I'm developing yet another API binding based on the MsXml2.XmlHttp
class (aka XMLHttpRequest in AJAX for IE), it's an API for desktop

I use the workflow described in http://apiwiki.twitter.com/Sign-in-with-Twitter
to authenticate via OAuth with PIN. All works fine up to retrieving
the final Access-Token:

a) http://twitter.com/oauth/request_token
=> returns oauth_token and oauth_token_secret,
oauth_callback_confirmed=true (OK)

b) http://twitter.com/oauth/authorize?oauth_callback=oob&oauth_token=...
=> login dialog, finally getting a PIN (OK)

c) http://twitter.com/oauth/access_token (with pin)
=> returns oauth_token, oauth_token_secret, userid and screenname (OK)

Afterward for all further requests I send with the access token I get
a response of 401 Unauthorized.

Server: hi
WWW-Authenticate: Basic realm="Twitter API"
Status: 401 Unauthorized

And in the body the error message "Incorrect signature"

Also MsXml2.XmlHttp is popping up a login dialog for Basic Auth.

The signature is fine and computed using the exact same way and code I
used in all the previous three working requests. I triple checked my
signing code, which uses a DLL for HMAC-SHA1 signing. I sign all
parameters sorted alphabetical and encoded correcty (I could post an
example, if you don't trust me on this), so what am I really missing?

I used Wireshark and sniffed HTTP packets of another client using
OAuth. From that I found it's sending the PIN (oauth_verifier) not
only in the request of the access_token, but also in all further

That didn't help

from the  WWW-Authenticate response header I assume the Authenticate
header is non optional in requests.
I already tried adding one via the SetRequestHeader method of the
MsXml2.XmlHttp class.

That didn't worked out.

Besides being dissatisfied with the misleading error, is it true, that
twitter requires the Authenticate Header? I wonder why. Section 5.4.
of the OAuth Code 1.0 - "OAuth HTTP Authorization Scheme" says:

"It is RECOMMENDED that Service Providers accept the HTTP
Authorization header. Consumers SHOULD be able to send OAuth Protocol
Parameters in the OAuth Authorization header."

But that does not mean an OAuth service provider MUST require this
header -- it only SHOULD support requests having such a header, but
not require it, should it?

I preferred sending the oauth parameters application/x-www-form-
urlencoded in the body of the POST. If the HTTP Authorization header
is nonoptional, where is that documented? If it's nonoptional, how can
I suppress the BasicAuth header MsXml2.XmlHttp sends in, which leads
to the login popup dialog (I assume)?

I assume that is the final problem I have, because I already tried
adding a Authenticate header as said above and that didn't worked.

Error messages coming back from twitter are not verbose.

Bye, Olaf.

Reply via email to