401 Unauthorized | Failed to validate oauth signature and token


#1

Hi,

So, I’m trying to replicate authentication to an application using the cURL command. I’m entering the following information in the CLI:

curl --request 'POST' 'https://api.twitter.com/oauth/request_token' --header 'Authorization: OAuth oauth_callback="http%3A%2F%2Flocalhost%2Fsign-in-with-twitter%2F", oauth_consumer_key="6NxcVZ8NXrJbu5rNubijg", oauth_nonce="7e74b10823c3327f7a00873c9a3d5d3d", oauth_signature="4cX0mZL1lBHHFAo4sfYRYHoe84A%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1371672680", oauth_version="1.0"' --verbose

Unfortunately, I get a 401. I realize that the timestamp has to be within 2 minutes and that it’s Unix epoch time. I also realize that perhaps I should NOT copy the OAuth tool as well, but I wanted to confirm.

This is the error I get back:

* About to connect() to api.twitter.com port 443 (#0)
*   Trying 199.16.156.104...
* connected
* Connected to api.twitter.com (199.16.156.104) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* 	 subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; OU=Twitter Security; CN=api.twitter.com
* 	 start date: 2013-04-08 00:00:00 GMT
* 	 expire date: 2013-12-31 23:59:59 GMT
* 	 subjectAltName: api.twitter.com matched
* 	 issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)09; CN=VeriSign Class 3 Secure Server CA - G2
* 	 SSL certificate verify ok.
> POST /oauth/request_token HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
> Host: api.twitter.com
> Accept: */*
> Authorization: OAuth oauth_callback="http%3A%2F%2Flocalhost%2Fsign-in-with-twitter%2F", oauth_consumer_key="6NxcVZ8NXrJbu5rNubijg", oauth_nonce="7e74b10823c3327f7a00873c9a3d5d3d", oauth_signature="4cX0mZL1lBHHFAo4sfYRYHoe84A%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1371672680", oauth_version="1.0"
>
< HTTP/1.1 401 Unauthorized
< cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
< content-length: 44
< content-type: text/html; charset=utf-8
< date: Wed, 19 Jun 2013 20:14:08 GMT
< expires: Tue, 31 Mar 1981 05:00:00 GMT
< last-modified: Wed, 19 Jun 2013 20:14:08 GMT
< pragma: no-cache
< server: tfe
< set-cookie: _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCKGmEl4%252FAToHaWQiJWFh%250AMWRmYzBmZmJmNTgwNTExNWQyZTE5NWQxMDRiZGJk--a117a6c9e047a97f5a5434f055eca30d43dd3cf5; domain=.twitter.com; path=/; HttpOnly
< set-cookie: guest_id=v1%3A137167284797584811; Domain=.twitter.com; Path=/; Expires=Fri, 19-Jun-2015 20:14:08 UTC
< status: 401 Unauthorized
< strict-transport-security: max-age=631138519
< vary: Accept-Encoding
< x-frame-options: SAMEORIGIN
< x-mid: 15dcca4c776a648090a6ff11ed7fb2722e2afc54
< x-runtime: 0.01170
< x-transaction: 284ef59318f951b2
< x-ua-compatible: IE=10,chrome=1
< x-xss-protection: 1; mode=block
<
* Connection #0 to host api.twitter.com left intact
Failed to validate oauth signature and token* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

#2

According to this StackOverflow post http://stackoverflow.com/a/5261761/225292, you can’t use localhost as a callback, you have to use an IP address, so you might try that.

From what I’ve seen, nowadays you specify the callback in the Twitter application (see the configuration for your app) instead of passing it in with the header (though I could be wrong) – you might try that also.

I won’t be able to be of further help; just passin’ by.
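
How an HMAC-SHA1 `oauth_signature` like the one in the request in post #1 is computed and checked under RFC 5849, as an added example that is not part of the original thread. It reuses the header values from that post; the consumer secret (`CONSUMER_SECRET_PLACEHOLDER`), the altered timestamp and all helper names are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def enc(value):
    # RFC 3986 percent-encoding: everything except unreserved characters is escaped.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # METHOD & enc(URL) & enc(sorted "k=v" pairs); oauth_signature itself is never signed.
    # Assumes url has no query string (query parameters would have to be merged into params).
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Key is enc(consumer secret) & enc(token secret); no token secret exists yet at request_token.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, consumer_secret, token_secret=""):
    # Server side: recompute over the received values and compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

def authorization_header(params):
    return "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in sorted(params.items()))

URL = "https://api.twitter.com/oauth/request_token"
SECRET = "CONSUMER_SECRET_PLACEHOLDER"  # constructed; the real secret is not on the page
PARAMS = {  # values from the header in post #1, callback shown decoded
    "oauth_callback": "http://localhost/sign-in-with-twitter/",
    "oauth_consumer_key": "6NxcVZ8NXrJbu5rNubijg",
    "oauth_nonce": "7e74b10823c3327f7a00873c9a3d5d3d",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1371672680",
    "oauth_version": "1.0",
}

def demo():
    signed = dict(PARAMS, oauth_signature=sign("POST", URL, PARAMS, SECRET))
    stale = dict(signed, oauth_timestamp="1371672848")  # constructed: same signature, new timestamp
    return (verify("POST", URL, signed, SECRET),          # untouched request validates
            verify("POST", URL, stale, SECRET),           # any changed field invalidates it
            verify("POST", URL, signed, "OTHER_SECRET"))  # so does a different secret

if __name__ == "__main__":
    print(authorization_header(dict(PARAMS, oauth_signature=sign("POST", URL, PARAMS, SECRET))))
    print(demo())
```

Because the signature covers the method, URL, every `oauth_*` value and the secrets, it has to be recomputed for each request with a fresh nonce and timestamp.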