401 error when using oAuth tool?


#1

Hi All

I’m brand new to oAuth.

I’ve set up a test application and set it to Read, Write and Access direct messages.

Used the oAuth tool to generate this:


curl --get 'https://api.twitter.com/oauth/request_token' --header 'Authorization: OAuth oauth_consumer_key="Z0p8k1pspBWrqNlV2VtVFQ", oauth_nonce="82c90b7b5202a42442b4714f1f0296a2", oauth_signature="%2FIVN%2FG7jlcJj6MVwU9UGyC8Tl3g%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1348759273", oauth_token="757341968-Y3XSMCeM9PWJ1GW8hqDMGItbMeNSVShZAb2rHRng", oauth_version="1.0"' --verbose


Edited it slightly to this (removed quotes and added the -k option to get over a certificate problem):


curl -k --get https://api.twitter.com/oauth/request_token --header "Authorization: OAuth oauth_consumer_key=Z0p8k1pspBWrqNlV2VtVFQ, oauth_nonce=82c90b7b5202a42442b4714f1f0296a2, oauth_signature=%2FIVN%2FG7jlcJj6MVwU9UGyC8Tl3g%3D, oauth_signature_method=HMAC-SHA1, oauth_timestamp=1348759273, oauth_token=757341968-Y3XSMCeM9PWJ1GW8hqDMGItbMeNSVShZAb2rHRng, oauth_version=1.0" --verbose


I ran it through curl-7.27.0-rtmp-ssh2-ssl-sspi-zlib-winidn-static-bin-w64 for Windows, and the result is below.

I can’t seem to get past this 401 error. What am I doing wrong, since I’m not generating any of this? It’s all from the oAuth Tool.

Thanks


* About to connect() to api.twitter.com port 443 (#0)
*   Trying 199.59.148.87...
* connected
* Connected to api.twitter.com (199.59.148.87) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
*        subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; OU=Twitter Security; CN=api.twitter.com
*        start date: 2012-05
*        expire date: 2013-05
*        subjectAltName: api.twitter.com matched
*        issuer: C=US; O
*        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

> GET /oauth/request_token HTTP/1.1
> User-Agent: curl/7.27.0
> Host: api.twitter.com
> Accept: */*
> Authorization: OAuth oauth_consumer_key=Z0p8k1pspBWrqNlV2VtVFQ, oauth_nonce=25d7d23fdd3a448acf23ab37033cd47d, oauth_signature=fQ5PnEdQhY2kWdxmoLtDIw5upZQ%3D, oauth_signature_method=HMAC-SHA1, oauth_timestamp=1348759029, oauth_token=757341968-Y3XSMCeM9PWJ1GW8hqDMGItbMeNSVShZAb2rHRng, oauth_version=1.0
>

< HTTP/1.1 401 Unauthorized
< Date: Thu, 27 Sep 2012 15:18:04 GMT
< Status: 401 Unauthorized
< X-Frame-Options: SAMEORIGIN
< X-Transaction: be915b5e91838bae
< Content-Type: text/html; charset=utf-8
< X-Runtime: 0.02352
< X-MID: 8234875033ef1aae66416576db3b1278939b497f
< Expires: Tue, 31 Mar 1981 05:00:00 GMT
< Last-Modified: Thu, 27 Sep 2012 15:18:04 GMT
< Pragma: no-cache
< Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
< Content-Length: 44
< Set-Cookie: k=10.35.48.120.1348759084511551; path=/; expires=Thu, 04-Oct-12 15:18:04 GMT; domain=.twitter.com
< Set-Cookie: guest_id=v1%3A134875908452586323; domain=.twitter.com; path=/; expires=Sun, 28-Sep-2014 03:18:04 GMT
< Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCO5dTgg6ASIKZmxhc2hJQzonQWN0aW9uQ29u%250AdHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoHaWQiJWVh%250AMTI3OGZlZDYxZmM2NzE4YWI2NGM0ZGZkOTVjYTFi--6f0a8ad0093e5244046fdd9dcf0bcf02de569a36; domain=.twitter.com; path=/; HttpOnly
< Vary: Accept-Encoding
< Server: tfe
<
Failed to validate oauth signature and token* Connection #0 to host api.twitter.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):


#2

You can’t use the OAuth tool to emulate requests to oauth/request_token unfortunately, because it’s a tool for making REST API requests rather than authentication negotiation requests. It’s failing because it adds an oauth_token value to the mix, which represents your identity to a method that is not expecting any kind of user identity.

You should make sure to get your certificate situation figured out on your machine. It’s not recommended to evade SSL when you can’t get it to work.
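
The point made in reply #2, as an added example that is not part of the thread and is not Twitter's or the OAuth tool's code: an OAuth 1.0 HMAC-SHA1 signature for oauth/request_token is computed without oauth_token and with an empty token secret, so a header signed as a user request does not match. The consumer key, secret, nonce, timestamp, the `oob` callback and all function names are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # Base string: METHOD & encoded base URL & encoded, sorted parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # Signing key: consumer secret, "&", token secret (empty at this step).
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def request_token_params(consumer_key, nonce, timestamp, callback="oob"):
    # Parameters for the request_token step: there is no oauth_token here.
    return {
        "oauth_callback": callback,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_version": "1.0",
    }

def authorization_header(method, url, params, consumer_secret, token_secret=""):
    sig = sign(method, url, params, consumer_secret, token_secret)
    signed = dict(params, oauth_signature=sig)
    fields = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))
    return "OAuth " + fields

# Constructed sample values (placeholders, not real credentials).
URL = "https://api.twitter.com/oauth/request_token"
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
NONCE = "constructed-nonce-0001"   # must be unique per request in real use
TIMESTAMP = "1700000000"           # must be the current time in real use

if __name__ == "__main__":
    params = request_token_params(CONSUMER_KEY, NONCE, TIMESTAMP)
    print(authorization_header("GET", URL, params, CONSUMER_SECRET))
    # Adding oauth_token changes both the base string and the signing key.
    with_token = dict(params, oauth_token="example-access-token")
    print(sign("GET", URL, params, CONSUMER_SECRET)
          != sign("GET", URL, with_token, CONSUMER_SECRET, "example-token-secret"))
```
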