Authentication for API 1.0 doesn't work on API 1.1


#1

I am trying to port a Unity C# library (Let’s Tweet in Unity) from Twitter API 1.0 to Twitter API 1.1 and I am not being successful so far. I am not sure what I am doing wrong.

Accessing request token and API 1.0 works fine:
when requesting a token with
https://api.twitter.com/oauth/request_token?oauth_callback=oob
The header that works looks like:

OAuth realm="Twitter API",oauth_consumer_key="UTBZ3cHunh74qaucY2fw",oauth_nonce="14B2676B1333401B58D255C933625F",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1362631948",oauth_token="37723609-KxnADwDGXsuh97Aw3wq39Twr2qUUDKHf1OzizEJS7",oauth_version="1.0",oauth_signature="u6GIn5XK8UveScMc61SXziln6vw%3D"

and base signature:

POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Doob%26oauth_consumer_key%3DUTBZ3cHunh74qaucY2fw%26oauth_nonce%3D6AD980EFE68D386EF9BB423475BCD2A9%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1362632061%26oauth_version%3D1.0

and posting a tweet to API 1.0 with
http://api.twitter.com/1/statuses/update.xml?status={0}
looks similar and works fine.

header:
OAuth realm="Twitter API",oauth_consumer_key="UTBZ3cHunh74qaucY2fw",oauth_nonce="E79F1F2155D4EB9D20E2A9174B0B5FE",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1362634604",oauth_token="37723609-KxnADwDGXsuh97Aw3wq39Twr2qUUDKHf1OzizEJS7",oauth_version="1.0",oauth_signature="L2qYobJVJSNqBsNYDe5kVUKue8k%3D"

base signature:
POST&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.xml&oauth_consumer_key%3DUTBZ3cHunh74qaucY2fw%26oauth_nonce%3DE79F1F2155D4EB9D20E2A9174B0B5FE%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1362634604%26oauth_token%3D37723609-KxnADwDGXsuh97Aw3wq39Twr2qUUDKHf1OzizEJS7%26oauth_version%3D1.0%26status%3Dtwewt

But once I try to access API 1.1 search for example with the following URL
https://api.twitter.com/1.1/search/tweets.json?q=iphone

header:
OAuth realm="Twitter API",oauth_consumer_key="UTBZ3cHunh74qaucY2fw",oauth_nonce="4641F613269630E2B27C1F5D21D6D44D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1362632328",oauth_token="37723609-KxnADwDGXsuh97Aw3wq39Twr2qUUDKHf1OzizEJS7",oauth_version="1.0",oauth_signature="HRoP4g5c2PZcQsvsdatGUIKwyfs%3D"

base string signature:
GET&https%3A%2F%2Fapi.twitter.com%2F1.1%2Fsearch%2Ftweets.json&oauth_consumer_key%3DUTBZ3cHunh74qaucY2fw%26oauth_nonce%3D4641F613269630E2B27C1F5D21D6D44D%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1362632328%26oauth_token%3D37723609-KxnADwDGXsuh97Aw3wq39Twr2qUUDKHf1OzizEJS7%26oauth_version%3D1.0

I get an unauthorized 400 error.

I tried to change the header to match the auth signing result from the dev page by removing the realm=Twitter API and replacing it with "Authorization: OAuth oauth_consumer…"
That yields a bad request 401 error.

Note that calling https://api.twitter.com/oauth/request_token?oauth_callback=oob with the header starting with “Authorization: OAuth oauth_consumer…” will give me an unauthorized 400 error.

I have tried to add q=iphone in the signature and still get an unauthorized 400 error:

header:
OAuth realm="Twitter API",oauth_consumer_key="UTBZ3cHunh74qaucY2fw",oauth_nonce="A3493A701A3FA1DFEBC52515EC84B7C3",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1362634964",oauth_token="37723609-KxnADwDGXsuh97Aw3wq39Twr2qUUDKHf1OzizEJS7",oauth_version="1.0",oauth_signature="U5yptdr34gKDKwvM7fiSi4cyMkw%3D"

base signature
GET&https%3A%2F%2Fapi.twitter.com%2F1.1%2Fsearch%2Ftweets.json&oauth_consumer_key%3DUTBZ3cHunh74qaucY2fw%26oauth_nonce%3DA3493A701A3FA1DFEBC52515EC84B7C3%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1362634964%26oauth_token%3D37723609-KxnADwDGXsuh97Aw3wq39Twr2qUUDKHf1OzizEJS7%26oauth_version%3D1.0%26q%3Diphone

Any suggestions of what I am doing wrong?


#2

Your last example is most correct, in that you’re including the “q” parameter in your signature base string and in the right sorted position (the query or POST parameters of requests go sorted into the signature base string).

Nothing leaps out at me about what you’re doing here that might be wrong. Have you verified that your timestamp is up to date? API v1.1 in general is more strict about both HTTP 1.1 compliance and OAuth 1.0A compliance. Assuming your signature generation is correct (are you using a composite signing key of the consumerSecret&accessTokenSecret?) it looks like you should be pretty close to getting this working.
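
The signing steps discussed in this thread (query parameters sorted into the signature base string, the composite signing key, timestamp freshness), as an added Python example that is not code from either poster or from the library being ported. The public values are copied from the last attempt in post #1; both secrets and the `max_skew` tolerance are constructed assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Public values copied from the last attempt in the post; both secrets are constructed.
OAUTH = {
    "oauth_consumer_key": "UTBZ3cHunh74qaucY2fw",
    "oauth_nonce": "A3493A701A3FA1DFEBC52515EC84B7C3",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1362634964",
    "oauth_token": "37723609-KxnADwDGXsuh97Aw3wq39Twr2qUUDKHf1OzizEJS7",
    "oauth_version": "1.0",
}
URL = "https://api.twitter.com/1.1/search/tweets.json"  # endpoint without its query string
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"


def pct(value):
    """RFC 3986 encoding: only letters, digits and - . _ ~ stay unescaped."""
    return quote(value, safe="-._~")


def base_string(method, url, oauth_params, request_params):
    """METHOD & encoded URL & encoded, sorted oauth_* plus query/POST parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in {**oauth_params, **request_params}.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with consumerSecret&accessTokenSecret, base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def verify(method, url, oauth_params, request_params, signature, now, max_skew=300):
    """Server-side view: reject stale timestamps, then compare in constant time.
    max_skew is an assumed tolerance, not a documented Twitter value."""
    if abs(now - int(oauth_params["oauth_timestamp"])) > max_skew:
        return False
    expected = sign(base_string(method, url, oauth_params, request_params),
                    CONSUMER_SECRET, TOKEN_SECRET)
    return hmac.compare_digest(expected, signature)
```

`base_string("GET", URL, OAUTH, {"q": "iphone"})` reproduces the last base string in post #1 character for character; the realm value is not part of it.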


#3

Hi there, I know this is an oldish post but was wondering if you resolved this issue? I’m working on the same thing but not having much luck! Any tips or pointers would be very much appreciated! Thanks.