I'm new to OAuth and the Twitter API and I'm trying to learn the nitty
gritty of the OAuth flow and therefore I am writing my own classes (in
PHP.) I'm on step one and I haven't been able to get a request_token
properly and I'm failing with the common error "Failed to validate
oauth signature and token."
I'm hoping someone can point out the obvious of what I may be doing
wrong. Thanks in advance for any feedback / ideas. My application
works fine with the PHP library I downloaded and tried out, and I've
even replaced much of the code I wrote with snippets from the library
to see if I was simply doing something incorrectly.
My system time is up to date. I've tried generating timestamps based
on the UTC timezone and my local timezone.
Here's an example of my base signature string:
POST&http%3A%2F%2Fapi.twitter.com%2Foauth
%2Frequest_token&oauth_callback%3Dhttp%3A%2F%2Fmy.domain.net%2F~patrick
%2Foauth%2Ftwitter%2Fsuccess.php%26oauth_consumer_key
%3DMYCONSOMUERKEYHERE%26oauth_nonce
%3D1275027099%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
%3D1275027099%26oauth_version%3D1.0
I've tried using the md5 of unuiqe id for the nonce, and also the md5
of a timestamp (the example above is simply using a nonce that equals
the timestamp...all have still failed.
I'm signing it with:
private function get_signature(){
return base64_encode(hash_hmac('sha1', $this-
>build_signature_base_string(), $this->consumer_secret . '&', true));
}
My authorization header looks like this:
Authorization: OAuth oauth_consumer_key="MYCONSUMERKEYHERE",
oauth_nonce="1275025890", oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1275025890", oauth_version="1.0",
oauth_signature="W1KcHPpYMdu3cPPz%2FyfSPcyhj7c%3D"
I'm then using curl with the following options to request the page:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,
'https://api.twitter.com/oauth/
request_token');
curl_setopt($ch, CURLOPT_HTTPHEADER,
$this->build_auth_header());
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
return curl_exec($ch);
If it helps, the full response I'm getting back is:
HTTP/1.1 401 Unauthorized
Date: Fri, 28 May 2010 05:51:30 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1275025890-51043-4802
Last-Modified: Fri, 28 May 2010 05:51:30 GMT
X-Runtime: 0.00185
Content-Type: text/html; charset=utf-8
Content-Length: 44
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-
check=0
Set-Cookie: k=1.2.3.4.1275025890583471; path=/; expires=Fri, 04-Jun-10
05:51:30 GMT; domain=.twitter.com
Set-Cookie: guest_id=127502589058847976; path=/; expires=Sun, 27 Jun
2010 05:51:30 GMT
Set-Cookie:
_twitter_sess=BAh7CToRdHJhbnNfcHJvbXB0MDoPY3JlYXRlZF9hdGwrCBwdd90oAToHaWQi
%250AJWM2M2UwNTBlNmJlNjE1MDljYmI0YmVkOWU1M2VlZjUwIgpmbGFzaElDOidB
%250AY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--74c2e797b692435f46c95d28138b58d7a8467acb;
domain=.twitter.com; path=/
Vary: Accept-Encoding
Connection: close
Failed to validate oauth signature and token
Once again, I'm sorry for bothering you all with a relatively trivial
issue, but I greatly appreciate any help you can throw at me.
