Hi David,

I found your excellent post hoping that it would solve the same
challenge for my app: updating profile image via Oauth... using
similar .net base to yourself...
BUT I just get the 401 all the time... despite taking your advice to
just sign with the HTTPmethod & URL.... My post data is laid out much
like yours... though I never got that 500 error...

I've tried all sorts... dropping the & off the end.... different

What encoding did you use to encode your image, and then to post the

Does it still work for you... or did this get broken when Twitter
'fixed' their Oauth implementation?

Can anyone else advise if they have got this working and where I might
be going wrong?


Simon (Zaudio)

On Aug 19, 11:40 pm, David Carson <carson63...@gmail.com> wrote:
> Got this sorted out and working, and thought I should share the two
> pitfalls which were causing me problems.
> First of all, unbelievably, the 500 Internal Server Error was being
> caused by an extra carriage return between my last HTTP header and the
> first multipart boundary. Seriously. I had two blank lines in there
> instead of one. Removed the extra carriage return, and my 500
> vanished, being replaced by a more reasonable "(401) Unauthorized -
> Incorrect signature" error.
> Secondly, the OAuth documentation seems a bit shaky when it comes to
> multipart/form-data POSTs. But basically, you do NOT use any of the
> POST parameters when creating your signature. And this includes all of
> the OAuth-specific parameters like oauth_consumer_key,
> oauth_signature_method, etc. Bit of a security hole imho, OAuth
> implements all this complexity to avoid man-in-the-middle or replay
> attacks, and as soon as you do a multipart POST it's all negated.
> So, my signature base was literally:
> POST&http%3A%2F%2Ftwitter.com%2Faccount%2Fupdate_profile_image.xml&
> Just the HTTP method and the URL. No parameters.
> Once I made that change to the signature generation, my request went
> through fine and my avatar changed.
> Hope this helps someone!
> Cheers,
> David...

Reply via email to