Hi again,

I made a "real" request this time because in the previous one, I
couldn't control the nonce and timestamp generation directly so I copy-
pasted the code it used and modified it a bit. This is the "real"
generated data which has a non-mock nonce and timestamp.

Timestamp: "1277742686"
Nonce: "ufywbndxv0qevuh0"

Base String:

POST&http%3A%2F%2Fstream.twitter.com%2F1%2Fstatuses%2Ffilter.json&follow%3D156934710%26oauth_consumer_key%3DTwitterConsumerKey%26oauth_nonce%3Dufywbndxv0qevuh0%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1277742686%26oauth_token%3DTwitterAccessToken%26oauth_version%3D1.0%26source%3DWildfire%2520by%2520Implication

Signature:
YRXJUMYs0bRzkDZSTXesGfIWhQ8%3D

Packet Capture:
- Http: Request, POST /1/statuses/filter.json , Using OAuth Authorization
    Command: POST
  + URI: /1/statuses/filter.json
    ProtocolVersion: HTTP/1.1
  - Authorization: OAuth
   + Authorization:  OAuth oauth_consumer_key="TwitterConsumerKey",oauth_token="TwitterAccessToken",oauth_nonce="ufywbndxv0qevuh0",oauth_timestamp="1277742686",oauth_signature_method="HMAC-SHA1",oauth_signature="YRXJUMYs0bRzkDZSTXesGfIWhQ8%3D",oauth_version="1.0",
  + ContentType:  application/x-www-form-urlencoded
    Host:  stream.twitter.com
    ContentLength:  51

- Http: HTTP Payload, URL: /1/statuses/filter.json
  - payload: HttpContentType =  application/x-www-form-urlencoded
     source: Wildfire%20by%20Implication
     follow: 156934710


It still looks correct though...

Regards,
Wil

On Jun 29, 12:21 am, Wil <willi...@gmail.com> wrote:
> Hi,
>
> I got exactly the same values:
>
> Base string:
> POST&http%3A%2F%2Fstream.twitter.com%2F1%2Fstatuses%2Ffilter.json&follow%3D156934710%26oauth_consumer_key%3DTwitterConsumerKey%26oauth_nonce%3Dabcdefgh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1277739588%26oauth_token%3DTwitterAccessToken%26oauth_version%3D1.0%26source%3DWildfire%2520by%2520Implication
>
> Signature (escaped):
> rYGiA6H2UXog0nYOzTeUKwJSssM%3D
>
> Authorization Header:
> oauth_consumer_key="TwitterConsumerKey",oauth_token="TwitterAccessToken",oauth_nonce="abcdefgh",oauth_timestamp="1277739588",oauth_signature_method="HMAC-SHA1",oauth_signature="rYGiA6H2UXog0nYOzTeUKwJSssM%3D",oauth_version="1.0"
>
> Post content:
> source=Wildfire%20by%20Implication&follow=156934710
>
> On Jun 28, 11:45 pm, Taylor Singletary <taylorsinglet...@twitter.com>
> wrote:
>
>
>
> > Let's start from a common point. By using the same inputs, we can try and
> > meet in the middle with exactly the same signature, signature base string,
> > and authorization header.
>
> > Using the following values:
> > Consumer Key: TwitterConsumerKey
> > Consumer Secret: TwitterConsumerSecret
> > Access Token: TwitterAccessToken
> > Access Token Secret: TwitterAccessTokenScret
> > OAuth Nonce: abcdefgh
> > OAuth Timestamp: 1277739588
>
> > URL: http://stream.twitter.com/1/statuses/filter.json
>
> > POST Body:
> > follow=156934710&source=Wildfire%20by%20Implication
>
> > Assuming these exact values, the following should be the result:
>
> > POST body:
> > follow=156934710&source=Wildfire%20by%20Implication
>
> > Signature Base String:
> > POST&http%3A%2F%2Fstream.twitter.com%2F1%2Fstatuses%2Ffilter.json&follow%3D156934710%26oauth_consumer_key%3DTwitterConsumerKey%26oauth_nonce%3Dabcdefgh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1277739588%26oauth_token%3DTwitterAccessToken%26oauth_version%3D1.0%26source%3DWildfire%2520by%2520Implication
>
> > Signing Secret
> > TwitterConsumerSecret&TwitterAccessTokenSecret
>
> > Signature
> > rYGiA6H2UXog0nYOzTeUKwJSssM=
>
> > Authorization Header
> > OAuth oauth_nonce="abcdefgh", oauth_signature_method="HMAC-SHA1",
> > oauth_timestamp="1277739588", oauth_consumer_key="TwitterConsumerKey",
> > oauth_token="TwitterAccessToken",
> > oauth_signature="rYGiA6H2UXog0nYOzTeUKwJSssM%3D", oauth_version="1.0"
>
> > Using these values do you get the same signature and other values?
>
> > Taylor
>
> > On Mon, Jun 28, 2010 at 8:21 AM, Wil <willi...@gmail.com> wrote:
> > > Oh wait, it does include them I just missed it.
>
> > > So much for premature celebration...
>
> > > On Jun 28, 11:10 pm, Wil <willi...@gmail.com> wrote:
> > > > The thing wasn't including the POST parameters in the signing! I think
> > > > I got it!
>
> > > > On Jun 28, 10:54 pm, Wil <willi...@gmail.com> wrote:
>
> > > > > Ah wait, I ran a couple more tests just to be sure and the signatures
> > > > > match the sent sniffed one.... guess I missed something previously...
>
> > > > > Base:
> > > > > POST&http%3A%2F%2Fstream.twitter.com%2F1%2Fstatuses%2Ffilter.json&follow%3D156934710%26oauth_consumer_key%3DrHYIlqotmSfiGc6OfFtw%26oauth_nonce%3Deodjuo8ystdcyl3f%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1277736634%26oauth_token%3D156934710-J4HkTzZOaHk7ZBnXPzmqopoQS9pm2NjDJmMDEw4E%26oauth_version%3D1.0%26source%3DWildfire%2520by%2520Implication
>
> > > > > Signature:
> > > > > nt%2F5itdHGoVr8gRloaBOakSmUbM%3D
>
> > > > > Sent:
> > > > > oauth_consumer_key="rHYIlqotmSfiGc6OfFtw"
> > > > > oauth_token="156934710-J4HkTzZOaHk7ZBnXPzmqopoQS9pm2NjDJmMDEw4E"
> > > > > oauth_nonce="eodjuo8ystdcyl3f"
> > > > > oauth_timestamp="1277736634"
> > > > > oauth_signature_method="HMAC-SHA1"
> > > > > oauth_signature="nt%2F5itdHGoVr8gRloaBOakSmUbM%3D"
> > > > > oauth_version="1.0"
>
> > > > > On Jun 28, 10:35 pm, Wil <willi...@gmail.com> wrote:
>
> > > > > > Hi Taylor,
>
> > > > > > Ok. Here's the entire thing:
>
> > > > > > Generated base string:
> > > > > > POST&http%3A%2F%2Fstream.twitter.com%2F1%2Fstatuses%2Ffilter.json&follow%3D156934710%26oauth_consumer_key%3DrHYIlqotmSfiGc6OfFtw%26oauth_nonce%3Dmvzi5szav5dciif4%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1277735188%26oauth_token%3D156934710-J4HkTzZOaHk7ZBnXPzmqopoQS9pm2NjDJmMDEw4E%26oauth_version%3D1.0%26source%3DWildfire%2520by%2520Implication
>
> > > > > > calculated signature: %2FgqbnKcwmnpFMGnqNUK3kr6waI0%3D
>
> > > > > > Sniffed authorization header:
> > > > > > oauth_consumer_key="rHYIlqotmSfiGc6OfFtw"
> > > > > > oauth_token="156934710-J4HkTzZOaHk7ZBnXPzmqopoQS9pm2NjDJmMDEw4E"
> > > > > > oauth_nonce="6qzbdouhrz40dqs4"
> > > > > > oauth_timestamp="1277735291"
> > > > > > oauth_signature_method="HMAC-SHA1"
> > > > > > oauth_signature="2yRkYN7j8YpS0%2FgrFSNKnoCrk7Y%3D"
> > > > > > oauth_version="1.0"
>
> > > > > > You're right, something seems to be wrong with the signature. I'll
> > > > > > continue to investigate this....
>
> > > > > > Regards,
> > > > > > Wil
> > > > > > On Jun 28, 10:23 pm, Taylor Singletary <taylorsinglet...@twitter.com> wrote:
>
> > > > > > > Wil: Can you retrieve the signature base string (again, from your current
> > > > > > > work) from your library when attempting the call that returns 401? There
> > > > > > > must be something minor going amiss there with this parameter for some
> > > > > > > reason.
>
> > > > > > > Thanks,
> > > > > > > Taylor
>
> > > > > > > On Sat, Jun 26, 2010 at 12:08 PM, John Kalucki <j...@twitter.com> wrote:
> > > > > > > > An invalid delimited parameter is ignored, and won't cause a 401.
>
> > > > > > > > On Sat, Jun 26, 2010 at 2:04 AM, Wil <willi...@gmail.com> wrote:
>
> > > > > > > >> Hi,
>
> > > > > > > >> @John: I removed the delimited=1 parameter and it still gave me 401's.
>
> > > > > > > >> @Taylor: I checked my system clock and does not differ from the server
> > > > > > > >> time by more than 5 minutes.
> > > > > > > >> The code works with the following which I've used:
> > > > > > > >> 1) OAuth authentication methods
> > > > > > > >> 2) statuses/user_timeline
> > > > > > > >> 3) 1/favorites/create
>
> > > > > > > >> (3) is a bit weird since TweetSharp sends favorite requests in this
> > > > > > > >> form:
> > > > > > > >> http://api.twitter.com/1/favorites/create/######.json
>
> > > > > > > >> and the POST body contains this:
> > > > > > > >> source=Wildfire%20by%20Implication
>
> > > > > > > >> Yet it still works. I haven't tried other things in TweetSharp that
> > > > > > > >> does POST though.
> > > > > > > >> I thought that it was probably the read/write permissions that's
> > > > > > > >> causing the problem because I initially set the App as read-only (I
> > > > > > > >> changed it to write-access when I implemented the favorite). I then
> > > > > > > >> recreated the client information with read&write access. So I guess
> > > > > > > >> permissions weren't the problem.
>
> > > > > > > >> I did some packet sniffing to be extra sure that it's sending the data
> > > > > > > >> as POST... and I got this: (using Microsoft NetMon 3.3)
> > > > > > > >> - Http: Request, POST /1/statuses/filter.json , Using OAuth Authorization
> > > > > > > >>    Command: POST
> > > > > > > >>  + URI: /1/statuses/filter.json
> > > > > > > >>    ProtocolVersion: HTTP/1.1
> > > > > > > >>  - Authorization: OAuth
> > > > > > > >>   - Authorization:  OAuth oauth_consumer_key="######",oauth_token="34216267-BDNO9E9Ayd3IDnzRsDgU0wwwcuxO3trNecmblpNQo",oauth_nonce="d8qtvqz2sefipbsu",oauth_timestamp="1277542341",oauth_signature_method="HMAC-SHA1",oauth_signature="PeKBoS3uYgL9p7oJ%2
> > > > > > > >>      WhiteSpace:
> > > > > > > >>      AuthorizationData: OAuth oauth_consumer_key="#######",oauth_token="34216267-BDNO9E9Ayd3IDnzRsDgU0wwwcuxO3trNecmblpNQo",oauth_nonce="d8qtvqz2sefipbsu",oauth_timestamp="1277542341",oauth_signature_method="HMAC-SHA1",oauth_signature="PeKBoS3uYgL9p7o
> > > > > > > >>  + ContentType:  application/x-www-form-urlencoded
> > > > > > > >>    Host:  stream.twitter.com
> > > > > > > >>    ContentLength:  51
> > > > > > > >>    Connection:  Keep-Alive
> > > > > > > >>    HeaderEnd: CRLF
>
> > > > > > > >> The next frame was the HTTP payload
> > > > > > > >> - Http: HTTP Payload, URL: /1/statuses/filter.json
> > > > > > > >>  - payload: HttpContentType =  application/x-www-form-urlencoded
> > > > > > > >>     source: softwarename
> > > > > > > >>     follow: ###########
>
> > > > > > > >> On Jun 26, 5:50 am, Taylor Singletary <taylorsinglet...@twitter.com> wrote:
> > > > > > > >> > Wil,
>
> > > > > > > >> > Does your OAuth code work against other aspects of the Twitter API? Can you
> > > > > > > >> > verify if your system's clock is within 5 minutes or so of the times
> > > > > > > >> > returned by our system? (You can see the current server time in an HTTP
> > > > > > > >> > header of any of our responses).
>
> > > > > > > >> > Are you sure that your code is actually POSTing the POST body along with the
> > > > > > > >> > request?
>
> > > > > > > >> > Seems like you are really close.
>
> > > > > > > >> > On Fri, Jun 25, 2010 at 10:10 AM, Wil <willi...@gmail.com> wrote:
> > > > > > > >> > > Hi John,
>
> > > > > > > >> > > Uhh, care to elaborate? I don't quite get what you meant...
>
> > > > > > > >> > > Thanks,
> > > > > > > >> > > Wil
>
> > > > > > > >> > > On Jun 24, 11:17 pm, John Kalucki <j...@twitter.com> wrote:
> > > > > > > >> > > > Aside from the oAuth issue, which others can address, the only valid
> > > > > > > >> > > > delimited value is length.
>
> > > > > > > >> > > > -John
>
> > > > > > > >> > > > On Thu, Jun 24, 2010 at 7:58 AM, Wil <willi...@gmail.com> wrote:...
>

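The signing steps compared in this thread (base string, signing key, HMAC-SHA1), as an added example that is not part of the original messages or of TweetSharp. It uses the shared placeholder values quoted above; the function names are hypothetical, and `check_request` recomputes the signature for a captured header and body so a 401 can be traced to the base string or the key.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, quote, unquote

def pct(s):
    """OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(s, safe="-._~")

def base_string(method, url, oauth_params, body):
    """Signature base string from the header fields plus the form-encoded body."""
    # Assumes url has no query string. Body values are decoded, then encoded once
    # per pair and once more with the joined string, so %20 becomes %2520.
    pairs = list(oauth_params.items()) + parse_qsl(body, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    joined = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(joined)])

def sign(base, consumer_secret, token_secret):
    """HMAC-SHA1 of the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def check_request(method, url, auth_header, body, consumer_secret, token_secret):
    """Recompute the signature of a captured request; returns (matches, base)."""
    fields = {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', auth_header)}
    sent = fields.pop("oauth_signature", "")
    fields.pop("realm", None)  # realm is never part of the base string
    base = base_string(method, url, fields, body)
    expected = sign(base, consumer_secret, token_secret)
    return hmac.compare_digest(sent.encode(), expected.encode()), base

# Shared placeholder inputs quoted in the thread (not real credentials).
URL = "http://stream.twitter.com/1/statuses/filter.json"
BODY = "source=Wildfire%20by%20Implication&follow=156934710"
OAUTH = {
    "oauth_consumer_key": "TwitterConsumerKey", "oauth_token": "TwitterAccessToken",
    "oauth_nonce": "abcdefgh", "oauth_timestamp": "1277739588",
    "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
}

if __name__ == "__main__":
    base = base_string("POST", URL, OAUTH, BODY)
    print(base)
    print(sign(base, "TwitterConsumerSecret", "TwitterAccessTokenSecret"))
```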