOG7a8L7sImCmVw%3D",oauth_version="1.0"
> > >
> > > And the request header out the door:
> > >
> > > POST /statuses/update.xml?status=testing HTTP/1.1
> > > Content-Type: application/x-www-form-urlencoded
> > > Authorization: <as above>
> > > Host: twitter.com
> > >
> > > - I've also tried including "status=testing" in the list of post
> > > parameters included in the signature hashing. I'm not clear on
> > > whether it's expected to exist there b/c of the normalization done
> > > to the URI during signature hashing, i.e. otherwise it would only
> > > exist on the POST itself and not in the signature
> > >
> > > I wonder if someone could clarify a point about POST with status=X,
> > > and that is, when preparing a POST with the default W3C
> > > application/x-www-form-urlencoded content type, are we supposed to:
> > >
> > > a) remove the status=X line from the URI query, and instead write it
> > > to the request as POST parameters (and therefore include status=X in
> > > the signature base string as per OAuth 1.0), or
> > >
> > > b) keep the status=X in the URI itself, and only include other
> > > parameters in the POST parameters.
> > >
> > > I think what might be happening is that .NET treats the Query fragment
> > > of a URI as post parameters, and maybe all approaches with
> > > application/x-www-form-urlencoded do; in other words it's not really
> > > a query as per a GET call, it's just the absolute uri path, and then
> > > all query params are added to the signature base and written in the
> > > POST message ---> with different URL escaping than a URI (i.e. +'s
> > > are part of the POST encoding spec as opposed to %20's that are part
> > > of the URI encoding spec).
> > >
> > > See, maybe you can't POST because you use %20's in the sig base but
> > > +'s in the POST params, which is actually according to the spec.
> > >
> > > I'd love to know if anyone has some insight into this problem. The
> > > inability to POST w/ OAuth on Twitter is affecting everyone that uses
> > > my library.
> > >
> > > Daniel
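
The fix reported at the top of this thread (sign the POST body parameters, and percent-encode spaces twice in the base string), shown as an added example that is not part of the original posts or of any poster's library. The function names and all credential values are constructed placeholders; the URL is the one from the thread.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

def pct(value):
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved chars stay literal."""
    return quote(value, safe="-._~")  # a space becomes %20, never "+"

def signature_base_string(method, url, oauth_params, body_params):
    parts = urlsplit(url)
    # The base URL excludes the query string; query parameters are signed
    # together with the form-body and oauth_* parameters instead.
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += list(body_params.items()) + list(oauth_params.items())
    # First pass: encode every name and value on its own, then sort.
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    # Second pass: the joined parameter string is encoded again, so a space
    # inside a value ends up as %2520 in the base string.
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample values (placeholders, not real credentials).
OAUTH = {
    "oauth_consumer_key": "EXAMPLE_CONSUMER_KEY",
    "oauth_nonce": "examplenonce",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1239673686",
    "oauth_token": "EXAMPLE_TOKEN",
    "oauth_version": "1.0",
}
BODY = {"status": "hello world"}
URL = "http://twitter.com/statuses/update.xml"

BASE = signature_base_string("POST", URL, OAUTH, BODY)
WIRE_BODY = urlencode(BODY)  # form encoding on the wire: status=hello+world
SIGNATURE = hmac_sha1_signature(BASE, "EXAMPLE_CONSUMER_SECRET",
                                "EXAMPLE_TOKEN_SECRET")

if __name__ == "__main__":
    print(BASE, WIRE_BODY, SIGNATURE, sep="\n")
```

The body may use `+` for the space on the wire because the server decodes it before rebuilding the base string; the signature only matches if the signer encoded the decoded value the same way.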
