I am developing a link to Twitter from a desktop application - it's a
client/server application that runs on Windows.  We have many clients
using the software, each with anywhere from 1 to several hundred
users.  The brief is to allow an administrator to enter one or more
Twitter accounts in to the database so that the individual users can
post updates to any of the accounts without having to know the
authentication details.

We have permanent xAuth access token exchange with the Twitter API.
When a client administrator enters a Twitter account in to the
database, they will enter the user name and password - my code will
then immediately hit the API and exchange these for an access token
which will then be stored in the database ready to be used when a user
wants to post a status update.

Trouble is I am having some problems with the http call that exchanges
a user name and password for an access token, so any help and advice
would be appreciated.  I am developing in Delphi 7 but the https calls
are made from a C# .NET 2.0 ComVisible class library which uses
WebRequest/WebResponse.  I am also using Fiddler 2 to view the

Ok, an example.  Here is my base signature (if I have the terminology
correct) - I have obfuscated any sensitive data:


I then create the signature of this using HMAC SHA1 and the Twitter
xAuth signing secret which gives me:

Finally I create my Authorisation header for the http request which
comes out like this:

Authorization: OAuth oauth_consumer_key="XXXXXXXXXXXXXXXXXXXX",
oauth_signature_method="HMAC-SHA1", oauth_timestamp="1278669373",

Now, if I am correct I am ready to post (to 
so I add the header but I am unclear as to whether I need to post the
base signature string with it or whether this is discarded once the
Authorisation header has been created, so I have tried both.  The
header is sent in each request but one request also sends the base
signature in the SendStream where as the other request posts no data
at all (but has the header).

Header only returns an error: The remote server returned an error:
(401) Unauthorized

Header and data returns an error: The remote server returned an error:
(417) Expectation Failed

The second call (header and data) is interesting because when you view
the traffic in Fiddler 2 I see the following headers:

Cookies / Login
  Authorization: OAuth oauth_consun=mer_key=".............
  Content-Length: 337
  Content-Type: application/x-www-form-urlencoded
  Connection: Keep-Alive
  Expect: 100-continue
  Host: api.twitter.com

and yet looking at the response:

<title>417 Expectation Failed</title>
<h1>Expectation Failed</h1>
<p>The expectation given in the Expect request-header
field could not be met by this server.</p>
<p>The client sent<pre>
    Expect: 100-continue
but we only allow the 100-continue expectation.</p>

So a 100-continue was sent which is the only thing allowed and yet it
is complaining about it?!

As I mentioned, any help or advice would be very welcome.


Reply via email to