I'm working on an iPhone app using xAuth (which is great!). I'm
exchanging user credentials for an access token, storing it and using
the token to make subsequent calls to the APIs just fine. I'm having
trouble, however, with the account update_profile_image API
(http://api.twitter.com/1/account/update_profile_image.xml). When calling
that API I'm receiving a 401 [unauthorized] response with a return of:
  <error>Invalid / used nonce</error>

Full headers:
(401) [unauthorized]:
    "Cache-Control" = "no-cache, max-age=1800";
    Connection = close;
    "Content-Encoding" = gzip;
    "Content-Length" = 142;
    "Content-Type" = "application/xml; charset=utf-8";
    Date = "Thu, 08 Apr 2010 15:45:12 GMT";
    Expires = "Thu, 08 Apr 2010 16:15:09 GMT";
    Server = hi;
    "Set-Cookie" = "guest_id=1270741512433; path=/; expires=Sat, 08
May 2010 15:45:12 GMT,
%253D--1164b91ac812d853b877e93ddb612b7471bebc74; domain=.twitter.com;
    Status = "401 Unauthorized";
    Vary = "Accept-Encoding";
    "Www-Authenticate" = "Basic realm=\"Twitter API\"";

When I send a request to the statuses/update API
(http://api.twitter.com/1/statuses/update.xml) using the same access token it
works fine. I've also tested the same update_profile_image call in my
code with basic auth to rule out any malformed multipart form-data etc.
and that works OK.

I've noticed that when sending to the update_profile_image API I'm
receiving an authentication challenge. I don't receive the challenge
with other API calls. It's my understanding that when sending an OAuth
authentication header, a challenge should not be sent.

I'm using Ben Gottlieb's twitter OAuth library for the OAuth portion.
This library (and the other iPhone OAuth libraries) essentially ignore
any challenges by responding with
"continueWithoutCredentialForAuthenticationChallenge" in the challenge
delegate method. Ben's library is integrated with the MGTwitter engine
which unfortunately does not include many of the account API calls
(including update_profile_image) which is why I'm writing my own.

Should the authentication challenge be expected? If so, any
recommendation on how to respond to the challenge?
