Hi Gero,

This particular issue looked to have been caused by a quirk in the way that
the Scribe library was encoding spaces. The library has since been updated
by the author.

However, if you're still having the issue in another implementation, I'll be
happy to help. Can you share the POST body of the request and your signature
base string of when you're having the issue?

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod
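
The space-encoding point above, as an added example (not part of the original thread and not Scribe's code): it builds the signature base string for the status update quoted further down twice, once with OAuth 1.0 percent-encoding (space as `%20`) and once with Java's form encoding (space as `+`), and signs both with HMAC-SHA1. The class name and every key, token and secret are constructed placeholders; Java 10 or later is assumed.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import java.util.stream.Collectors;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OAuthSpaceEncodingDemo {
    // Form encoding (application/x-www-form-urlencoded): a space becomes "+".
    static String form(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // OAuth 1.0 percent-encoding: form encoding with its three differences undone
    // (space must be %20, "*" must be %2A, "~" must stay literal).
    static String pct(String s) {
        return form(s).replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // Builds the signature base string. TreeMap orders by raw key, which matches the
    // required ordering for the plain-ASCII, non-repeated keys used here.
    static String baseString(String method, String url, Map<String, String> params, boolean oauthEnc) {
        String normalized = new TreeMap<String, String>(params).entrySet().stream()
            .map(e -> oauthEnc ? pct(e.getKey()) + "=" + pct(e.getValue())
                               : form(e.getKey()) + "=" + form(e.getValue()))
            .collect(Collectors.joining("&"));
        return method + "&" + pct(url) + "&" + pct(normalized);
    }

    // HMAC-SHA1 keyed with consumerSecret + '&' + tokenSecret, Base64-encoded.
    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        byte[] key = (pct(consumerSecret) + "&" + pct(tokenSecret)).getBytes(StandardCharsets.UTF_8);
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> p = new TreeMap<>(); // credentials are constructed placeholders
        p.put("oauth_consumer_key", "EXAMPLE_CONSUMER_KEY");
        p.put("oauth_nonce", "examplenonce0001");
        p.put("oauth_signature_method", "HMAC-SHA1");
        p.put("oauth_timestamp", "1272666648");
        p.put("oauth_token", "EXAMPLE_TOKEN");
        p.put("oauth_version", "1.0");
        p.put("status", "Scribe works. Hell yeah!");
        String url = "http://api.twitter.com/1/statuses/update.xml";
        for (boolean oauthEnc : new boolean[] {true, false}) {
            String base = baseString("POST", url, p, oauthEnc);
            System.out.println(sign(base, "EXAMPLE_CONSUMER_SECRET", "EXAMPLE_TOKEN_SECRET"));
            System.out.println("  " + base);
        }
    }
}
```

The two base strings differ only in the status value (`%2520` against `%2B`), which is enough for the server, recomputing the signature from the decoded request, to answer "Incorrect signature".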


On Mon, May 17, 2010 at 12:12 AM, Gero <gero.verm...@gmail.com> wrote:

> Hi,
>
> Any updates on this issue? I'm running into the same problem and have
> not yet been able to resolve it.
>
> Regards,
> Gero
>
> On May 1, 12:42 am, Taylor Singletary <taylorsinglet...@twitter.com>
> wrote:
> > Hi Pablo,
> >
> > Thanks for chiming in about Scribe. I'll take a look again soon at Scribe
> > and see if I can ascertain its potential fault (or our own if that is the
> > case).
> >
> > Keep up the good work on your OAuth library, Pablo! :)
> >
> > Taylor Singletary
> > Developer Advocate, Twitter
> > http://twitter.com/episod
> >
> > On Fri, Apr 30, 2010 at 3:31 PM, Pablo Fernandez <fernandezpabl...@gmail.com> wrote:
> >
> > > Hi Taylor!
> >
> > > I believe Rahul is having this problem while using my library
> > > (http://github.com/fernandezpablo85/scribe)
> >
> > > I've tested myself, I'm pretty sure the error lies in my code but I
> > > can't tell why :S
> >
> > > Here's the string that gets signed and the OAuth header in case that
> > > helps!
> >
> > > String to sign >>
> >
> > > POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.xml&oauth_consumer_key%3D6icbcAXyZx67r8uTAUM5Qw%26oauth_nonce%3D32c0b090041a4b233a36590a10c8749e%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1272666648%26oauth_token%3D14654522-ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E%26oauth_version%3D1.0%26status%3DScribe%2520works.%2520Hell%2520yeah%2521
> >
> > > OAuth header >>
> >
> > > OAuth oauth_consumer_key="6icbcAXyZx67r8uTAUM5Qw",
> > > oauth_nonce="32c0b090041a4b233a36590a10c8749e",
> > > oauth_signature="hmzME2L2qAmzRYOj5P%2BBcja9ECg%3D",
> > > oauth_signature_method="HMAC-SHA1", oauth_timestamp="1272666648",
> > > oauth_token="14654522-ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E",
> > > oauth_version="1.0"
> >
> > > Pablo
> >
> > > PS: Kudos for developer.twitter.com. The site rocks!
> >
> > > On Apr 30, 3:34 pm, Rahul <rahul.jun...@gmail.com> wrote:
> > > > Taylor,
> >
> > > > Here you go. I have tried adding the content type as follows.
> >
> > > > conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
> >
> > > > But this doesn't help at all and I still continue receiving the same
> > > > error of incorrect signature.
> >
> > > > Any guess?
> >
> > > > Thanks,
> > > > Rahul
> >
> > > > On Apr 29, 9:03 pm, Rahul <rahul.jun...@gmail.com> wrote:
> >
> > > > > Taylor,
> >
> > > > > I am presently using scribe java library for OAuth and as you said
> > > > > all spec compliant libraries the signature base string will only
> > > > > contain POST body parameter so does this one.
> >
> > > > > Also I will try to add the header 'Content-Type' to the library and
> > > > > let you know how it goes.
> >
> > > > > Thanks,
> > > > > Rahul
> >
> > > > > On Apr 29, 5:38 pm, Taylor Singletary <taylorsinglet...@twitter.com> wrote:
> >
> > > > > > Whether it matters before creating your signature or not depends
> > > > > > entirely on the OAuth library you are using. In spec-compliant OAuth
> > > > > > libraries, the signature base string will only contain POST body
> > > > > > parameters when they are of the application/x-www-form-urlencoded
> > > > > > type -- most OAuth libraries need a way to be instructed on the
> > > > > > disposition of the content being passed as the POST body and a common
> > > > > > way is to look at an abstract request object of some kind to determine
> > > > > > the type of data being piped in rather than just trying to guess or
> > > > > > simply assuming that POST bodies will always be of the URL-encoded
> > > > > > type. There might be another way to instruct your library on the
> > > > > > disposition of data, but it's likely it'll just assume all POST data
> > > > > > provided is of the URL encoded variety. I don't think you have any
> > > > > > issues with your code in this area today.
> >
> > > > > > But as a best practice when dealing with an HTTP-based API of any
> > > > > > kind, you should be sending a Content-Type header whenever POSTing or
> > > > > > PUTing any kind of payload. You don't pass a Content-Type header on a
> > > > > > GET because there is no content being sent.
> >
> > > > > > It's likely that your OAuth library automatically sends the proper
> > > > > > Content-Type header on the OAuth negotiation steps because those
> > > > > > steps are required to use URL-encoded POST bodies by the spec.
> >
> > > > > > Taylor Singletary
> > > > > > Developer Advocate, Twitter
> > > > > > http://twitter.com/episod
> >
> > > > > > On Thu, Apr 29, 2010 at 2:20 PM, Rahul <rahul.jun...@gmail.com> wrote:
> > > > > > > So what you are trying to say is that I should explicitly add
> > > > > > > Content-type header in the message going out and that too before
> > > > > > > creating the signature?
> >
> > > > > > > Thanks,
> > > > > > > Rahul
> >
> > > > > > > On Apr 29, 4:58 pm, Taylor Singletary <taylorsinglet...@twitter.com> wrote:
> > > > > > > > Since you're sending a status, you should be setting a
> > > > > > > > Content-Type header to indicate the type of payload -- it's best
> > > > > > > > never to assume that a HTTP server or a HTTP library will know how
> > > > > > > > to understand a payload without being explicitly told what kind of
> > > > > > > > payload that is. The signature might be mis-calculating on the
> > > > > > > > Twitter side due to not including your parameters when
> > > > > > > > constructing it.
> >
> > > > > > > > Taylor Singletary
> > > > > > > > Developer Advocate, Twitter
> > > > > > > > http://twitter.com/episod
> >
> > > > > > > > On Thu, Apr 29, 2010 at 1:36 PM, Rahul <rahul.jun...@gmail.com> wrote:
> > > > > > > > > Hello,
> >
> > > > > > > > > To answer your questions. The following is the body response I
> > > > > > > > > receive back
> >
> > > > > > > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > > > > > > <hash>
> > > > > > > > >  <request>/1/statuses/update.xml</request>
> > > > > > > > >  <error>Incorrect signature</error>
> > > > > > > > > </hash>
> >
> > > > > > > > > Also, I am not setting any content type header at this point & I
> > > > > > > > > am using "POST" only for token negotiation. and have not tried any
> > > > > > > > > get restricted resource yet. I did try some but they seem to be
> > > > > > > > > public timeline etc which seems to be working good.
> >
> > > > > > > > > Any help on this is highly appreciated.
> >
> > > > > > > > > Thanks,
> > > > > > > > > Rahul
> >
> > > > > > > > > On Apr 29, 4:22 pm, Taylor Singletary <taylorsinglet...@twitter.com> wrote:
> > > > > > > > > > Hi Rahul,
> >
> > > > > > > > > > I'm trying to think of other reasons. We might be throwing the
> > > > > > > > > > invalid signature error in a case where the signature is not in
> > > > > > > > > > fact invalid.
> >
> > > > > > > > > > How about requests are not of the type POST? Have you had a GET
> > > > > > > > > > (other than OAuth token negotiation steps) work for you? When you
> > > > > > > > > > were doing the token negotiation steps, were you using POSTs or
> > > > > > > > > > GETs? When performing a POST, are you setting your HTTP
> > > > > > > > > > Content-Type header to "application/x-www-form-urlencoded"?
> >
> > > > > > > > > > What's the exact response from the server? There's usually a
> > > > > > > > > > payload included with the response that may give more clarity to
> > > > > > > > > > the error. We have some upcoming enhancements to the OAuth
> > > > > > > > > > implementation that will return to you the "signature base string
> > > > > > > > > > we calculated" which would be useful here now..
> >
> > > > > > > > > > Taylor Singletary
> > > > > > > > > > Developer Advocate, Twitter
> > > > > > > > > > http://twitter.com/episod
> >
> > > > > > > > > > On Thu, Apr 29, 2010 at 1:12 PM, Rahul <rahul.jun...@gmail.com> wrote:
> > > > > > > > > > > Taylor,
> >
> > > > > > > > > > > A quick update on this. I tried generating the signature from my
> > > > > > > > > > > library and the page mentioned below they both seems to be
> > > > > > > > > > > exactly the same.....
> >
> > > > > > > > > > > http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signin...
> >
> > > > > > > > > > > What else can be the reason and how come twitter is responding
> > > > > > > > > > > with Incorrect Signature ?
> >
> > > > > > > > > > > Thanks,
> > > > > > > > > > > Rahul
> >
> > > > > > > > > > > On Apr 29, 1:19 pm, Rahul <rahul.jun...@gmail.com> wrote:
> > > > > > > > > > > > Taylor,
> >
> > > > > > > > > > > > Thanks for taking a look at it. and to answer your question yes
> > > > > > > > > > > > I do pass the status in the signature base string.
> >
> > > > > > > > > > > > Also below is my string which I pass to the below mentioned
> > > > > > > > > > > > toSign variable.
> >
> > > > > > > > > > > > toSign:
> > > > > > > > > > > > POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.xml&oauth_consumer_key%xxxxxxxxxxxxxxx%26oauth_nonce%3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-xxxxxxxxxxxxxxxxxxx%26oauth_version%3D1.0%26status%3Dhurrrrrrrrrrrrrray
> >
> > > > > > > > > > > >     Mac mac = Mac.getInstance(HMAC_SHA1);
> > > > > > > > > > > >     mac.init(key);
> > > > > > > > > > > >     byte[] bytes = mac.doFinal(toSign.getBytes(UTF8));
> >
> > > > > > > > > > > > and in the key I pass: consumerSecret + '&' + tokenSecret
> >
> > > > > > > > > > > > Thanks,
> > > > > > > > > > > > Rahul
> >
> > > > > > > > > > > > On Apr 29, 12:46 pm, Taylor Singletary <taylorsinglet...@twitter.com> wrote:
> >
> > > > > > > > > > > > > Hi Rahul,
> >
> > > > > > > > > > > > > When you are POSTing to statuses/update.xml -- are you
> > > > > > > > > > > > > including the status that you are posting in your signature
> > > > > > > > > > > > > base string? As a URL-encoded parameter, it should be included
> > > > > > > > > > > > > in both your POST body and the signature base string (but not
> > > > > > > > > > > > > in the HTTP authorization header).
> >
> > > > > > > > > > > > > Taylor Singletary
> > > > > > > > > > > > > Developer Advocate,