401 Unauthorized error with Tweet URLs


#1

Hello,

I am developing a client application (website) which will post to Twitter on behalf of the user. But I have unfortunately run into a bit of a snag with posting Tweets that have URLs in the text. I can post plain text Tweets without any issue, but the minute I add a parameterized URL I get a 401 unauthorized response.

So for example this Tweet would work:

We have updated our business profile! http://localhost:8005/directory/directory.cfm

But this Tweet gives a 401:

We have updated our business profile! http://localhost:8005/directory/directory.cfm?BusinessID=8

Here are the technical details:

Environment
Windows Server 2008
IIS 7.5
Coldfusion 9

oauth_consumer_key: kmdP6acaOerqxqHUNyyBOg
oauth_nonce: MTMxODk1Njg5MA==
oauth_signature_method: HMAC-SHA1
oauth_timestamp: 1318871942
oauth_token: 284729225-ke0qzExyvr55JTrv0AstJ7LPzwbTBNoNenKu0R4b
oauth_version: 1.0
status: We’ve updated our directory information! http://localhost:8001/directory/directory.cfm?businessID=1

Base OAuth Signature String

POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json&oauth_consumer_key%3DkmdP6acaOerqxqHUNyyBOg%26oauth_nonce%3DMTMxODk1Njg5MA%253D%253D%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1318871942%26oauth_token%3D284729225-ke0qzExyvr55JTrv0AstJ7LPzwbTBNoNenKu0R4b%26oauth_version%3D1.0%26status%3DWe%2527ve%2520updated%2520our%2520directory%2520information%2521%2520http%253A%252F%252Flocalhost%253A8001%252Fdirectory%252Fdirectory.cfm%253FbusinessID%253D1

Composite Key
H73LjRVAf0tDnVUuancuEKl2Jq3s1alddf8Spr3cHbE&xxxx

Signature
4oWnyke0+MUn9zTb5NOsnkea0GY=

OAuth Header

OAuth oauth_consumer_key="kmdP6acaOerqxqHUNyyBOg", oauth_nonce="MTMxODk1Njg5MA%3D%3D", oauth_signature="4oWnyke0%2BMUn9zTb5NOsnkea0GY%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1318871942", oauth_token="284729225-ke0qzExyvr55JTrv0AstJ7LPzwbTBNoNenKu0R4b", oauth_version="1.0"

Do I need to do some sort of extra formatting with the parameterized URLs? Or something?


#2

It looks like the Base OAuth Signature string is getting cut off but you can Inspect or View Source to get all of it.


#3

Just a quick heads up that you included your consumer secret in this post (in the composite key field you provided) – I’ve edited your post to disinclude this, but you may want to regenerate your API key & secret as a result. More on your issue here later…


#4

Thanks! I actually purposely left it in there for testing purposes. I had planned on resetting everything once I got it working =D.


#5

Hello. I’m revisiting this issue as it’s still open on the project, do you have any new information in regards to the issue?


#6

Hi @Aeosis,

Looking at the signature base string in the example you posted, this looks mostly right. Have you considered generating “golden examples” using the OAuth Tool available when navigating to your app on this site? If you provide it the various parameters you’re trying to use for this POST, it will show you the correct signature base string and authorization header to validly make the request, which you can then work to replicate in your own code.

The signature base string you show expects that the exact value for the status parameter you’re passing will be:

We%27ve%20updated%20our%20directory%20information%21%20http%3A%2F%2Flocalhost%3A8001%2Fdirectory%2Fdirectory.cfm%3FbusinessID%3D1

When you submit the POST body are you escaping it or are you leaving it unescaped?
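
As an added example (not from the thread or from Twitter), the sketch below rebuilds the signature base string from the parameters in the first post and models a verifier that decodes the received POST body before re-signing. The secrets are constructed placeholders, `server_accepts` is a simplified assumption about server-side verification, and the status uses an ASCII apostrophe to match the `%27` in the posted base string.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

def pct(s):
    # OAuth 1.0a (RFC 5849) encoding: everything except A-Z a-z 0-9 - . _ ~ is escaped.
    return quote(s, safe="")

def base_string(method, url, params):
    # Encode each key and value, sort, join, then encode the joined string once more.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    joined = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(joined)])

def sign(base, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def server_accepts(signature, method, url, oauth, body, secrets):
    # Assumed verifier model: decode the body as received, rebuild the base string, re-sign.
    received = dict(parse_qsl(body, keep_blank_values=True))
    expected = sign(base_string(method, url, {**oauth, **received}), *secrets)
    return hmac.compare_digest(signature, expected)

URL = "http://api.twitter.com/1/statuses/update.json"
OAUTH = {  # parameter values as listed in the first post
    "oauth_consumer_key": "kmdP6acaOerqxqHUNyyBOg",
    "oauth_nonce": "MTMxODk1Njg5MA==",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1318871942",
    "oauth_token": "284729225-ke0qzExyvr55JTrv0AstJ7LPzwbTBNoNenKu0R4b",
    "oauth_version": "1.0",
}
STATUS = ("We've updated our directory information! "
          "http://localhost:8001/directory/directory.cfm?businessID=1")
SECRETS = ("constructed-consumer-secret", "constructed-token-secret")  # placeholders

BASE = base_string("POST", URL, {**OAUTH, "status": STATUS})
SIGNATURE = sign(BASE, *SECRETS)
BODY_ESCAPED = "status=" + pct(STATUS)       # escaped once: the value quoted in post #6
BODY_DOUBLE = "status=" + pct(pct(STATUS))   # escaped twice: the form seen inside the base string

if __name__ == "__main__":
    print(BASE)
    print("escaped once :", server_accepts(SIGNATURE, "POST", URL, OAUTH, BODY_ESCAPED, SECRETS))
    print("escaped twice:", server_accepts(SIGNATURE, "POST", URL, OAUTH, BODY_DOUBLE, SECRETS))
```

The once-escaped body verifies; the twice-escaped body decodes to a different status than the one that was signed, so the same signature is rejected.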


#7

Hi Taylor,

I took a look at the OAuth Tool in my app settings and compared the result to the one I generate using my program.

OAuth Tool

POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json&oauth_consumer_key%3DkmdP6acaOerqxqHUNyyBOg%26oauth_nonce%3D11634c3ab0ec609e8074d248d11f3bf5%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1325609082%26oauth_token%3D284729225-ke0qzExyvr55JTrv0AstJ7LPzwbTBNoNenKu0R4b%26oauth_version%3D1.0%26status%3DWe%2527ve%2520updated%2520our%2520directory%2520information%2521%2520http%253A%252F%252Fbizview.modernearth.net%252Fdirectory%252Fdirectory.cfm%253FbusinessID%253D55

Signature: MVPibRlsrDGTG3%2FXltpqgNznUBI%3D

Generated by my code:

POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json&oauth_consumer_key%3DkmdP6acaOerqxqHUNyyBOg%26oauth_nonce%3Dxiwc4JcKh1iWYlMU7Hu58mz5rXx0zA%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1325610320%26oauth_token%3D284729225-ke0qzExyvr55JTrv0AstJ7LPzwbTBNoNenKu0R4b%26oauth_version%3D1.0%26status%3DWe%2527ve%2520updated%2520our%2520directory%2520information%2521%2520http%253A%252F%252Fbizview.modernearth.net%252Fdirectory%252Fdirectory.cfm%253FbusinessID%253D55

Signature: RP1U4AnBZ8amYCxT2PGsLywIYZo%3D

I split the two up and compared them. The only differences between the two are the oauth_nonce and oauth_timestamp (which are understandable). At the moment I’m a bit lost as to what the problem could be.


#8

This not work?


#9

Yeah, it still didn’t work. But I swapped out my general purpose OAuth library for a ColdFusion Twitter-specific library and it seemed to handle the posting no problem. Although I would have preferred using a general OAuth library I unfortunately needed to complete the task =/