Can make calls to verify_credentials with key/token, but keep getting 401 when requesting a token


#1

I’ve read through the OAuth docs from Twitter (which seem great), requested API keys, and a token for my Twitter account.

I’ve been able to call into https://api.twitter.com/1.1/account/verify_credentials.json and pull back my info without any issues.

Happy with some code that signs, sorts etc. I’ve moved onto requesting a token for user authorization.

This is a snippet of what’s working (pulling my info):

This is what I’m signing with my (consumerSecret&accessTokenSecret)

GET&https%3A%2F%2Fapi.twitter.com%2F1.1%2Faccount%2Fverify_credentials.json&oauth_consumer_key%3D##KEY##%26oauth_nonce%3D2edc41bfa9fe48369f2576452d14f942%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1361234363%26oauth_token%3D##TOKEN##%26oauth_version%3D1.0

This is my Authorization header:

OAuth oauth_token="##TOKEN##",
oauth_version=“1.0”,
oauth_consumer_key="##KEY##",
oauth_timestamp=“1361234363”,
oauth_signature_method=“HMAC-SHA1”,
oauth_nonce=“2edc41bfa9fe48369f2576452d14f942”,
oauth_signature=“oZh_8hvCBIROCiKOZaASoYxrGV8%3D”

This is a snippet of my token request, which isn’t working

What I’m signing (with just my consumerSecret)

POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Flocalhost%252Fsign-in-with-twitter%252F%26oauth_consumer_key%3D##KEY##%26oauth_nonce%3D3963029ea8ce44ea841478163d3d936e%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1361238175%26oauth_version%3D1.0

Authorization header

OAuth oauth_nonce=“3963029ea8ce44ea841478163d3d936e”,
oauth_signature_method=“HMAC-SHA1”,
oauth_version=“1.0”,
oauth_timestamp=“1361238175”,
oauth_consumer_key="##KEY##",
oauth_callback=“http%3A%2F%2Flocalhost%2Fsign-in-with-twitter%2F”,
oauth_signature=“cNHrnzEPlpDXh04hhu9RIcKmhhI%3D”

The only differences with either request is that

  • the working one gets signed with consumerSecret&accessTokenSecret and the other is signed with just consumerSecret
  • the non-working one has oauth_callback added to the authorization header, with an encoded URL (which gets re-encoded during the signing process)
  • the working one has my accessToken added to the authorization header, and the other doesn’t

My clock is good, and I do get good requests from the first one, so that shouldn’t be an issue. I’ve removed the callback from the second (I know it’s required, but just to see if I get some other error, as that’s the only new thing added). Is there something blatantly obvious that I’m missing?

Thanks =)


#2

One guess for you: when you’re signing the oauth/request_token request, it’s not that you sign it “only” with your consumer secret, you sign it with a consumer secret and a null token secret. So, more like: “consumerSecret&” instead of just “consumerSecret”


#3

Thanks @episod,

I did notice that someone had done that from a snippet on some SO post, or somewhere else, and had tried it once to no avail. I quickly gave up on that, as I didn’t see it, or it didn’t stand out, within the Twitter documentation.

I did just try it again, and it worked!
I must’ve had something else wrong somewhere, that I fixed between when I tried the null token secret and now. Goes to show that I shouldn’t rule something out as not working permanently in my brain =)

Thanks,
Justin


#4

Okay, one other thing I’m noticing is that I get successful calls when my signature has no dashes/underscores within it, when it does I always get a 401.

I don’t see anything mentioning that in

So these signatures fails:
…oauth_signature=“Xq4ue_aUj1kQ3LZ6ED5sVN47Q5w%3D”
…oauth_signature=“DnGSZ5l4eq-3N3U2CCwn7QaS4t4%3D”
…oauth_signature=“N_0PdWC8zyCgOKFfQ4VS1VD-hwo%3D”

Any signature without _- work.


#5

@episod

Doh! Sorry, I’ve got a reply awaiting moderation and I’ve just figured it out.
I was base64 URL encoding my signature (using Golang) which places the dashes/underscores in my signature.
I switched it to a base64 standard encoding, and all is well =)

Thanks again,
Justin


#6

Glad you got it figured out, Justin!