Howdy all,

Thanks to all your help, I was able to get my token methods working. However, now that I've tried to set up my client to post its first message, I'm getting a 401 again. Here's the TCP trace from Wireshark:

POST /statuses/update.xml HTTP/1.1
Authorization: OAuth realm="OAuth",oauth_consumer_key="9CCTnLpstYI8RIxGE7yhQ",oauth_nonce="LDhXkR",oauth_timestamp="1245124830",oauth_verifier="115975",oauth_signature="W7XmRZBaLA4AIhbhGwPYkFPJnOY%3D",oauth_token="47493262-GOzBr4mQt6u5xp4S40Rvj8jQnU3TIhVw66NSOhNlF",oauth_signature_method="HMAC-SHA1",oauth_version="1.0a"
User-Agent: Java/1.5.0
Host: twitter.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 69

status=This%20is%20my%20first%20twimblr%20test%20EVER%201245124830500

HTTP/1.1 401 Unauthorized
Date: Tue, 16 Jun 2009 04:00:37 GMT
Server: hi
Status: 401 Unauthorized
Cache-Control: no-cache, max-age=300
Content-Type: text/html; charset=utf-8
Content-Length: 43
Set-Cookie: _twitter_sess=BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7AA%253D%253D--1164b91ac812d853b877e93ddb612b7471bebc74; domain=.twitter.com; path=/
Expires: Tue, 16 Jun 2009 04:05:37 GMT
Vary: Accept-Encoding
Connection: close

Failed to validate oauth signature or token

*(note: there are no bytes, endline or anything, after the "status" variable)*

*Here's my Signature Base String:*

POST&http%3A%2F%2Ftwitter.com%2Fstatuses%2Fupdate.xml&oauth_consumer_key%3D9CCTnLpstYI8RIxGE7yhQ%26oauth_nonce%3DLDhXkR%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1245124830%26oauth_token%3D47493262-GOzBr4mQt6u5xp4S40Rvj8jQnU3TIhVw66NSOhNlF%26oauth_verifier%3D115975%26oauth_version%3D1.0a%26status%3DThis%20is%20my%20first%20twimblr%20test%20EVER%201245124830500

*My question(s) for you:*

0. Does anyone see anything blatantly wrong (I suppose a yes to this would obviate answering any of the next questions)?
1. Should I be including the oauth_verifier in the signature base string and OAuth header? I've tried it with and without, and seem to get the 401 either way.
2. Should the "status" variable be included in the OAuth header? The way I'm reading the spec, I don't think so, but I wanted to confirm.
3. Should the "status" line in the POST request be encoded per the OAuth spec or via URL encoding (that is, should spaces be encoded as "+" or "%20")?

Thanks!

--
Internets. Serious business.
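
An added example (not part of the original post, and not Twitter's code) that builds the OAuth 1.0 signature base string for this request following the parameter normalization rules in RFC 5849, section 3.4.1. Parameter values are copied from the trace above and use the same parameter set as the posted base string; the two secrets are constructed placeholders and the function names are my own.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

def pct(value):
    """OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(value, safe="-._~")

def signature_base_string(method, url, oauth_params, form_body):
    """Build the base string from the OAuth parameters and the form body."""
    # Decode the body first, so "+" and "%20" both become a plain space.
    params = list(oauth_params.items()) + parse_qsl(form_body)
    # Encode each name and value once, sort, and join into one string.
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # That string is then encoded again as a whole, so a space in a value
    # ends up as %2520 and the "=" and "&" separators as %3D and %26.
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign_hmac_sha1(base, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Parameter values copied from the trace in the post.
OAUTH_PARAMS = {
    "oauth_consumer_key": "9CCTnLpstYI8RIxGE7yhQ",
    "oauth_nonce": "LDhXkR",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1245124830",
    "oauth_token": "47493262-GOzBr4mQt6u5xp4S40Rvj8jQnU3TIhVw66NSOhNlF",
    "oauth_verifier": "115975",
    "oauth_version": "1.0a",
}
URL = "http://twitter.com/statuses/update.xml"
BODY = "status=This%20is%20my%20first%20twimblr%20test%20EVER%201245124830500"
BASE = signature_base_string("POST", URL, OAUTH_PARAMS, BODY)

if __name__ == "__main__":
    print(BASE)
    # Constructed placeholder secrets; the real ones are not in the post.
    print(sign_hmac_sha1(BASE, "CONSUMER_SECRET_PLACEHOLDER",
                         "TOKEN_SECRET_PLACEHOLDER"))
```

The base string this produces differs from the one in the post only in the status value, where each space appears as %2520 rather than %20. Sending the body with "+" or "%20" for spaces yields the same base string, because the value is decoded before it is normalized.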
