I dont think you got my point. Whether you were signing using both secrets or one secret doesnt matter because twitter wasnt verifying signature at all. Now they have fixed this and all your protected service requests must be signed by both secrets. My problem is how to protect the consumer secret. Looks like i cant protect it as this is the case with desktop clients using oauth
On Tue, Jul 28, 2009 at 6:30 PM, Duane Roelands <duane.roela...@gmail.com>wrote: > > I've been using both consumer keys to sign all of my requests from day > one. > > I still think the issue is related to URL encoding somehow, because I > can successfully post tweets if they don't contain troublesome > characters (apostrophe, for example). > > But, so long as Twitter remains silent, we'll never know. > > On Jul 25, 7:37 am, srikanth yaradla <srikanth.yara...@gmail.com> > wrote: > > Hi > > I am newbie and i need clarification for the following > > > > 1)OAuth 1.0 specification says "All Token requests and Protected > > Resources requests MUST be signed by theConsumer" > > > > But twitter doesnt seem to verify the signature for all requests. I > > found out that signing the request byconsumersecretis required only > > for generating request token and requestsecret. > > But for subsequent requestsconsumersecretis not required. ex > > requesting access tokens or any protected resource (ex fetch direct > > messages). Is this desired behavior?. > > Does twitter verify the signature at all for protected resource > > requests? (i verified with blankconsumersecretwhich means the > > request is signed only by accesssecret) Or Am i missing something? > > > > 2) i am planning to write a desktop application. To protect > theconsumersecreti am trying to introduce a proxy which generates the > > request tokens/secrets, access tokens/secrets. Ifconsumersecretis > > not required for signing protected resource requests this setup would > > work fine with me. > > But the OAuth specification says you require both > accesssecretandconsumersecretto sign the request > > http://oauth.net/core/1.0/#anchor30 > > > > Experienced devs please clarify. > > > > Regards > > Srikanth >
