Indeed it was solved in version 0.6.6. Sorry for that Gero!
On Mon, May 17, 2010 at 9:46 AM, Taylor Singletary <[email protected]> wrote:
> Hi Gero,
>
> This particular issue looked to have been caused by a quirk in the way that
> the Scribe library was encoding spaces. The library has since been updated
> by the author.
>
> However, if you're still having the issue in another implementation, I'll
> be happy to help. Can you share the POST body of the request and your
> signature base string of when you're having the issue?
>
> Taylor Singletary
> Developer Advocate, Twitter
> http://twitter.com/episod
>
> On Mon, May 17, 2010 at 12:12 AM, Gero <[email protected]> wrote:
>
>> Hi,
>>
>> Any updates on this issue? I'm running into the same problem and have
>> not yet been able to resolve it.
>>
>> Regards,
>> Gero
>>
>> On May 1, 12:42 am, Taylor Singletary <[email protected]> wrote:
>> > Hi Pablo,
>> >
>> > Thanks for chiming in about Scribe. I'll take a look again soon at Scribe
>> > and see if I can ascertain its potential fault (or our own if that is the
>> > case).
>> >
>> > Keep up the good work on your OAuth library, Pablo! :)
>> >
>> > Taylor Singletary
>> > Developer Advocate, Twitter
>> > http://twitter.com/episod
>> >
>> > On Fri, Apr 30, 2010 at 3:31 PM, Pablo Fernandez <[email protected]> wrote:
>> > > Hi Taylor!
>> > >
>> > > I believe Rahul is having this problem while using my library
>> > > (http://github.com/fernandezpablo85/scribe)
>> > >
>> > > I've tested myself, I'm pretty sure the error lies in my code but I
>> > > can't tell why :S
>> > >
>> > > Here's the string that gets signed and the OAuth header in case that
>> > > helps!
>> > >
>> > > String to sign
>> > >
>> > > POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.xml&oauth_consumer_key%3D6icbcAXyZx67r8uTAUM5Qw%26oauth_nonce%3D32c0b090041a4b233a36590a10c8749e%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1272666648%26oauth_token%3D14654522-ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E%26oauth_version%3D1.0%26status%3DScribe%2520works.%2520Hell%2520yeah%2521
>> > >
>> > > OAuth header
>> > >
>> > > OAuth oauth_consumer_key="6icbcAXyZx67r8uTAUM5Qw",
>> > > oauth_nonce="32c0b090041a4b233a36590a10c8749e",
>> > > oauth_signature="hmzME2L2qAmzRYOj5P%2BBcja9ECg%3D",
>> > > oauth_signature_method="HMAC-SHA1", oauth_timestamp="1272666648",
>> > > oauth_token="14654522-ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E",
>> > > oauth_version="1.0"
>> > >
>> > > Pablo
>> > >
>> > > PS: Kudos for developer.twitter.com. the site rocks!
>> > >
>> > > On Apr 30, 3:34 pm, Rahul <[email protected]> wrote:
>> > > > Taylor,
>> > > >
>> > > > Here you go. I have tried adding the content type as follows.
>> > > >
>> > > > conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
>> > > >
>> > > > But this doesn't help at all and i still continue receiving the same
>> > > > error of incorrect signature.
>> > > >
>> > > > Any guess?
>> > > >
>> > > > Thanks,
>> > > > Rahul
>> > > >
>> > > > On Apr 29, 9:03 pm, Rahul <[email protected]> wrote:
>> > > > > Taylor,
>> > > > >
>> > > > > I am presently using scribe java library for OAuth and as you said all
>> > > > > spec compliant libraries the signature base string will only contain
>> > > > > POST body parameter so does this one.
>> > > > >
>> > > > > Also I will try to add the header 'Content-Type' to the library and
>> > > > > let you know how it goes.
>> > > > >
>> > > > > Thanks,
>> > > > > Rahul
>> > > > >
>> > > > > On Apr 29, 5:38 pm, Taylor Singletary <[email protected]> wrote:
>> > > > > > Whether it matters before creating your signature or not depends entirely on
>> > > > > > the OAuth library you are using. In spec-compliant OAuth libraries, the
>> > > > > > signature base string will only contain POST body parameters when they are
>> > > > > > of the application/x-www-form-urlencoded type -- most OAuth libraries need a
>> > > > > > way to be instructed on the disposition of the content being passed as the
>> > > > > > POST body and a common way is to look at an abstract request object of some
>> > > > > > kind to determine the type of data being piped in rather than just trying to
>> > > > > > guess or simply assuming that POST bodies will always be of the URL-encoded
>> > > > > > type. There might be another way to instruct your library on the disposition
>> > > > > > of data, but it's likely it'll just assume all POST data provided is of the
>> > > > > > URL encoded variety. I don't think you have any issues with your code in
>> > > > > > this area today.
>> > > > > >
>> > > > > > But as a best practice when dealing with an HTTP-based API of any kind, you
>> > > > > > should be sending a Content-Type header whenever POSTing or PUTing any kind
>> > > > > > of payload. You don't pass a Content-Type header on a GET because there is
>> > > > > > no content being sent.
>> > > > > >
>> > > > > > It's likely that your OAuth library automatically sends the proper
>> > > > > > Content-Type header on the OAuth negotiation steps because those steps are
>> > > > > > required to use URL-encoded POST bodies by the spec.
>> > > > > >
>> > > > > > Taylor Singletary
>> > > > > > Developer Advocate, Twitter
>> > > > > > http://twitter.com/episod
>> > > > > >
>> > > > > > On Thu, Apr 29, 2010 at 2:20 PM, Rahul <[email protected]> wrote:
>> > > > > > > So what are trying to say is that i should explicitly add Content-type
>> > > > > > > header in the message going out and that too before creating the
>> > > > > > > signature?
>> > > > > > >
>> > > > > > > Thanks,
>> > > > > > > Rahul
>> > > > > > >
>> > > > > > > On Apr 29, 4:58 pm, Taylor Singletary <[email protected]> wrote:
>> > > > > > > > Since you're sending a status, you should be setting a Content-Type header
>> > > > > > > > to indicate the type of payload -- it's best never to assume that a HTTP
>> > > > > > > > server or a HTTP library will know how to understand a payload without being
>> > > > > > > > explicitly told what kind of payload that is. The signature might be
>> > > > > > > > mis-calculating on the Twitter side due to not including your parameters
>> > > > > > > > when constructing it.
>> > > > > > > >
>> > > > > > > > Taylor Singletary
>> > > > > > > > Developer Advocate, Twitter
>> > > > > > > > http://twitter.com/episod
>> > > > > > > >
>> > > > > > > > On Thu, Apr 29, 2010 at 1:36 PM, Rahul <[email protected]> wrote:
>> > > > > > > > > Hello,
>> > > > > > > > >
>> > > > > > > > > To answer your questions. The following is the body response i receive
>> > > > > > > > > back
>> > > > > > > > >
>> > > > > > > > > <?xml version="1.0" encoding="UTF-8"?>
>> > > > > > > > > <hash>
>> > > > > > > > > <request>/1/statuses/update.xml</request>
>> > > > > > > > > <error>Incorrect signature</error>
>> > > > > > > > > </hash>
>> > > > > > > > >
>> > > > > > > > > Also, I am not setting any content type header at this point & I am
>> > > > > > > > > using "POST" only for token negotiation. and have not tried any get
>> > > > > > > > > restricted resource yet.
>> > > > > > > > > I did try some but they seem to be public
>> > > > > > > > > timeline etc which seems to be working good.
>> > > > > > > > >
>> > > > > > > > > Any help on this is highly appreciated.
>> > > > > > > > >
>> > > > > > > > > Thanks,
>> > > > > > > > > Rahul
>> > > > > > > > >
>> > > > > > > > > On Apr 29, 4:22 pm, Taylor Singletary <[email protected]> wrote:
>> > > > > > > > > > Hi Rahul,
>> > > > > > > > > >
>> > > > > > > > > > I'm trying to think of other reasons. We might be throwing the invalid
>> > > > > > > > > > signature error in a case where the signature is not in fact invalid.
>> > > > > > > > > >
>> > > > > > > > > > How about requests are not of the type POST? Have you had a GET (other than
>> > > > > > > > > > OAuth token negotiation steps) work for you? When you were doing the token
>> > > > > > > > > > negotiation steps, were you using POSTs or GETs? When performing a POST, are
>> > > > > > > > > > you setting your HTTP Content-Type header to
>> > > > > > > > > > "application/x-www-form-urlencoded"?
>> > > > > > > > > >
>> > > > > > > > > > What's the exact response from the server? There's usually a payload
>> > > > > > > > > > included with the response that may give more clarity to the error. We have
>> > > > > > > > > > some upcoming enhancements to the OAuth implementation that will return to
>> > > > > > > > > > you the "signature base string we calculated" which would be useful here
>> > > > > > > > > > now..
>> > > > > > > > > >
>> > > > > > > > > > Taylor Singletary
>> > > > > > > > > > Developer Advocate, Twitter
>> > > > > > > > > > http://twitter.com/episod
>> > > > > > > > > >
>> > > > > > > > > > On Thu, Apr 29, 2010 at 1:12 PM, Rahul <[email protected]> wrote:
>> > > > > > > > > > > Taylor,
>> > > > > > > > > > >
>> > > > > > > > > > > A quick update on this.
>> > > > > > > > > > > I tried generating the signature from my
>> > > > > > > > > > > library and the page mentioned below they both seems to be exactly the
>> > > > > > > > > > > same.....
>> > > > > > > > > > >
>> > > > > > > > > > > http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signin...
>> > > > > > > > > > >
>> > > > > > > > > > > What else can be the reason and how come twitter is responding with
>> > > > > > > > > > > Incorrect Signature ?
>> > > > > > > > > > >
>> > > > > > > > > > > Thanks,
>> > > > > > > > > > > Rahul
>> > > > > > > > > > >
>> > > > > > > > > > > On Apr 29, 1:19 pm, Rahul <[email protected]> wrote:
>> > > > > > > > > > > > Taylor,
>> > > > > > > > > > > >
>> > > > > > > > > > > > Thanks for taking a look at it. and to answer your question yes I do
>> > > > > > > > > > > > pass the status in the signature base string.
>> > > > > > > > > > > >
>> > > > > > > > > > > > Also below is my string which i pass to the below mentioned toSign
>> > > > > > > > > > > > variable.
>> > > > > > > > > > > >
>> > > > > > > > > > > > toSign:
>> > > > > > > > > > > > POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.xml&oauth_consumer_key%xxxxxxxxxxxxxxx%26oauth_nonce%3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-xxxxxxxxxxxxxxxxxxx%26oauth_version%3D1.0%26status%3Dhurrrrrrrrrrrrrray
>> > > > > > > > > > > >
>> > > > > > > > > > > > Mac mac = Mac.getInstance(HMAC_SHA1);
>> > > > > > > > > > > > mac.init(key);
>> > > > > > > > > > > > byte[] bytes = mac.doFinal(toSign.getBytes(UTF8));
>> > > > > > > > > > > >
>> > > > > > > > > > > > and in the key i pass: consumerSecret + '&' + tokenSecret
>> > > > > > > > > > > >
>> > > > > > > > > > > > Thanks,
>> > > > > > > > > > > > Rahul
>> > > > > > > > > > > >
>> > > > > > > > > > > > On Apr 29, 12:46 pm, Taylor Singletary <[email protected]> wrote:
>> > > > > > > > > > > >
>> > > > > > > > > > > > > Hi Rahul,
>> > > > > > > > > > > > >
>> > > > > > > > > > > > > When you are POSTing to statuses/update.xml -- are you including the
>> > > > > > > > > > > > > status that you are posting in your signature base string? As a URL-encoded
>> > > > > > > > > > > > > parameter, it should be included in both your POST body and the signature
>> > > > > > > > > > > > > base string (but not in the HTTP authorization header).
>> > > > > > > > > > > > >
>> > > > > > > > > > > > > Taylor Singletary
>> > > > > > > > > > > > > Developer Advocate,
>> >
>> > ...
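
The May 17 reply above attributes the failure to how spaces were encoded. The following added example (not from the thread and not Scribe's code) builds the signature base string for the request Pablo quoted, once with RFC 5849 percent-encoding and once with form-style encoding, and signs both with HMAC-SHA1 to show that the signatures differ. The public parameter values are the ones quoted in the thread; the secrets are constructed placeholders and the class and method names are illustrative.

```java
import java.net.URLEncoder;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OAuthSpaceEncoding {
    // Form encoding (application/x-www-form-urlencoded): a space becomes "+".
    static String formEncode(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8");
    }
    // OAuth 1.0 percent-encoding (RFC 5849, section 3.6): space -> "%20", "*" escaped, "~" literal.
    static String oauthEncode(String s) throws Exception {
        return formEncode(s).replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // Base string: METHOD & enc(url) & enc(sorted "name=value" pairs joined with "&").
    static String baseString(String url, Map<String, String> params, boolean rfc) throws Exception {
        TreeMap<String, String> sorted = new TreeMap<>();
        for (Map.Entry<String, String> e : params.entrySet())
            sorted.put(rfc ? oauthEncode(e.getKey()) : formEncode(e.getKey()),
                       rfc ? oauthEncode(e.getValue()) : formEncode(e.getValue()));
        StringBuilder pairs = new StringBuilder();
        for (Map.Entry<String, String> e : sorted.entrySet())
            pairs.append(pairs.length() > 0 ? "&" : "").append(e.getKey()).append('=').append(e.getValue());
        return "POST&" + oauthEncode(url) + "&" + oauthEncode(pairs.toString());
    }
    // HMAC-SHA1 over the base string, keyed with consumerSecret + '&' + tokenSecret.
    static String sign(String base, String key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes("UTF-8"), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes("UTF-8")));
    }
    public static void main(String[] args) throws Exception {
        Map<String, String> p = new HashMap<>();   // public values quoted in the thread
        p.put("oauth_consumer_key", "6icbcAXyZx67r8uTAUM5Qw");
        p.put("oauth_nonce", "32c0b090041a4b233a36590a10c8749e");
        p.put("oauth_signature_method", "HMAC-SHA1");
        p.put("oauth_timestamp", "1272666648");
        p.put("oauth_token", "14654522-ayJ064ck0Gtp1ABmjVVxMqd0OcgIG0fMRPFxN00E");
        p.put("oauth_version", "1.0");
        p.put("status", "Scribe works. Hell yeah!");
        String key = "CONSUMER_SECRET_PLACEHOLDER&TOKEN_SECRET_PLACEHOLDER"; // constructed, not real
        String url = "http://api.twitter.com/1/statuses/update.xml";
        for (boolean rfc : new boolean[] {true, false}) {
            String base = baseString(url, p, rfc);
            System.out.println((rfc ? "RFC 5849   " : "form-style ") + base.substring(base.lastIndexOf("status%3D")));
            System.out.println("  oauth_signature=" + sign(base, key));
        }
    }
}
```

Only the `status` portion of the two base strings differs, which is enough to change the whole signature; comparing the client's base string with the one the server would compute is the quickest way to localize an "Incorrect signature" response.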
