Hi Taylor,

Thanks for your quick response.

So I did notice the ampersand at the end of the consumer secret (normally it's between the consumer secret and the token secret, right?). The HMAC_SHA1 class that I'm attempting to use in my above example does that (line 69 of HMAC_SHA1.java), and in my code I did the same. As for url-encoding the signature, well, you can see that's not the difference between what I'm generating and what the doc shows. For what it's worth, my code and net.oauth.signature.HMAC_SHA1 generate the same signature, but it's different from what's in the Twitter documentation :|

I've put up an example of my code on PasteBin so you can run it entirely independent of any other libraries. If anyone can get it to generate the same signature that the documentation says it should be, I'll be thrilled :)

http://thomnichols.pastebin.com/w6i47wNA

Thanks.
-Tom

On Apr 29, 12:13 pm, Taylor Singletary <taylorsinglet...@twitter.com> wrote:
> Hi Thom,
>
> I like your approach. I think there are two things possibly wrong in your
> implementation.
>
> The first: Your signing key needs to have the "&" character at the end, even
> when there's no additional oauth_token_secret in the request.
>
> Instead of your signing key being
> "MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98"
> it should be "MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98&" (this part is
> mentioned as part of the examples in this section on our auth document)
>
> The second: One detail I may have omitted in the documentation that might be
> key for you here is the following snippet from the OAuth specification:
>
> oauth_signature is set to S, first base64-encoded per [RFC2045]
> <http://oauth.net/core/1.0a/#RFC2045> section 6.8, then URL-encoded per
> Parameter Encoding <http://oauth.net/core/1.0a/#encoding_parameters>.
>
> Hope this helps! The second point of information is often non-relevant,
> but it's good to keep in mind.
>
> Taylor Singletary
> Developer Advocate, Twitter
> http://twitter.com/episod
>
> On Thu, Apr 29, 2010 at 8:56 AM, Thom Nichols <tmnich...@gmail.com> wrote:
> > So I'm trying to implement an OAuth consumer* and running into some
> > trouble. As a sanity check I'm trying to replicate the example
> > provided in the dev documentation
> > (http://dev.twitter.com/pages/auth#request-token). I'm stuck when
> > generating the signature for the request. That is, if I use the example
> > parameters and example secret key, the signature in the example doesn't
> > match the signature I'm generating. So I took another step back to see
> > if I can use the net.oauth Java implementation, and _that_ doesn't
> > create a signature matching what's in the example either! So either I'm
> > doing something painfully wrong or the Twitter documentation is
> > incorrect.
> >
> > If I take the 'base string' in the documentation and try to sign it
> > with the 'signing key' from the example, it's only a couple lines of
> > Groovy to use the net.oauth API:
> >
> > import net.oauth.signature.HMAC_SHA1
> >
> > // string from the example
> > def str = 'POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Flocalhost%253A3005%252Fthe_dance%252Fprocess_callback%253Fservice_provider_id%253D11%26oauth_consumer_key%3DGDdmIQH6jhtmLUypg82g%26oauth_nonce%3DQP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk%26oauth_signature_method%3DHMAC_SHA1%26oauth_timestamp%3D1272323042%26oauth_version%3D1.0'
> >
> > // use the consumer secret from the example:
> > def hmac = new HMAC_SHA1(consumerSecret:'MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98')
> >
> > println hmac.getSignature(str)
> > // prints 'cz+LlAuzclTvE2YQiNogw3dC4yo='
> > // Example gives: 8wUi7m5HFQy76nowoCThusfgB+Q=
> >
> > Any ideas? Let me reiterate -- I know I can't use the example secret
> > key & parameters in my own code... I'm trying to use some 'known
> > constant' to verify that at least I'm performing the hash operation
> > correctly. My _real_ code uses javax.crypto.Mac similar to what's
> > being done by net.oauth...HMAC_SHA1. You can see the code here:
> >
> > http://oauth.googlecode.com/svn/code/java/core/commons/src/main/java/...
> >
> > So my theory is, either the Twitter documentation is wrong and I
> > shouldn't trust it as a basis for implementing my own oauth consumer
> > code, or there's some problem with how javax.crypto.Mac is being
> > used... Or I'm doing something else totally idiotic. Any ideas?
> >
> > Thanks.
> >
> > * partially as just an academic exercise, I know there are other OAuth
> > implementations for Java. So please don't ask "why don't you just use
> > Twitter4j or OAuth library ____?" :)
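
Added example (not part of the thread, and not code from net.oauth or Twitter): a Python sketch of the OAuth 1.0a HMAC-SHA1 signing rules discussed above, with a helper that names which mistake (missing "&", premature URL-encoding, hex output) would produce a given mismatching signature. The function names and the SECRET and BASE sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """OAuth parameter encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(value, safe="")


def signing_key(consumer_secret: str, token_secret: str = "") -> bytes:
    # The '&' separator is always present, even when no token secret exists yet.
    return f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")


def _mac(key: bytes, base_string: str) -> bytes:
    return hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()


def sign(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Base64 signature S; apply pct() to it only when placing it in the request."""
    key = signing_key(consumer_secret, token_secret)
    return base64.b64encode(_mac(key, base_string)).decode("ascii")


def diagnose(base_string, consumer_secret, observed, token_secret=""):
    """Name the mistake that would turn the correct signature into `observed`."""
    good = sign(base_string, consumer_secret, token_secret)
    bare = _mac(consumer_secret.encode("utf-8"), base_string)  # key without '&'
    full = _mac(signing_key(consumer_secret, token_secret), base_string)
    candidates = [
        ("ok", good),
        ("already percent-encoded", pct(good)),
        ("signing key is missing the trailing '&'",
         base64.b64encode(bare).decode("ascii")),
        ("hex digest instead of base64", full.hex()),
    ]
    for label, value in candidates:
        # Constant-time comparison, as a verifier of signatures should use.
        if hmac.compare_digest(value.encode(), observed.encode()):
            return label
    return "no match: compare the signature base strings byte by byte"


# Constructed sample input, not the values from the Twitter documentation.
SECRET = "constructed-consumer-secret"
BASE = "POST&https%3A%2F%2Fapi.example.com%2Foauth%2Frequest_token&oauth_nonce%3Dabc"

if __name__ == "__main__":
    print(sign(BASE, SECRET), diagnose(BASE, SECRET, sign(BASE, SECRET)))
```
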