I'm developing yet another API binding based on the MsXml2.XmlHttp class (aka XMLHttpRequest in AJAX for IE); it's an API for desktop clients.

I use the workflow described in http://apiwiki.twitter.com/Sign-in-with-Twitter to authenticate via OAuth with PIN. All works fine up to retrieving the final Access-Token:

a) http://twitter.com/oauth/request_token => returns oauth_token and oauth_token_secret, oauth_callback_confirmed=true (OK)
b) http://twitter.com/oauth/authorize?oauth_callback=oob&oauth_token=... => login dialog, finally getting a PIN (OK)
c) http://twitter.com/oauth/access_token (with pin) => returns oauth_token, oauth_token_secret, userid and screenname (OK)

Afterward, for all further requests I send with the access token, I get a response of 401 Unauthorized:

Server: hi
WWW-Authenticate: Basic realm="Twitter API"
Status: 401 Unauthorized
...

And in the body the error message "Incorrect signature". Also MsXml2.XmlHttp is popping up a login dialog for Basic Auth.

The signature is fine and computed in exactly the same way, with the same code, I used in all the previous three working requests. I triple-checked my signing code, which uses a DLL for HMAC-SHA1 signing. I sign all parameters sorted alphabetically and encoded correctly (I could post an example, if you don't trust me on this), so what am I really missing?

I used Wireshark and sniffed HTTP packets of another client using OAuth. From that I found it's sending the PIN (oauth_verifier) not only in the request of the access_token, but also in all further requests. That didn't help.

From the WWW-Authenticate response header I assume the Authenticate header is non-optional in requests. I already tried adding one via the SetRequestHeader method of the MsXml2.XmlHttp class. That didn't work out.

Besides being dissatisfied with the misleading error, is it true that Twitter requires the Authenticate header? I wonder why. Section 5.4 of OAuth Core 1.0, "OAuth HTTP Authorization Scheme", says: "It is RECOMMENDED that Service Providers accept the HTTP Authorization header. Consumers SHOULD be able to send OAuth Protocol Parameters in the OAuth Authorization header." But that does not mean an OAuth service provider MUST require this header; it only SHOULD support requests having such a header, but not require it, should it? I preferred sending the oauth parameters application/x-www-form-urlencoded in the body of the POST.

If the HTTP Authorization header is non-optional, where is that documented? If it's non-optional, how can I suppress the BasicAuth header MsXml2.XmlHttp sends, which leads to the login popup dialog (I assume)? I assume that is the final problem I have, because I already tried adding an Authenticate header as said above and that didn't work. Error messages coming back from Twitter are not verbose.

Bye, Olaf.
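Added reference example (not part of Olaf's post, and not Twitter's or anyone's library code): a minimal OAuth 1.0 HMAC-SHA1 signer in Python that builds the signature base string, computes the signature, and then renders the same signed parameter set both as an Authorization header and as an application/x-www-form-urlencoded body, which are the two transports the post discusses. The credentials, nonce and timestamp are the published test vector from OAuth Core 1.0 Appendix A (not real secrets), so the expected signature is known; running a suspect signing routine against a vector with a known answer is the quickest way to separate "my signing is wrong" from "the server wants something else". Per the spec, the request is keyed with the consumer secret plus the token secret of the token being used, and oauth_verifier (the PIN) appears only in the access_token exchange, so this example deliberately leaves it out of post-exchange requests; the token and secret below stand in for whatever step c) returned.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed inputs: the OAuth Core 1.0 Appendix A test vector, not live credentials.
CONSUMER_KEY = "dpf43f3p2l4k3l03"
CONSUMER_SECRET = "kd94hf93k423kf44"
ACCESS_TOKEN = "nnch734d00sl2jdk"          # stands in for the oauth_token from step c)
ACCESS_TOKEN_SECRET = "pfkkdhi9sl3r4s00"   # stands in for the oauth_token_secret from step c)


def pct(value) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build METHOD&enc(base-url)&enc(normalized-params) per OAuth Core 1.0 section 9.1."""
    parts = urllib.parse.urlsplit(url)
    # Base URL: lowercase scheme and host, path kept, query and fragment dropped
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query-string parameters are signed together with the oauth_* and body parameters
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    all_params = list(query) + list(params.items())
    # Encode key and value first, then sort by encoded key, then encoded value
    encoded = sorted((pct(k), pct(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is enc(consumer_secret)&enc(token_secret); token_secret is empty only for request_token."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method: str, url: str, extra_params: dict, nonce: str, timestamp: int,
                 token: str = ACCESS_TOKEN, token_secret: str = ACCESS_TOKEN_SECRET) -> dict:
    """Return the oauth_* parameter set, including oauth_signature, for one API request.

    extra_params are the non-OAuth parameters that will travel in the POST body; they are
    part of the signature but are NOT placed in the Authorization header.
    """
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**oauth, **extra_params})
    oauth["oauth_signature"] = hmac_sha1_signature(base, CONSUMER_SECRET, token_secret)
    return oauth


def authorization_header(oauth_params: dict, realm: str = "") -> str:
    """Render the oauth_* parameters as an 'Authorization: OAuth ...' header value (section 5.4.1)."""
    fields = [f'realm="{realm}"'] if realm else []
    fields += [f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items())]
    return "OAuth " + ", ".join(fields)


def form_body(oauth_params: dict, extra_params: dict) -> str:
    """Alternative transport: everything as application/x-www-form-urlencoded in the POST body."""
    merged = {**oauth_params, **extra_params}
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(merged.items()))


if __name__ == "__main__":
    # The Appendix A request: GET http://photos.example.net/photos?file=vacation.jpg&size=original
    signed = sign_request("GET", "http://photos.example.net/photos?file=vacation.jpg&size=original",
                          {}, nonce="kllo9940pd9333jh", timestamp=1191242096)
    print("Authorization:", authorization_header(signed, realm="http://photos.example.net/"))
    print("Body:", form_body(signed, {}))
```

The spec's answer for this vector is oauth_signature tR3+Ty81lMeYAr/Fid0kMTYa/WM=; if a signer reproduces that, its encoding, sorting and keying are right, and a 401 with "Incorrect signature" then points at the inputs instead (wrong token secret after the access_token exchange, a parameter present in the request but missing from the base string, or the reverse). Note also that an Authorization header carries the oauth_* parameters only; body and query parameters are signed but sent in their usual place.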