Hi Thom,

I like your approach. I think there are two things possibly wrong in your

The first: Your signing key needs to have the "&" character at the end, even
when there's no additional oauth_token_secret in the request.

Instead, of your signing key being
it should be "MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98&" (this part is
mentioned as part of the examples in this section on our auth document)

The second: One detail I may have omitted in the documentation that might be
key for you here is the following snippet from the OAuth specification:

oauth_signature is set to S, first base64-encoded per [RFC2045] (Freed, N.
and N. Borenstein, “Multipurpose Internet Mail Extensions (MIME) Part One:
Format of Internet Message Bodies,” .)
<http://oauth.net/core/1.0a/#RFC2045>section 6.8, then URL-encoded per
Encoding (Parameter Encoding)<http://oauth.net/core/1.0a/#encoding_parameters>

Hope this helps! The second point of information is often a non-relevant,
but it's good to keep in mind.

Taylor Singletary
Developer Advocate, Twitter

On Thu, Apr 29, 2010 at 8:56 AM, Thom Nichols <tmnich...@gmail.com> wrote:

> So I'm trying to implement an OAuth consumer* and running into some
> trouble.  As a sanity check I'm trying to replicate the example
> provided in the dev documentation (http://dev.twitter.com/pages/
> auth#request-token).  I'm stuck when generating the signature for the
> request.  That is, if I use the example parameters and example secret
> key, the signature in the example doesn't match the signature I'm
> generating.  So I took another step back to see if I can use the
> net.oauth Java implementation, and _that_ doesn't create a signature
> matching what's in the example either!  So either I'm doing something
> painfully wrong or the Twitter documentation is incorrect.
> If I take the 'base string' in the documentation and try to sign it
> with the 'signing key' from the example, it's only a couple lines of
> Groovy to use the net.oauth API:
> import net.oauth.signature.HMAC_SHA1
> // string from the example
> def str = 'POST&https%3A%2F%2Fapi.twitter.com%2Foauth
> %2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Flocalhost
> %253A3005%252Fthe_dance%252Fprocess_callback%253Fservice_provider_id
> %253D11%26oauth_consumer_key%3DGDdmIQH6jhtmLUypg82g%26oauth_nonce
> %3DQP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk%26oauth_signature_method
> %3DHMAC_SHA1%26oauth_timestamp%3D1272323042%26oauth_version%3D1.0'
> // use the consumer secret from the example:
> def hmac = new
> HMAC_SHA1(consumerSecret:'MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98')
> println hmac.getSignature(str)
> // prints 'cz+LlAuzclTvE2YQiNogw3dC4yo=
> // Example gives: 8wUi7m5HFQy76nowoCThusfgB+Q=
> Any ideas?  Let me reiterate -- I know i can't use the example secret
> key & parameters in my own code...  I'm trying to use some 'known
> constant' to verify that at least I'm performing the hash operation
> correctly.  My _real_ code uses javax.crypto.Mac similar to what's
> being done by net.oauth...HMAC_SHA1.  You can see the code here:
> http://oauth.googlecode.com/svn/code/java/core/commons/src/main/java/net/oauth/signature/HMAC_SHA1.java
> So my theory is, either the Twitter documentation is wrong and I
> shouldn't trust it as a basis for implementing my own oauth consumer
> code, or there's some problem with how javax.crypto.Mac is being
> used...  Or I'm doing something else totally idiotic.  Any ideas?
> Thanks.
> * partially as just an academic exercise, I know there are other OAuth
> implementations for Java.  So please don't ask "why don't you just use
> Twitter4j or OAuth library ____?"  :)

Reply via email to