Just eyeballing this: your POST body is over-URL encoded. Your POST body
should be simply:
x_auth_username=XXXXX&x_auth_password=XXXXX&x_auth_mode=client_auth

But the values of each key should be URL escaped (so if there's an email
address, username, or password with non-URL-safe characters, they would be
URL encoded -- and double URL encoded in your signature base string).

Otherwise, at first glance anyway, this looks pretty close to right.


Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Wed, May 12, 2010 at 10:58 AM, DWF <dwfr...@pivotallabs.com> wrote:

> We're trying this out now & think we're approved.  But we're still
> seeing 401s when requesting a user token.
>
> (username & password hidden with XXXXXX below)
>
> Here's our base string:
>
> POST&https%3A%2F%2Fapi.twitter.com%2Foauth
> %2Faccess_token&oauth_consumer_key%3DWFKpuxJsIdVbesPtUAN6w
> %26oauth_nonce%3DMTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc%3D
> %26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
> %3D1273686593%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth
> %26x_auth_password%3DXXXXX%26x_auth_username%3DXXXXX
>
> Here's our POST (using hurl.it as it looks like twurl doesn't support
> this API endpoint yet):
>
> -----
> POST /oauth/access_token HTTP/1.1
> Host: api.twitter.com
> Authorization: OAuth oauth_signature_method="HMAC-SHA1",
> oauth_nonce="MToxOjEyMzcxNzEyNzM2ODY1OTM4Mjc%3D",
> oauth_timestamp="1273686593",
> oauth_consumer_key="WFKpuxJsIdVbesPtUAN6w", oauth_version="1.0",
> oauth_signature="4f23193590c2b66c5ea23ce5deae9c767998a902"
> Accept: application/json
> Content-Length: 93
> Content-Type: application/x-www-form-urlencoded
>
> x%5Fauth%5Fusername=XXXXX&x%5Fauth%5Fpassword=XXXXX&x%5Fauth
> %5Fmode=client%5Fauth
>
> -----
>
> And we're getting this response (sad panda):
>
> -----
> HTTP/1.1 401 Unauthorized
> Date: Wed, 12 May 2010 17:52:11 GMT
> Server: hi
> Status: 401 Unauthorized
> X-Transaction: 1273686731-92894-17698
> Last-Modified: Wed, 12 May 2010 17:52:11 GMT
> X-Runtime: 0.03752
> Content-Type: text/html; charset=utf-8
> Content-Length: 44
> Pragma: no-cache
> X-Revision: DEV
> Expires: Tue, 31 Mar 1981 05:00:00 GMT
> Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
> check=0
> Set-Cookie: k=74.207.226.80.1273686729321903; path=/; expires=Wed, 19-
> May-10 17:52:09 GMT; domain=.twitter.com
> Set-Cookie: guest_id=127368673134928431; path=/; expires=Fri, 11 Jun
> 2010 17:52:11 GMT
> Set-Cookie:
> _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFUqpY0oAToRdHJhbnNfcHJvbXB0MDoHaWQi
> %250AJTc1OGJjN2ZjODIwYWNhYzY3NjJlZGQzYWFjNTFlYmEyIgpmbGFzaElDOidB
> %250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
> ab999812f9cfb9a01a8095a2e3d0f84fd9c1e0d7; domain=.twitter.com; path=/
> Vary: Accept-Encoding
> Connection: close
>
> Failed to validate oauth signature and token
>
> ----
>
> This look familiar to anyone?
>
> Thanks,
> --dwf
>
>
>
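
The encoding rule from the reply above, as an added example (not code from either poster or from Twitter): values are percent-encoded once in the POST body and end up encoded twice in the signature base string. The credentials, consumer key, consumer secret and nonce are constructed sample values, and the helper names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

URL = "https://api.twitter.com/oauth/access_token"  # endpoint from the thread

# Constructed sample values (not real credentials or keys).
OAUTH = {
    "oauth_consumer_key": "CONSUMER_KEY_PLACEHOLDER",
    "oauth_nonce": "constructednonce123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1273686593",
    "oauth_version": "1.0",
}
XAUTH = {
    "x_auth_username": "user@example.com",
    "x_auth_password": "p@ss w+rd&1",
    "x_auth_mode": "client_auth",
}

def pct(s):
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved chars stay literal."""
    return quote(s, safe="-._~")

def form_body(params):
    """POST body: each key and value encoded once, joined with literal = and &."""
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in params.items())

def base_string(method, url, oauth_params, body_params):
    """Signature base string: the sorted, encoded pairs are encoded again as a unit."""
    pairs = sorted((pct(k), pct(v)) for k, v in {**oauth_params, **body_params}.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature: base64 of the raw digest; the token secret is empty here."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

if __name__ == "__main__":
    print(form_body(XAUTH))
    base = base_string("POST", URL, OAUTH, XAUTH)
    print(base)
    print(sign(base, "constructed-consumer-secret"))
```

In the body the `@` appears as `%40`; in the base string the same character appears as `%2540`, which is the double encoding the reply describes.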
