Hi Colin,

Right now we report nonce errors in a few cases -- not all of them having
much to do with nonces unfortunately.

Check that the clock on the machines you are executing this on are within 5
minutes of the clock on api.twitter.com -- one easy way to do this before
you even start making OAuth-based requests is to send a HTTP HEAD request to
http://api.twitter.com/1/help/test.xml -- you'll get a "Date" HTTP header,
which you can consume and compare against the system clock in your
environment, adjusting the time as necessary when creating your
oauth_timestamp such that it's as close to as in sync with our systems as

Additionally, you'll want to avoid oauth_nonce values with any kind of
non-alpha-numeric characters, and generally strive to keep them globally
unique across all possible instances of your application.

If you adjust your clock and ensure these truths about your oauth_nonce, and
are still having issues -- we'll explore other reasons it might be invalid.


On Tue, Aug 17, 2010 at 7:19 AM, Tom van der Woerdt <i...@tvdw.eu> wrote:

> On 8/17/10 5:35 AM, Colin Hill wrote:
> > I ran into an issue when authenticating via OAuth, using the
> > token/secret pair offered for one of my apps, on the dev site (example)
> > http://dev.twitter.com/apps/12345/my_token
> >
> > we use the perl OAuth::Lite::Consumer module and have no difficulty
> > authenticating using the typical dance for our user facing web app, but
> > when migrating a cron job from basic to OAuth, using the generated token
> > pair as above, we now consistently get the following error:
> >
> > 401 Unauthorized
> > {"request":"/1/account/verify_credentials.json","error":"Invalid / used
> > nonce"}
> >
> > the passed OAuth Parameters are (consumer key redacted):
> >
> > $VAR1 = {
> >           'oauth_signature' => 'uHd1S9mCVG/dGNaHCFbl8vLHh2s=',
> >           'oauth_timestamp' => 1282000377,
> >           'oauth_consumer_key' => 'xxxxxxxxxxxxxxxxxxxxxxx',
> >           'oauth_nonce' => '95881ba3c50fa67a54fb',
> >           'oauth_version' => '1.0',
> >           'oauth_signature_method' => 'HMAC-SHA1'
> >         };
> >
> > I'm reasonably sure that this all worked when I wrote and tested it
> > three weeks back, but when I went to roll it into our cron job this
> > afternoon, authentication consistently fails. I wonder if anyone on the
> > list has seen a similar change in behavior, and/or could offer some
> > advice as to what might generate this error. Thanks.
> >
> >   -- Colin
> Hi Colin,
> Quoting RFC 5849 (OAuth 1.0) :
>   A nonce is a random string, uniquely generated by the client to allow
>   the server to verify that a request has never been made before and
>   helps prevent replay attacks when requests are made over a non-secure
>   channel.  The nonce value MUST be unique across all requests with the
>   same timestamp, client credentials, and token combinations.
> In other words, it has to be unique.
> I'm not entirely sure, but I *think* that Twitter's implementation of
> this says that it has to be unique, but you can re-use it after 10
> minutes. That might explain why it worked before.
> Tom

Reply via email to