401 Unauthorized with https://api.twitter.com/oauth/request_token


#1

Hello!
I want to use https://api.twitter.com/oauth/request_token, but always get 401 Unauthorized answers.

I do my testing via curl. Here is an example request:

curl --request 'POST' 'https://api.twitter.com/oauth/request_token' --header 'Authorization: OAuth oauth_callback="http%3A%2F%2Fwww.ea-services.be%2Fblank.html", oauth_consumer_key="m9JhzYtNxdWkxFnSbVSMw", oauth_nonce="hj00s5wxFVx6l7qWnx", oauth_signature="TDhCuHO2evdhvpYmlk3AA8S4hIM=", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1373550968", oauth_version="1.0"' --verbose

Output:

* About to connect() to api.twitter.com port 443 (#0)
* Trying 199.16.156.72... connected
(…)

POST /oauth/request_token HTTP/1.1
User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: api.twitter.com
Accept: */*
Authorization: OAuth oauth_callback="http%3A%2F%2Fwww.ea-services.be%2Fblank.html", oauth_consumer_key="m9JhzYtNxdWkxFnSbVSMw", oauth_nonce="hj00s5wxFVx6l7qWnx", oauth_signature="TDhCuHO2evdhvpYmlk3AA8S4hIM=", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1373550968", oauth_version="1.0"

< HTTP/1.1 401 Unauthorized
< cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
< content-length: 44
< content-type: text/html; charset=utf-8
< date: Thu, 11 Jul 2013 13:56:38 GMT
< expires: Tue, 31 Mar 1981 05:00:00 GMT
< last-modified: Thu, 11 Jul 2013 13:56:38 GMT
< pragma: no-cache
< server: tfe
< set-cookie: _twitter_sess=BAh7CCIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoHaWQiJWVjNWEyY2M3MzAwMDkyNDYzYzBjNDlk%250ANWI5MmY1NDI0Og9jcmVhdGVkX2F0bCsIC%252FMEzj8B–7903849498bef042dbbe6cb6717bd48d4d5c2a3f; domain=.twitter.com; path=/; HttpOnly
< set-cookie: guest_id=v1%3A137355099816338421; Domain=.twitter.com; Path=/; Expires=Sat, 11-Jul-2015 13:56:38 UTC
< status: 401 Unauthorized
< strict-transport-security: max-age=631138519
< vary: Accept-Encoding
< x-frame-options: SAMEORIGIN
< x-mid: 49367fb0e9139cd40e4a0b15238118a95c539b20
< x-runtime: 0.00682
< x-transaction: 11aa46cefde5d7f5
< x-ua-compatible: IE=10,chrome=1
< x-xss-protection: 1; mode=block

I tested my signature method with the examples provided in the doc and with this tool: http://quonos.nl/oauthTester/, and it seems to be working well.
I tried feeding the oauth_callback both raw and urlencoded to my signature making method (while always keeping it url encoded in the Authorization header as shown above). It didn't work.
I checked my timestamp and am pretty sure it's ok.
oauth_nonce is generated based on timestamp + random chars … so it is different each time.

So, I’m running out of ideas …


#2

Same problem here. I checked the time I'm sending and that doesn't seem to be the issue (one of the common problems I've seen).

This is pretty frustrating as I don't have a knowledge base for OAuth and Google has given me squat regarding this issue. No idea how I am supposed to debug this.


#3

You must set a callback URL in your Twitter app's OAuth settings in order to use the oauth_callback header …


#4

You need to set up a callback URL, in app settings. If you don’t have one, put a placeholder and put one in later.
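
For anyone debugging the signing side of the request in post #1, here is an added example (not part of any post in this thread, and not Twitter's code) that builds the OAuth 1.0 HMAC-SHA1 signature base string and Authorization header for the request_token step as RFC 5849 describes it. The parameter values are the ones from post #1; the consumer secret is not on the page, so `CONSUMER_SECRET` is a constructed placeholder and the resulting signature will not match the poster's.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    # Encode every name and value, sort, then join as name=value pairs with '&'.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # The normalized string is encoded once more, so a raw callback URL
    # appears double-encoded (%253A, %252F) in the base string.
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # No token exists yet at the request_token step, so the key ends with '&'.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def authorization_header(params: dict, signature: str) -> str:
    # In the header each value is encoded exactly once.
    signed = dict(params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))

URL = "https://api.twitter.com/oauth/request_token"
# Values from the request in post #1; the callback is passed in RAW (decoded) form.
PARAMS = {
    "oauth_callback": "http://www.ea-services.be/blank.html",
    "oauth_consumer_key": "m9JhzYtNxdWkxFnSbVSMw",
    "oauth_nonce": "hj00s5wxFVx6l7qWnx",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1373550968",
    "oauth_version": "1.0",
}
CONSUMER_SECRET = "constructed-placeholder-secret"  # assumption: not on the page

BASE = signature_base_string("POST", URL, PARAMS)
SIGNATURE = sign(BASE, CONSUMER_SECRET)
HEADER = authorization_header(PARAMS, SIGNATURE)

if __name__ == "__main__":
    print(BASE)
    print(HEADER)
```

Passing an already percent-encoded callback into `signature_base_string` produces `%25253A` in the base string, which is a different string to sign than the one built from the raw URL.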