Hi Taylor, thanks for your reply. 1) No, clock is pretty much synced. I've come across this advice already and checked it in first place: my oauth_timestamp is "1280250833" and the server responds with header X- Transaction=1280250931-50619-29066 which I suppose includes server-side clock. The difference is 100 ms. 2) Twitter documentation states that either GET or POST is supported, HTTPS or HTTP. I tried every combination (always matching with OAuth base string generation). Tried to set Content-Type header to "application/x-www-form- urlencoded" or "text/plain" or leave it empty. POST body is empty all the times, Content-Length is 0. 3) This same code works fine for two other OAuth-authenticated resources. 4) I received an email response to this posting that other people started to receive this error in their existing applications a day or two ago.
Best regards, Ivan. On Jul 28, 5:35 pm, Taylor Singletary <taylorsinglet...@twitter.com> wrote: > Hi Ivan, > > Everything is working server side, but OAuth is a picky beast sometimes. > > That your signature generation is repeatedly valid is great. You can dismiss > that from the list of things that can go wrong. > > What else could go wrong? > * Your system clock could be considerably behind or ahead of our servers. > We return the current time in a response header to every request. Take that > time, compare it to the clock on your computer and adjust as needed. > * Some other problem with how your request is being issued and sent. Are > you setting a Content-Type header of application/x-www-form-urlencoded? Do > you have any linebreaks in your HTTP header? Are you really sending a POST? > Are you sending any kind of a POST body with the request? > > Taylor > > On Tue, Jul 27, 2010 at 2:28 PM, ivan_m5 <i.mis...@gmail.com> wrote: > > OK, I just substituted sample OAuth parameters found here > >http://dev.twitter.com/pages/auth > > to my application, and I get exactly the same oauth_signature string: > > > key=MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98& > > text=POST&https%3A%2F%2Fapi.twitter.com%2Foauth > > %2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Flocalhost > > %253A3005%252Fthe_dance%252Fprocess_callback%253Fservice_provider_id > > %253D11%26oauth_consumer_key%3DGDdmIQH6jhtmLUypg82g%26oauth_nonce > > %3DQP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk%26oauth_signature_method > > %3DHMAC-SHA1%26oauth_timestamp%3D1272323042%26oauth_version%3D1.0 > > DIGEST=8wUi7m5HFQy76nowoCThusfgB+Q= > > > POSThttps://api.twitter.com/oauth/request_token > > Authorization: OAuth realm="https://api.twitter.com/oauth/ > > request_token", > > oauth_consumer_key="GDdmIQH6jhtmLUypg82g", > > oauth_signature_method="HMAC-SHA1", > > oauth_timestamp="1272323042", > > oauth_nonce="QP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk", > > oauth_version="1.0", > > oauth_callback="http%3A%2F%2Flocalhost%3A3005%2Fthe_dance > > %2Fprocess_callback%3Fservice_provider_id%3D11", > > oauth_signature="8wUi7m5HFQy76nowoCThusfgB%2BQ%3D" > > > And the response: > > 401 unauthorized > > X-Transaction=1280265543-37398-24961 > > Failed to validate oauth signature and token > > > So I calculate oauth_signature correctly. > > > Could anyone please confirm everything is fine on server side? > > > Thank you very much. > > > On Jul 27, 9:14 pm, ivan_m5 <i.mis...@gmail.com> wrote: > > > Hi Taylor, > > > Thank you for your prompt reply. > > > Yes, I'm typically not sending oauth_callback in query string. I > > > adapted my example so that it produces exactly the same digest string > > > as tool on hueniverse.com site does. > > > If I remove these parameters from query string and add oauth_callback > > > to Authorization header, > > > then the request looks like: > > > > key=T5GW1w.....ez20Risxc& > > > text=POST&https%3A%2F%2Fapi.twitter.com%2Foauth > > > %2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Flocalhost%252Fx- > > > oauth-mobile-success%252F%26oauth_consumer_key%3Dg4kGtt9OflmGNGfEPQAaw > > > %26oauth_nonce%3D9373543318877%26oauth_signature_method%3DHMAC- > > > SHA1%26oauth_timestamp%3D1280253286%26oauth_version%3D1.0 > > > DIGEST=LXjNC7POr5UvNJkGY1n0kT0eoxI= > > > > POSThttps://api.twitter.com/oauth/request_token > > > Authorization: OAuth realm="https://api.twitter.com/oauth/ > > > request_token", oauth_consumer_key="g4kGtt9OflmGNGfEPQAaw", > > > oauth_signature_method="HMAC-SHA1", oauth_timestamp="1280253286", > > > oauth_nonce="9373543318877", oauth_version="1.0", oauth_callback="http > > > %3A%2F%2Flocalhost%2Fx-oauth-mobile-success%2F", > > > oauth_signature="LXjNC7POr5UvNJkGY1n0kT0eoxI%3D" > > > > but the the response is still > > > 401 unauthorized > > > X-Transaction=1280253382-1460-49113 > > > Failed to validate oauth signature and token > > > > (I'm using temporary application and will reset its consumer secret > > > key shortly, so no need to worry. I'm just trying to provide as much > > > data as possible so that request could be validated if this could help > > > solving issue) > > > > Any ideas? > > > Are there working Twitter apps currently which use OAuth? > > > > Thanks a lot! > > > > On Jul 27, 8:30 pm, Taylor Singletary <taylorsinglet...@twitter.com> > > > wrote: > > > > > Hi Ivan, > > > > > With OAuth you have to choose either to use header-based auth or > > > > query-string auth. Here you're doing both simultaneously. Your POST to > > > > api.twitter.com/oauth/request_token shouldn't include any of the > > oauth_* > > > > parameters. Also worth noting that the force_login=true parameter does > > not > > > > apply to the request token step and should be omitted. > > > > > Hope this helps, > > > > Taylor > > > > > On Tue, Jul 27, 2010 at 10:23 AM, ivan_m5 <i.mis...@gmail.com> wrote: > > > > > Hi everybody, > > > > > > I have my own Objective-C OAuth library. It's working pretty well for > > > > > habrahabr.ru and hyves.nl currently. > > > > > But I'm unable to get it work with Twitter. > > > > > I've come across a lot of postings around here regarding users unable > > > > > to obtain temporary request token. > > > > > > I've validated my request at > > >http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signin... > > > > > and signature is calculated OK. > > > > > > Here's my POST data (adapted so that I can validate request at the > > > > > page above): > > > > > > POST > > >https://api.twitter.com/oauth/request_token?force_login=true&oauth_ca... > > > > > consumer_secret="T5GW1wAGewlFY9CIyYXmYvGApQQHM3cez20Risxc" > > > > > base_string=POST&https%3A%2F%2Fapi.twitter.com%2Foauth > > > > > %2Frequest_token&force_login%3Dtrue%26oauth_callback%3Dhttp%253A%252F > > > > > %252Flocalhost%252Fx-oauth-mobile-success%252F%26oauth_consumer_key > > > > > %3Dg4kGtt9OflmGNGfEPQAaw%26oauth_nonce > > > > > %3D37071428662683%26oauth_signature_method%3DHMAC- > > > > > SHA1%26oauth_timestamp%3D1280250833%26oauth_token%3D%26oauth_version > > > > > %3D1.0 > > > > > DIGEST=eZg+qEBXeFDSfFq6Chxyt9/3pvU= > > > > > > And the header: > > > > > Authorization: OAuth realm="https://api.twitter.com/oauth/ > > > > > request_token", oauth_consumer_key="g4kGtt9OflmGNGfEPQAaw", > > > > > oauth_token="", oauth_signature_method="HMAC-SHA1", > > > > > oauth_timestamp="1280250833", oauth_nonce="37071428662683", > > > > > oauth_version="1.0", oauth_signature="eZg%2BqEBXeFDSfFq6Chxyt9%2F3pvU > > > > > %3D" > > > > > > And the response is: > > > > > ========================================= > > > > > 401 unauthorized > > > > > Server=hi > > > > > Vary=Accept-Encoding > > > > > Last-Modified=Tue, 27 Jul 2010 17:15:31 GMT > > > > > Cache-Control=no-cache, no-store, must-revalidate, pre-check=0, post- > > > > > check=0 > > > > > X-Revision=DEV > > > > > Status=401 Unauthorized > > > > > Date=Tue, 27 Jul 2010 17:15:31 GMT > > > > > Expires=Tue, 31 Mar 1981 05:00:00 GMT > > > > > Pragma=no-cache > > > > > X-Runtime=0.00686 > > > > > X-Transaction=1280250931-50619-29066 > > > > > Set- > > > Cookie=_twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCNrj5hQqASIKZmxhc2hJQzonQWN0aW9uQ29u > > > > > %250AdHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoHaWQiJWUx > > > > > %250ANTY3YmQ0MTdmOGY3ZDQxMWY1NDNjNDIzOThmNDRl-- > > > > > eeba367f81559ae97d63fddfa8df09251ceab44f; domain=.twitter.com; > > path=/ > > > > > Content-Encoding=gzip > > > > > Content-Length=62 > > > > > Content-Type=text/html; charset=utf-8 > > > > > Connection=close > > > > > > Failed to validate oauth signature and token > > > > > ========================================= > > > > > > Are there issues on server-side? Thanks in advance. > >