Application-only authentication 403 response (objective c)


#1

I’m attempting to use application-only authentication to connect to the 1.1 Twitter API. The response to my HTTP request is below…any thoughts on what the problem might be?

{
“Cache-Control” = “no-cache, no-store, must-revalidate, pre-check=0, post-check=0”;
“Content-Encoding” = gzip;
“Content-Length” = 118;
“Content-Type” = “application/json; charset=utf-8”;
Date = “Mon, 29 Jul 2013 20:38:04 GMT”;
Expires = “Tue, 31 Mar 1981 05:00:00 GMT”;
“Last-Modified” = “Mon, 29 Jul 2013 20:38:04 GMT”;
Pragma = “no-cache”;
Server = tfe;
“Set-Cookie” = “_twitter_sess=BAh7CDoMY3NyZl9pZCIlOTY2OTgyMTQwZDBlZDQ4N2VmMjNmYTZiMDZiYjFm 0X1.67F4B01F90C18P-881YTg6B2lkIiU1ZTc4YTBlZDY0ZjljMTliYzIzNDU2YzE5MDE3MTJjYjoPY3Jl 0X1.7FFFB87P-1043YXRlZF9hdGwrCIjwJixAAQ 1369344 -1776385004–fe13f9fad7ced6e0258cac8d2539e230b59a5503; domain=.twitter.com; path=/; HttpOnly”;
Status = “403 Forbidden”;
“Strict-Transport-Security” = “max-age=631138519”;
Vary = “Accept-Encoding”;
“x-frame-options” = DENY;
“x-mid” = b78b8b2da4f78b74db75127842376ab7068fab02;
“x-runtime” = “0.01221”;
“x-transaction” = 93f0c3970938c01d;
“x-ua-compatible” = “IE=10,chrome=1”;
“x-xss-protection” = “1; mode=block”;
}


#2

no one?


#3

Can you provide more info on the request you’ve made and how it was formulated (without exposing your credentials)?

Thanks!


#4

I’m attempting to update an iPhone app for the new (1.1) Twitter API. I’d like to use Application-only Authentication, so that a user of the app does not need their own Twitter account. I created a Twitter app, and am encoding the consumer key & secret before attempting to authenticate:

NSString *consumerKey = @"xxxxxxxxxxxx";
NSString *consumerSecret = @"yyyyyyyyyyyyyyyyyyyy";

// Percent-encode the key and secret, then join them as key:secret
NSString *consumerKeyRFC1738 = [consumerKey stringByAddingPercentEscapesUsingEncoding:NSASCIIStringEncoding];
NSString *consumerSecretRFC1738 = [consumerSecret stringByAddingPercentEscapesUsingEncoding:NSASCIIStringEncoding];

NSString *concatKeySecret = [[consumerKeyRFC1738 stringByAppendingString:@":"] stringByAppendingString:consumerSecretRFC1738];

NSLog(@"concatKeySecret:%@", concatKeySecret);

// base64EncodedString is assumed to come from an NSString Base64 category in the project
NSString *concatKeySecretBase64 = [concatKeySecret base64EncodedString];

NSLog(@"concatKeySecretBase64:%@", concatKeySecretBase64);

NSMutableURLRequest *request = [NSMutableURLRequest
    requestWithURL:[NSURL URLWithString:@"https://api.twitter.com/oauth2/token"]];

[request setHTTPMethod:@"POST"];
[request setValue:[@"Basic " stringByAppendingString:concatKeySecretBase64] forHTTPHeaderField:@"Authorization"];
[request setValue:@"application/x-www-form-urlencoded;charset=UTF-8" forHTTPHeaderField:@"Content-Type"];

// Form-encoded request body, as posted
NSString *str = @"grant-type=client_credentials";
NSData *httpBody = [str dataUsingEncoding:NSUTF8StringEncoding];

[request setHTTPBody:httpBody];

NSLog(@"Request:%@", request);

//NSURLConnection *connection = [[NSURLConnection alloc] initWithRequest:request delegate:self];

NSHTTPURLResponse *response = nil;
[NSURLConnection sendSynchronousRequest:request returningResponse:&response error:nil];

// Only the response headers are logged here; the response body is discarded
if ([response respondsToSelector:@selector(allHeaderFields)]) {
    NSDictionary *dictionary = [response allHeaderFields];
    NSLog(@"%@", [dictionary description]);
    //NSLog(@"ETAG:%@", [dictionary valueForKey:@"ETag"]);
}

The response I receive is:

{
“Cache-Control” = “no-cache, no-store, must-revalidate, pre-check=0, post-check=0”;
“Content-Encoding” = gzip;
“Content-Length” = 118;
“Content-Type” = “application/json; charset=utf-8”;
Date = “Tue, 30 Jul 2013 17:26:47 GMT”;
Expires = “Tue, 31 Mar 1981 05:00:00 GMT”;
“Last-Modified” = “Tue, 30 Jul 2013 17:26:47 GMT”;
Pragma = “no-cache”;
Server = tfe;
“Set-Cookie” = “_twitter_sess=BAh7CDoMY3NyZl9pZCIlYWEwY2Y2NzU2NmQ3MjFjMTAyZmY2ZGFlNjFiZWNj 0X1.67F4B01F90C18P-881MjQ6B2lkIiUzNmQ1YTE1ZDQxZTFiN2Q0MTFjNzY2MmI5YTE2NDVkYToPY3Jl 0X1.7FFFB87P-1043YXRlZF9hdGwrCMQunjBAAQ 1371904 -1776385004–7706e5d6c3e090acdab9a3c94d433e11eab2b48b; domain=.twitter.com; path=/; HttpOnly”;
Status = “403 Forbidden”;
“Strict-Transport-Security” = “max-age=631138519”;
Vary = “Accept-Encoding”;
“x-frame-options” = DENY;
“x-mid” = 62d49efa6db6ee537df4e330e351d93fbd0cf900;
“x-runtime” = “0.01460”;
“x-transaction” = 49b51f5559838ae4;
“x-ua-compatible” = “IE=10,chrome=1”;
“x-xss-protection” = “1; mode=block”;
}


#5

You’re passing grant-type instead of grant_type in the body of the request.


#6

YES!!! Thank you Sean!!!
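
The fix from reply #5, as an added Objective-C example that is not part of the original thread: it sends `grant_type=client_credentials` and, unlike the code in #4, hands the response body back on a non-200 status so the API's error text is visible. The function names are hypothetical, and it assumes iOS 7 or later for `NSURLSession` and the Foundation Base64 and percent-encoding calls.

```objective-c
#import <Foundation/Foundation.h>

// Added example; helper names are hypothetical. Assumes iOS 7+ / OS X 10.9+.
static NSString *PercentEncode(NSString *s) {
    // Leave only RFC 3986 unreserved characters unescaped.
    NSCharacterSet *ok = [NSCharacterSet characterSetWithCharactersInString:
        @"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"];
    return [s stringByAddingPercentEncodingWithAllowedCharacters:ok];
}

static NSURLRequest *BearerTokenRequest(NSString *key, NSString *secret) {
    NSString *pair = [NSString stringWithFormat:@"%@:%@", PercentEncode(key), PercentEncode(secret)];
    NSString *basic = [[pair dataUsingEncoding:NSUTF8StringEncoding] base64EncodedStringWithOptions:0];
    NSMutableURLRequest *req = [NSMutableURLRequest requestWithURL:
        [NSURL URLWithString:@"https://api.twitter.com/oauth2/token"]];
    req.HTTPMethod = @"POST";
    [req setValue:[@"Basic " stringByAppendingString:basic] forHTTPHeaderField:@"Authorization"];
    [req setValue:@"application/x-www-form-urlencoded;charset=UTF-8" forHTTPHeaderField:@"Content-Type"];
    // Underscore, not hyphen: the parameter name is grant_type.
    req.HTTPBody = [@"grant_type=client_credentials" dataUsingEncoding:NSUTF8StringEncoding];
    return req;
}

// Calls done(token, nil) on success or done(nil, reason) on failure.
static void FetchBearerToken(NSString *key, NSString *secret,
                             void (^done)(NSString *token, NSString *failure)) {
    NSURLSessionDataTask *task = [[NSURLSession sharedSession]
        dataTaskWithRequest:BearerTokenRequest(key, secret)
          completionHandler:^(NSData *data, NSURLResponse *resp, NSError *err) {
        if (err || !data) { done(nil, err.localizedDescription ?: @"no data"); return; }
        NSInteger status = [(NSHTTPURLResponse *)resp statusCode];
        if (status != 200) {
            // Return the body too; the thread's dumps show a JSON body the posted code never read.
            NSString *body = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
            done(nil, [NSString stringWithFormat:@"HTTP %ld: %@", (long)status, body]);
            return;
        }
        NSDictionary *json = [NSJSONSerialization JSONObjectWithData:data options:0 error:NULL];
        if (![json isKindOfClass:[NSDictionary class]] ||
            ![json[@"token_type"] isEqual:@"bearer"] ||
            ![json[@"access_token"] isKindOfClass:[NSString class]]) {
            done(nil, @"unexpected token response");
            return;
        }
        done(json[@"access_token"], nil);
    }];
    [task resume];
}
```

The example never logs the encoded key and secret; the `NSLog` calls in #4 write both to the device log.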