Hi again, I made a "real" request this time because in the previous one, I couldn't control the nonce and timestamp generation directly so I copy- pasted the code it used and modified it a bit. This is the "real" generated data which has a non-mock nonce and timestamp.
Timestamp: "1277742686" Nonce: "ufywbndxv0qevuh0" Base String: POST&http%3A%2F%2Fstream.twitter.com%2F1%2Fstatuses %2Ffilter.json&follow%3D156934710%26oauth_consumer_key %3DTwitterConsumerKey%26oauth_nonce %3Dufywbndxv0qevuh0%26oauth_signature_method%3DHMAC- SHA1%26oauth_timestamp%3D1277742686%26oauth_token%3DTwitterAccessToken %26oauth_version%3D1.0%26source%3DWildfire%2520by%2520Implication Signature: YRXJUMYs0bRzkDZSTXesGfIWhQ8%3D Packet Capture: - Http: Request, POST /1/statuses/filter.json , Using OAuth Authorization Command: POST + URI: /1/statuses/filter.json ProtocolVersion: HTTP/1.1 - Authorization: OAuth + Authorization: OAuth oauth_consumer_key="TwitterConsumerKey",oauth_token="TwitterAccessToken",oauth_nonce="ufywbndxv0qevuh0",oauth_timestamp="1277742686",oauth_signature_method="HMAC- SHA1",oauth_signature="YRXJUMYs0bRzkDZSTXesGfIWhQ8%3D",oauth_version="1.0", + ContentType: application/x-www-form-urlencoded Host: stream.twitter.com ContentLength: 51 - Http: HTTP Payload, URL: /1/statuses/filter.json - payload: HttpContentType = application/x-www-form-urlencoded source: Wildfire%20by%20Implication follow: 156934710 It still looks correct though... Regards, Wil On Jun 29, 12:21 am, Wil <willi...@gmail.com> wrote: > Hi, > > I got exactly the same values: > > Base string: > POST&http%3A%2F%2Fstream.twitter.com%2F1%2Fstatuses > %2Ffilter.json&follow%3D156934710%26oauth_consumer_key > %3DTwitterConsumerKey%26oauth_nonce%3Dabcdefgh%26oauth_signature_method > %3DHMAC-SHA1%26oauth_timestamp%3D1277739588%26oauth_token > %3DTwitterAccessToken%26oauth_version%3D1.0%26source%3DWildfire%2520by > %2520Implication > > Signature (escaped): > rYGiA6H2UXog0nYOzTeUKwJSssM%3D > > Authorization Header: > oauth_consumer_key="TwitterConsumerKey",oauth_token="TwitterAccessToken",oa > uth_nonce="abcdefgh",oauth_timestamp="1277739588",oauth_signature_method="H > MAC- > SHA1",oauth_signature="rYGiA6H2UXog0nYOzTeUKwJSssM > %3D",oauth_version="1.0" > > Post content: > source=Wildfire%20by%20Implication&follow=156934710 > > On Jun 28, 11:45 pm, Taylor Singletary <taylorsinglet...@twitter.com> > wrote: > > > > > Let's start from a common point. By using the same inputs, we can try and > > meet in the middle with exactly the same signature, signature base string, > > and authorization header. > > > Using the following values: > > Consumer Key: TwitterConsumerKey > > Consumer Secret: TwitterConsumerSecret > > Access Token: TwitterAccessToken > > Access Token Secret: TwitterAccessTokenScret > > OAuth Nonce: abcdefgh > > OAuth Timestamp: 1277739588 > > > URL:http://stream.twitter.com/1/statuses/filter.json > > > POST Body: > > follow=156934710&source=Wildfire%20by%20Implication > > > Assuming these exact values, the following should be the result: > > > POST body: > > follow=156934710&source=Wildfire%20by%20Implication > > > Signature Base String: > > POST&http%3A%2F%2Fstream.twitter.com > > %2F1%2Fstatuses%2Ffilter.json&follow%3D156934710%26oauth_consumer_key%3DTwi > > tterConsumerKey%26oauth_nonce%3Dabcdefgh%26oauth_signature_method%3DHMAC-SH > > A1%26oauth_timestamp%3D1277739588%26oauth_token%3DTwitterAccessToken%26oaut > > h_version%3D1.0%26source%3DWildfire%2520by%2520Implication > > > Signing Secret > > TwitterConsumerSecret&TwitterAccessTokenSecret > > > Signature > > rYGiA6H2UXog0nYOzTeUKwJSssM= > > > Authorization Header > > OAuth oauth_nonce="abcdefgh", oauth_signature_method="HMAC-SHA1", > > oauth_timestamp="1277739588", oauth_consumer_key="TwitterConsumerKey", > > oauth_token="TwitterAccessToken", > > oauth_signature="rYGiA6H2UXog0nYOzTeUKwJSssM%3D", oauth_version="1.0" > > > Using these values do you get the same signature and other values? > > > Taylor > > > On Mon, Jun 28, 2010 at 8:21 AM, Wil <willi...