> What environment are you trying to execute this code in? Javascript in most
> use cases is not an appropriate vehicle for performing OAuth operations --
> unless you "are" the web browser or another kind of application development
> environment in which Javascript is a bit more secure.

I'm using JavaScript in Adobe AIR for a desktop application, and I save the
sensitive data in the Encrypted Local Store.

> That said, I helped a developer through a Javascript OAuth implementation
> last week and after much bashing of the head against the desk, it was found
> that the HMAC_SHA1 algorithm being used was not doing the right thing and
> using the wrong kind of padding.
> Are you able to reproduce the signatures (given exactly the same inputs) as
> detailed on http://dev.twitter.com/pages/auth?

Yes, I used the inputs from the mentioned article and get the same output
using the HMAC_SHA1 in my code.



> Have you traced the request to ensure that your authorization header is
> actually being sent properly? How are you avoiding cross-domain issues?

AIR allows cross-domain requests, but I didn't trace the request (I'll
trace it after replying).


> Taylor Singletary
> Developer Advocate, Twitter http://twitter.com/episod
>
> On Thu, May 6, 2010 at 5:13 PM, mostafa farghaly <keepon...@gmail.com> wrote:
>
> > every time i get "failed to validate outh token and signature" :(
> > here's my simple code
> // Posted xAuth sample: hand-builds an OAuth 1.0 signature base string and Authorization header, then sends username/password to the access_token endpoint.
> >                        var username = "username",
> >                                password = "password",
> >                                url= "
> >https://api.twitter.com/oauth/access_token";,
> >                                key = "key",  // NOTE(review): the URL literal above is split across lines with a stray ";" -- looks like a mail-archive artifact, not the poster's code
> >                                timestamp = +new Date,  // NOTE(review): unary + on a Date yields milliseconds; OAuth 1.0 defines oauth_timestamp in seconds
> >                                nonce = "thisismynoncce" + timestamp;  // fixed prefix plus timestamp: predictable, and unique only per millisecond
> // NOTE(review): the values below are concatenated raw; OAuth 1.0 expects each name and value to be percent-encoded before joining, so a password containing & = + or % would corrupt the signed string.
> >                var access_token = "oauth_consumer_key=" + key +
> >                        "&oauth_nonce=" + nonce +
> >                        "&oauth_signature_method=HMAC_SHA1" +  // NOTE(review): signed as HMAC_SHA1 (underscore) but sent as HMAC-SHA1 in the header below, so the signed and transmitted values differ
> >                        "&oauth_timestamp=" + timestamp +
> >                        "&oauth_version=1.0" +
> >                        "&x_auth_mode=client_auth" +
> >                        "&x_auth_password=" + password +
> >                        "&x_auth_username=" + username;
> // Signature base string: verb & encoded URL & encoded parameter string. encodeURIComponent leaves ! * ' ( ) unescaped, which OAuth percent-encoding does not -- TODO confirm inputs never contain them.
> >                        var base_string = "POST&" + encodeURIComponent(url)
> > + "&" +
> > encodeURIComponent(access_token);
> // NOTE(review): b64_hmac_sha1 is defined elsewhere. In OAuth 1.0 the HMAC key is consumer_secret + "&" + token_secret (empty before a token is issued); confirm "token_secret&" stands for the consumer secret.
> >                        var oauth_signature = b64_hmac_sha1("token_secret&",
> > base_string);
> // NOTE(review): oauth_signature is placed in the header without percent-encoding; base64 output can contain + / = which need encoding in the header value.
> >                        var auth_header = 'OAuth oauth_nonce="' + nonce +
> > '"' +
> >                        ', oauth_signature_method="HMAC-SHA1"' +
> >                        ', oauth_timestamp="' + timestamp + '"' +
> >                        ', oauth_consumer_key="' + key + '"' +
> >                        ', oauth_signature="' + oauth_signature + '"' +
> >                        ', oauth_version="1.0"';
> // NOTE(review): older jQuery releases read the HTTP verb from "type", not "method" -- confirm this request really goes out as POST, since the base string is signed for POST.
> >                      $.ajax({
> >                                url:url,
> >                                method: "POST",
> >                                data: {
> >                                        x_auth_username: username,
> >                                        x_auth_password: password,
> >                                        x_auth_mode: "client_auth"
> >                                },
> >                                beforeSend: function(xhr){
>
> >  xhr.setRequestHeader("Authorization", auth_header);
> >                                },
> >                                success: function(data){
> >                                        alert(data);  // NOTE(review): presumably the body holds the issued token and secret on success -- avoid displaying or logging it outside debugging
> >                                },
> >                                error: function(xhr){
> >                                        alert(xhr.responseText);
> >                                }
> >                        })
