SOLVED!

The moral of the story is to keep your nonce values SIMPLE.

We were generating a random value:

  Base64.encode('1:' + counter++ + ':' + random + Date.now());

which most of the time resulted in a string that contained an equals
sign character, which then gets urlencoded to %3D.

It appears the % character was confusing the server and so we kept
getting 401s.

Our solution is to make a simpler, non-Base64-encoded nonce. NO
PERCENTS!!!  And all is now well.

-dwf



On May 12, 3:30 pm, DWF <dwfr...@pivotallabs.com> wrote:
> Taylor:  Here's what we're sending now.  The signature looks like the
> correct length.  But we're getting the same error.
>
> POST /oauth/access_token HTTP/1.1
> Host: api.twitter.com
> Authorization: OAuth oauth_signature_method="HMAC-SHA1",
> oauth_nonce="MToxOjQyOTY0NzEyNzM3MDMzMzQwMTU%3D",
> oauth_timestamp="1273703334",
> oauth_consumer_key="WFKpuxJsIdVbesPtUAN6w", oauth_version="1.0",
> oauth_signature="NU%2BLWGJ7lDm2DmPYKkT8P45YsZA%3D"
> Accept: application/json
> Content-Length: 93
> Content-Type: application/x-www-form-urlencoded
>
> x%5Fauth%5Fusername=XXXXX&x%5Fauth%5Fpassword=XXXXX&x%5Fauth
> %5Fmode=client%5Fauth
>
> HTTP/1.1 401 Unauthorized
> Date: Wed, 12 May 2010 22:29:11 GMT
> Server: hi
> Status: 401 Unauthorized
> X-Transaction: 1273703351-32476-1016
> Last-Modified: Wed, 12 May 2010 22:29:11 GMT
> X-Runtime: 0.01211
> Content-Type: text/html; charset=utf-8
> Content-Length: 44
> Pragma: no-cache
> X-Revision: DEV
> Expires: Tue, 31 Mar 1981 05:00:00 GMT
> Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
> check=0
> Set-Cookie: k=74.207.226.80.1273703350241947; path=/; expires=Wed, 19-
> May-10 22:29:10 GMT; domain=.twitter.com
> Set-Cookie: guest_id=127370335144417010; path=/; expires=Fri, 11 Jun
> 2010 22:29:11 GMT
> Set-Cookie:
> _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCJXEoo4oAToRdHJhbnNfcHJvbXB0MDoHaWQi
> %250AJWUwNmRiODNlMDlmY2FhNzk3YTE1YWNlODFiMzllZDVjIgpmbGFzaElDOidB
> %250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
> a76c125e0d8422759ab95667e37db1decdc56861; domain=.twitter.com; path=/
> Vary: Accept-Encoding
> Connection: close
>
> Failed to validate oauth signature and token
>
> On May 12, 2:56 pm, DWF <dwfr...@pivotallabs.com> wrote:
>
>
>
> > It turns out that we have a base64 encoding problem, which means our
> > signature actually is bad.
>
> > Working on it now.
>
> > --dwf
>
> > On May 12, 1:06 pm, DWF <dwfr...@pivotallabs.com> wrote:
>
> > > We just coded up a simple Ruby script to make the same request,
> > > building our post body by hand into a string to ensure the escaping
> > > (or not) of the params.
>
> > > So we know that going into Net::HTTP the underscores are underscores
> > > and NOT %5F's.
>
> > > Same response from the server.
>
> > > --dwf
>
> > > On May 12, 11:14 am, Taylor Singletary <taylorsinglet...@twitter.com>
> > > wrote:
>
> > > > Just eyeballing this: your POST body is over-URL encoded. Your POST body
> > > > should be simply:
> > > > x_auth_username=XXXXX&x_auth_password=XXXXX&x_auth_mode=client_auth
>
> > > > But the values of each key should be URL escaped (so if there's an email
> > > > address, username, or password with non-URL safe characters, they would be
> > > > URL encoded -- and double URL encoded in your signature base string)
>
> > > > Otherwise, at first glance anyway, this looks pretty close to right.
>
> > > > Taylor Singletary
> > > > Developer Advocate, Twitter http://twitter.com/episod
>
> > > > On Wed, May 12, 2010 at 10:58 AM, DWF <dwfr...@pivotallabs.com> wrote:
> > > > > We're trying this out now & think we're approved.  But we're still
> > > > > seeing 401s when requesting a user token.
>
> > > > > (username & password hidden with XXXXXX below)
>
> > > > > Here's our base string:
>
> > > > > POST&https%3A%2F%2Fapi.twitter.com%2Foauth
> > > > > %2Faccess_token&oauth_consumer_key%3DWFKpuxJsIdVbesPtUAN6w
> > > > > %26oauth_nonce%3DMTowOjk1NDE2ODEyNzM2ODY1OTM4Mjc%3D
> > > > > %26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
> > > > > %3D1273686593%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth
> > > > > %26x_auth_password%3DXXXXX%26x_auth_username%3DXXXXX
>
> > > > > Here's our POST (using hurl.it as it looks like twurl doesn't support
> > > > > this API endpoint yet):
>
> > > > > -----
> > > > > POST /oauth/access_token HTTP/1.1
> > > > > Host: api.twitter.com
> > > > > Authorization: OAuth oauth_signature_method="HMAC-SHA1",
> > > > > oauth_nonce="MToxOjEyMzcxNzEyNzM2ODY1OTM4Mjc%3D",
> > > > > oauth_timestamp="1273686593",
> > > > > oauth_consumer_key="WFKpuxJsIdVbesPtUAN6w", oauth_version="1.0",
> > > > > oauth_signature="4f23193590c2b66c5ea23ce5deae9c767998a902"
> > > > > Accept: application/json
> > > > > Content-Length: 93
> > > > > Content-Type: application/x-www-form-urlencoded
>
> > > > > x%5Fauth%5Fusername=XXXXX&x%5Fauth%5Fpassword=XXXXX&x%5Fauth
> > > > > %5Fmode=client%5Fauth
>
> > > > > -----
>
> > > > > And we're getting this response (sad panda):
>
> > > > > -----
> > > > > HTTP/1.1 401 Unauthorized
> > > > > Date: Wed, 12 May 2010 17:52:11 GMT
> > > > > Server: hi
> > > > > Status: 401 Unauthorized
> > > > > X-Transaction: 1273686731-92894-17698
> > > > > Last-Modified: Wed, 12 May 2010 17:52:11 GMT
> > > > > X-Runtime: 0.03752
> > > > > Content-Type: text/html; charset=utf-8
> > > > > Content-Length: 44
> > > > > Pragma: no-cache
> > > > > X-Revision: DEV
> > > > > Expires: Tue, 31 Mar 1981 05:00:00 GMT
> > > > > Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
> > > > > check=0
> > > > > Set-Cookie: k=74.207.226.80.1273686729321903; path=/; expires=Wed, 19-
> > > > > May-10 17:52:09 GMT; domain=.twitter.com
> > > > > Set-Cookie: guest_id=127368673134928431; path=/; expires=Fri, 11 Jun
> > > > > 2010 17:52:11 GMT
> > > > > Set-Cookie:
> > > > > _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCFUqpY0oAToRdHJhbnNfcHJvbXB0MDoHaWQi
> > > > > %250AJTc1OGJjN2ZjODIwYWNhYzY3NjJlZGQzYWFjNTFlYmEyIgpmbGFzaElDOidB
> > > > > %250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--
> > > > > ab999812f9cfb9a01a8095a2e3d0f84fd9c1e0d7; domain=.twitter.com; path=/
> > > > > Vary: Accept-Encoding
> > > > > Connection: close
>
> > > > > Failed to validate oauth signature and token
>
> > > > > ----
>
> > > > > This look familiar to anyone?
>
> > > > > Thanks,
> > > > > --dwf

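The thread turns on three encoding rules from OAuth 1.0 (RFC 5849) that Taylor's reply spells out: the underscore is an unreserved character, so x_auth_mode is never sent as x%5Fauth%5Fmode; each value is percent-encoded once into the Authorization header or POST body; and the whole normalized parameter string is encoded a second time when it goes into the signature base string. The Ruby below is an added example written for this page, not the poster's script and not anything Twitter published. It builds the xAuth access_token request from the thread under those rules, signs it with HMAC-SHA1 using an empty token secret (there is no token yet during xAuth), generates a nonce from unreserved characters only, as the final post recommends, and includes a server-side verify with a constant-time comparison. The consumer key is the one shown in the thread; the consumer secret, username and password are placeholders.

```ruby
require 'openssl'
require 'securerandom'
require 'uri'

# OAuth 1.0 (RFC 5849) HMAC-SHA1 signing for the xAuth access_token call
# discussed in the thread. Added example; not the poster's script.
module OAuth1
  BASE_URL = 'https://api.twitter.com/oauth/access_token'.freeze

  # RFC 5849 s3.6: percent-encode every byte except ALPHA, DIGIT, "-", ".", "_", "~".
  # "_" is unreserved, so x_auth_mode must stay x_auth_mode (never x%5Fauth%5Fmode).
  def self.encode(str)
    str.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
  end

  # Decode a query string or x-www-form-urlencoded body into [key, value] pairs,
  # so that "+" and %XX are undone here and re-encoded exactly once below.
  def self.parse_form(str)
    URI.decode_www_form(str.to_s)
  end

  # Nonce built only from unreserved characters: its encoded form is itself,
  # so header, base string and server all see the same bytes.
  def self.generate_nonce
    SecureRandom.hex(16)
  end

  # s3.4.1.3.2: encode keys and values, sort by key then value, join with "=" and "&".
  def self.normalize(params)
    params.map { |k, v| [encode(k), encode(v)] }.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  end

  # s3.4.1.2: scheme://host[:port]/path, default ports dropped, query string excluded.
  def self.base_string_uri(url)
    u = URI.parse(url)
    default = (u.scheme == 'https' && u.port == 443) || (u.scheme == 'http' && u.port == 80)
    path = u.path.empty? ? '/' : u.path
    "#{u.scheme.downcase}://#{u.host.downcase}#{default ? '' : ":#{u.port}"}#{path}"
  end

  # s3.4.1.1: METHOD & enc(uri) & enc(normalized params). Values are encoded once in
  # normalize and again here, which is why an "=" in a nonce appears as %3D in the
  # header but as %253D in the base string.
  def self.signature_base_string(method, url, params)
    [method.upcase, encode(base_string_uri(url)), encode(normalize(params))].join('&')
  end

  # s3.4.2: key = enc(consumer_secret) & enc(token_secret); token secret is empty for xAuth.
  def self.sign(base_string, consumer_secret, token_secret = '')
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    [OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), key, base_string)].pack('m0')
  end

  # Constant-time comparison for the server side, so a signature check does not
  # leak how many leading bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Server side: recompute the signature from the decoded parameters and compare.
  def self.verify(method, url, params, presented_signature, consumer_secret, token_secret = '')
    expected = sign(signature_base_string(method, url, params), consumer_secret, token_secret)
    secure_equal?(expected, presented_signature)
  end

  # s3.5.1: Authorization header; each value percent-encoded once and quoted.
  def self.authorization_header(oauth_params)
    'OAuth ' + oauth_params.sort.map { |k, v| %(#{encode(k)}="#{encode(v)}") }.join(', ')
  end

  # Form body: keys and values encoded once; underscores survive untouched.
  def self.form_body(params)
    params.map { |k, v| "#{encode(k)}=#{encode(v)}" }.join('&')
  end

  # The xAuth request from the thread. consumer_secret is a placeholder here.
  def self.xauth_request(consumer_key:, consumer_secret:, username:, password:,
                         url: BASE_URL, nonce: generate_nonce, timestamp: Time.now.to_i.to_s)
    oauth = [['oauth_consumer_key', consumer_key], ['oauth_nonce', nonce],
             ['oauth_signature_method', 'HMAC-SHA1'], ['oauth_timestamp', timestamp],
             ['oauth_version', '1.0']]
    body = [['x_auth_username', username], ['x_auth_password', password],
            ['x_auth_mode', 'client_auth']]
    base = signature_base_string('POST', url, oauth + body)
    sig = sign(base, consumer_secret)
    { base_string: base, signature: sig,
      authorization: authorization_header(oauth + [['oauth_signature', sig]]),
      body: form_body(body) }
  end
end

if __FILE__ == $PROGRAM_NAME
  r = OAuth1.xauth_request(consumer_key: 'WFKpuxJsIdVbesPtUAN6w', consumer_secret: 'placeholder',
                           username: 'XXXXX', password: 'XXXXX')
  puts r[:authorization]
  puts r[:body]
end
```

Two checks worth keeping from this: the base64 HMAC-SHA1 signature is 28 characters and always ends in "=", so an encoded %3D in the Authorization header is unavoidable (the oauth_signature in the quoted request above carries one too); what has to hold is that the header value, once percent-decoded, is byte-for-byte the value that went into the base string. A nonce made of unreserved characters simply removes one place where that can go wrong. The signature_base_string function also reproduces the worked example in RFC 5849 section 3.4.1.1 when fed that request's query, body and oauth parameters, which is a convenient regression test for any hand-rolled signer.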