@gmail.com> wrote: > > > Oh wait, it does include them I just missed it. > > > > So much for premature celebration... > > > > On Jun 28, 11:10 pm, Wil <willi...@gmail.com> wrote: > > > > The thing wasn't including the POST parameters in the signing! I think > > > > I got it! > > > > > On Jun 28, 10:54 pm, Wil <willi...@gmail.com> wrote: > > > > > > Ah wait, I ran a couple more tests just to be sure and the signatures > > > > > match the sent sniffed one.... guess I missed something previously... > > > > > > Base: > > > > > POST&http%3A%2F%2Fstream.twitter.com%2F1%2Fstatuses > > > > > %2Ffilter.json&follow%3D156934710%26oauth_consumer_key > > > > > %3DrHYIlqotmSfiGc6OfFtw%26oauth_nonce%3Deodjuo8ystdcyl3f > > > > > %26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp > > > > > %3D1277736634%26oauth_token%3D156934710- > > > > > J4HkTzZOaHk7ZBnXPzmqopoQS9pm2NjDJmMDEw4E%26oauth_version%3D1.0%26source > > > > > %3DWildfire%2520by%2520Implication > > > > > > Signature: > > > > > nt%2F5itdHGoVr8gRloaBOakSmUbM%3D > > > > > > Sent: > > > > > oauth_consumer_key="rHYIlqotmSfiGc6OfFtw" > > > > > oauth_token="156934710-J4HkTzZOaHk7ZBnXPzmqopoQS9pm2NjDJmMDEw4E" > > > > > oauth_nonce="eodjuo8ystdcyl3f" > > > > > oauth_timestamp="1277736634" > > > > > oauth_signature_method="HMAC-SHA1" > > > > > oauth_signature="nt%2F5itdHGoVr8gRloaBOakSmUbM%3D" > > > > > oauth_version="1.0" > > > > > > On Jun 28, 10:35 pm, Wil <willi...@gmail.com> wrote: > > > > > > > Hi Taylor, > > > > > > > Ok. Here's the entire thing: > > > > > > > Generated base string: > > > > > > POST&http%3A%2F%2Fstream.twitter.com%2F1%2Fstatuses > > > > > > %2Ffilter.json&follow%3D156934710%26oauth_consumer_key > > > > > > %3DrHYIlqotmSfiGc6OfFtw%26oauth_nonce > > > > > > %3Dmvzi5szav5dciif4%26oauth_signature_method%3DHMAC- > > > > > > SHA1%26oauth_timestamp%3D1277735188%26oauth_token%3D156934710- > > > > J4HkTzZOaHk7ZBnXPzmqopoQS9pm2NjDJmMDEw4E%26oauth_version%3D1.0%26source > > > > > > %3DWildfire%2520by%2520Implication > > > > > > > calculated signature: %2FgqbnKcwmnpFMGnqNUK3kr6waI0%3D > > > > > > > Sniffed authorization header: > > > > > > oauth_consumer_key="rHYIlqotmSfiGc6OfFtw" > > > > > > oauth_token="156934710-J4HkTzZOaHk7ZBnXPzmqopoQS9pm2NjDJmMDEw4E" > > > > > > oauth_nonce="6qzbdouhrz40dqs4" > > > > > > oauth_timestamp="1277735291" > > > > > > oauth_signature_method="HMAC-SHA1" > > > > > > oauth_signature="2yRkYN7j8YpS0%2FgrFSNKnoCrk7Y%3D" > > > > > > oauth_version="1.0" > > > > > > > You're right, something seems to be wrong with the signature. I'll > > > > > > continue to investigate this.... > > > > > > > Regards, > > > > > > Wil > > > > > > On Jun 28, 10:23 pm, Taylor Singletary <taylorsinglet...@twitter.com > > > > > > > wrote: > > > > > > > > Wil: Can you retrieve the signature base string (again, from your > > > current > > > > > > > work) from your library when attempting the call that returns 401? > > > There > > > > > > > must be something minor going amiss there with this parameter for > > > some > > > > > > > reason. > > > > > > > > Thanks, > > > > > > > Taylor > > > > > > > > On Sat, Jun 26, 2010 at 12:08 PM, John Kalucki <j...@twitter.com> > > > wrote: > > > > > > > > An invalid delimited parameter is ignored, and won't cause a > > > > > > > > 401. > > > > > > > > > On Sat, Jun 26, 2010 at 2:04 AM, Wil <willi...