Building new library but oob request token fails with 401


#1

Hi,

I’m trying to develop a (Twitter) OAuth v1.0a library for use with the FreePascal programming language.

First I’m trying to implement OOB authentication.
I authorized the application with an empty callback URL and got consumer key and secret (no access token/secret).
While trying to get a request token, I get a 401 result.
Data below (I’ve since changed the consumer key and secret).

I put the OAuth header in the authorization header, nothing in the body or querystring.

The response with the 401 differs by 1 second from the request time, so I think the time should be well synchronized. Translating the request timestamp back to UTC seems to give the correct value.

The signature base string validated OK via http://quonos.nl/oauthTester/

Questions:

  1. Can anybody see something wrong with the below?
  2. RFC 5849 says “The client MAY omit the empty “oauth_token” protocol parameter from the request”. I’ve left it in; is this OK?
  3. Anything else I can check?

Current UTC time: 13:52:12 (at time of sending message)
Request timestamp: 1339336332
Converted back: 10-6-2012 13:52:12

Parameter string:
oauth_callback=oob&oauth_consumer_key=KwT8AYDznYoqsRmShCPSA&oauth_nonce=RMEj0z6DXmSzCr9W4C3MH7r664pcZUCxusc9MkI41&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1339336332&oauth_token=&oauth_version=1.0

Signature base string:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Doob%26oauth_consumer_key%3DKwT8AYDznYoqsRmShCPSA%26oauth_nonce%3DRMEj0z6DXmSzCr9W4C3MH7r664pcZUCxusc9MkI41%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1339336332%26oauth_token%3D%26oauth_version%3D1.0

signature:
I6zQvdfg6iKeE1qLJ8RXs1ijFnU=

Authorization Header:
OAuth oauth_callback="oob", oauth_consumer_key="KwT8AYDznYoqsRmShCPSA", oauth_nonce="vY8ayYlLHkw5dsmqFClJiWREIqk1yTBPXD243DOgU", oauth_signature="I6zQvdfg6iKeE1qLJ8RXs1ijFnU%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1339336332", oauth_token="", oauth_version="1.0"

POSTing to URL: https://api.twitter.com/oauth/request_token

Returned:
HTTP/1.1 401 Unauthorized
Date: Sun, 10 Jun 2012 13:52:13 GMT
Failed to validate oauth signature and token


#2

Sorry, turned out to be a nonce that I inadvertently changed during signature generation.

Code now works and can be found on


Next up: cleanup, authentication with existing oauth_token & secret…
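
Added example, not part of the original posts and not the poster's Pascal code: a Python check that compares the parameters covered by the signature base string with those actually sent in the Authorization header, run on the values from post #1. The function names and the secret in the test are assumptions made for illustration.

```python
import base64, hashlib, hmac, re
from urllib.parse import quote, unquote

# Values copied from post #1 (quotes normalised to ASCII).
BASE_STRING = ("POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&"
               "oauth_callback%3Doob%26oauth_consumer_key%3DKwT8AYDznYoqsRmShCPSA%26"
               "oauth_nonce%3DRMEj0z6DXmSzCr9W4C3MH7r664pcZUCxusc9MkI41%26"
               "oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1339336332%26"
               "oauth_token%3D%26oauth_version%3D1.0")
AUTH_HEADER = ('OAuth oauth_callback="oob", oauth_consumer_key="KwT8AYDznYoqsRmShCPSA", '
               'oauth_nonce="vY8ayYlLHkw5dsmqFClJiWREIqk1yTBPXD243DOgU", '
               'oauth_signature="I6zQvdfg6iKeE1qLJ8RXs1ijFnU%3D", '
               'oauth_signature_method="HMAC-SHA1", oauth_timestamp="1339336332", '
               'oauth_token="", oauth_version="1.0"')

def signed_params(base_string):
    """Parameters covered by the signature: third '&' field, decoded once."""
    _method, _url, enc_params = base_string.split("&", 2)
    pairs = (p.split("=", 1) for p in unquote(enc_params).split("&"))
    return {unquote(k): unquote(v) for k, v in pairs}

def header_params(header):
    """Parameters actually sent in the Authorization header."""
    body = header.split(" ", 1)[1]
    return {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', body)}

def mismatches(base_string, header):
    """Map name -> (signed value, sent value) for each parameter that differs."""
    signed, sent = signed_params(base_string), header_params(header)
    sent.pop("oauth_signature", None)  # the signature is never part of its own input
    sent.pop("realm", None)            # realm is excluded from the base string
    return {k: (signed.get(k), sent.get(k))
            for k in sorted(signed.keys() | sent.keys())
            if signed.get(k) != sent.get(k)}

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 HMAC-SHA1: the key is both encoded secrets joined by '&'."""
    key = f"{quote(consumer_secret, safe='')}&{quote(token_secret, safe='')}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

if __name__ == "__main__":
    for name, (signed, sent) in mismatches(BASE_STRING, AUTH_HEADER).items():
        print(f"{name}: signed {signed!r} but sent {sent!r}")
```

The server rebuilds the base string from the parameters it receives, so a nonce that differs between the two places yields a different HMAC and a 401 even when the base string itself validates.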


#3

Glad you got it figured out, @rismyname7! Thanks for sharing your Pascal code, I’ve tagged this post to make it easy for folks to find.

