Thanks Taylor, yip unfortunately I wrote my oauth code about 18 months
ago, before most of the libraries were out, so there could be anything
wrong. It's probably not 100% spec compliant, which is probably why it
broke.

I've tracked down the issue to the access_token exchange part of the
process. The access token's that I have from before are still working,
just can't get new ones. I've noticed I'm not passing oauth_verifier
back in the request, which could be causing the issue..

Will let you guys know how I get on...

Thanks for the pointers
Dave

On Dec 2, 9:57 pm, Taylor Singletary <taylorsinglet...@twitter.com>
wrote:
> We've corrected a number of long-standing OAuth-related bug fixes -- mainly
> in areas where we more liberal than we should have been when verifying
> signatures.
>
> Here are a few things to verify:
>
> * Verify that you are using your consumer key where the consumer key is
> supposed to go. Compare this to what you see for you app on dev.twitter.com
> * Likewise, verify that you are using your consumer secret where it is
> supposed to go. Compare this to what you see for you app on dev.twitter.com
> * Laugh at the obviousness and absurdity of a check like that. Cry a little
> because we already know some people were doing the wrong thing here,
> especially on end points that didn't require authentication.
> * Verify that your timestamps are in range
> * If you're sending a request to a resource that doesn't require
> authentication but you're including OAuth credentials:
>    - we used to just give you a free pass even if the credentials were
> incorrect. Hey, it doesn't require auth, so why bother checking?
>    - now we check this. if you pass us an OAuth header or anything that
> looks like an OAuth-based request, we will check it for validity, even if
> it's a resource that doesn't require auth.
>
> We haven't changed anything about our actual core signature validation code
> -- what was a valid signature before should be a valid one now. We're just
> checking the validity in more use cases than we were previously, and
> checking other validity points we were flexible with previously.
>
> Taylor
>
> On Thu, Dec 2, 2010 at 1:32 PM, Twitlonger <stu...@abovetheinternet.org>wrote:
>
>
>
>
>
>
>
> > I'm seeing a lot of invalid/expired token errors.
>
> > On Dec 2, 9:21 pm, Dave-twiends <i...@davesumter.com> wrote:
> > > I noticed I've just started getting 401's for all my oAuth requests.
> > > Seems to be happening on more than one site for me.. My application
> > > keys and status still look good..
>
> > > Just wondering if anyone else is having an issue..?
>
> > --
> > Twitter developer documentation and resources:http://dev.twitter.com/doc
> > API updates via Twitter:http://twitter.com/twitterapi
> > Issues/Enhancements Tracker:
> >http://code.google.com/p/twitter-api/issues/list
> > Change your membership to this group:
> >http://groups.google.com/group/twitter-development-talk

-- 
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 
http://groups.google.com/group/twitter-development-talk

Reply via email to