@gmail.com> wrote: > > > > > > > > >> Hi, > > > > > > > > >> @John: I removed the delimited=1 parameter and it still gave me > > > 401's. > > > > > > > > >> @Taylor: I checked my system clock and does not differ from the > > > server > > > > > > > >> time by more than 5 minutes. > > > > > > > >> The code works with the following which I've used: > > > > > > > >> 1)OAuthauthentication methods > > > > > > > >> 2) statuses/user_timeline > > > > > > > >> 3) 1/favorites/create > > > > > > > > >> (3) is a bit wierd since TweetSharp sends favorite requests in > > > this > > > > > > > >> form: > > > > > > > >>http://api.twitter.com/1/favorites/create/######.json > > > > > > > > >> and the POST body contains this: > > > > > > > >> source=Wildfire%20by%20Implication > > > > > > > > >> Yet it still works. I haven't tried other things in TweetSharp > > > that > > > > > > > >> does POST though. > > > > > > > >> I thought that it was probably the read/write permissions > > > > > > > >> that's > > > > > > > >> causing the problem because I initially set the App as > > > > > > > >> read-only > > > (I > > > > > > > >> changed it to write-access when I implemented the favorite). I > > > then > > > > > > > >> recreated the client information with read&write access. So I > > > guess > > > > > > > >> permissions weren't the problem. > > > > > > > > >> I did some packet sniffing to be extra sure that it's sending > > > the data > > > > > > > >> as POST... and I got this: (using Microsoft NetMon 3.3) > > > > > > > >> - Http: Request, POST /1/statuses/filter.json , UsingOAuth > > > > > > > >> Authorization > > > > > > > >> Command: POST > > > > > > > >> + URI: /1/statuses/filter.json > > > > > > > >> ProtocolVersion: HTTP/1.1 > > > > > > > >> - Authorization:OAuth > > > > > > > >> - Authorization: OAuth > > > > > > > >> oauth_consumer_key="######",oauth_token="34216267- > > > > BDNO9E9Ayd3IDnzRsDgU0wwwcuxO3trNecmblpNQo",oauth_nonce="d8qtvqz2sefipbsu",o > > > auth_timestamp="1277542341",oauth_signature_method="HMAC- > > > > > > > >> SHA1",oauth_signature="PeKBoS3uYgL9p7oJ%2 > > > > > > > >> WhiteSpace: > > > > > > > >> AuthorizationData:OAuth > > > > > > > >> oauth_consumer_key="#######",oauth_token="34216267- > > > > BDNO9E9Ayd3IDnzRsDgU0wwwcuxO3trNecmblpNQo",oauth_nonce="d8qtvqz2sefipbsu",o > > > auth_timestamp="1277542341",oauth_signature_method="HMAC- > > > > > > > >> SHA1",oauth_signature="PeKBoS3uYgL9p7o > > > > > > > >> + ContentType: application/x-www-form-urlencoded > > > > > > > >> Host: stream.twitter.com > > > > > > > >> ContentLength: 51 > > > > > > > >> Connection: Keep-Alive > > > > > > > >> HeaderEnd: CRLF > > > > > > > > >> The next frame was the HTTP payload > > > > > > > >> - Http: HTTP Payload, URL: /1/statuses/filter.json > > > > > > > >> - payload: HttpContentType = > > > > > > > >> application/x-www-form-urlencoded > > > > > > > >> source: softwarename > > > > > > > >> follow: ########### > > > > > > > > >> On Jun 26, 5:50 am, Taylor Singletary < > > > taylorsinglet...@twitter.com> > > > > > > > >> wrote: > > > > > > > >> > Wil, > > > > > > > > >> > Does yourOAuthcode work against other aspects of the Twitter > > > API? Can > > > > > > > >> you > > > > > > > >> > verify if your system's clock is within 5 minutes or so of > > > > > > > >> > the > > > times > > > > > > > >> > returned by our system? (You can see the current server time > > > in an HTTP > > > > > > > >> > header of any of our responses). > > > > > > > > >> > Are you sure that your code is actually POSTing the POST body > > > along with > > > > > > > >> the > > > > > > > >> > request? > > > > > > > > >> > Seems like you are really close. > > > > > > > > >> > On Fri, Jun 25, 2010 at 10:10 AM, Wil <willi...@gmail.com> > > > wrote: > > > > > > > >> > > Hi John, > > > > > > > > >> > > Uhh, care to elaborate? I don't quite get what you meant... > > > > > > > > >> > > Thanks, > > > > > > > >> > > Wil > > > > > > > > >> > > On Jun 24, 11:17 pm, John Kalucki <j...@twitter.com> wrote: > > > > > > > >> > > > Aside from theoAuthissue, which others can address, the > > > only valid > > > > > > > >> > > > delimited value is length. > > > > > > > > >> > > > -John > > > > > > > > >> > > > On Thu, Jun 24, 2010 at 7:58 AM, Wil <willi...@gmail.com> > > > wrote:... > > read more »