Do I use the acces token in my app settings?


#1

I have a console app which parses data from the streaming API. Currently I’m using Basic Auth and obviously need to change to oAuth.

Since it’s a console app, it’s not going to be calling websites to get access tokens.

I noticed there was an access token and an access token secret provided in my “app settings” page. Can I simply use that when making the call to the stream api?

I ask because I’m using those and keep getting a 401 and wanted to make sure if it’s the access tokens or something else.

I’ve compared my headers to the headers in oAuth tool and they look close enough. I’ve also compared the baseString and it looks the same.

Can I share these with you to help troubleshoot this?

These are the response headers I get from the 401:

Headers = {Connection: close Content-Length: 1285 Cache-Control: must-revalidate,no-cache,no-store Content-Type: text/html WWW-Authenticate: Basic realm="Firehose"

#2

Yeah, you can use the access token and secret from your app page to connect to the public streaming endpoints (filter, sample) without needing to do the 3-legged flow. Just be careful about sharing those credentials - they give access to your account via the API.

Can you send some more information about the request you’re making (URL, sanitized headers)? The HTML response seems weird to me.


#3

Here’s the headers. I removed the token from this post, not sure if anything else is sensitive.

Authorization OAuth
oauth_consumer_key=“zMNH25PFowKBtW5S3ZEJ4g”, oauth_nonce=“NjM1MDAwNzQwOTgxOTQzODk3”, oauth_signature=“8MuwZF2lxWgtiZnp%2F7nZAJ3DxhM%3D”,
oauth_signature_method=“HMAC-SHA1”,
oauth_timestamp=“1364495298”,
oauth_token=“TOKEN_FROM_APP_DETAIL_PAGE”,
oauth_version=“1.0”

Here is the Base String:

POST&https%3A%2F%2Fstream.twitter.com%2F1%2Fstatuses%2Ffilter.json%26include_entitites%3Dtrue%26oauth_consumer_key%3DzMNH25PFowKBtW5S3ZEJ4g%26oauth_nonce%3DNjM1MDAwNzQwOTgxOTQzODk3%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1364495298%26oauth_token%3D19578694-aeDrYV4CLbnZH22Dk5KgTM8XqjJHIFAgLEV4mlVsE%26oauth_version%3D1.0%26track%3Dthank%2520god

And this is the URL:
https://stream.twitter.com/1/statuses/filter.json?track=thank%20god&include_entities=true


#4

It looks like you’re missing an & between the URL and parameters list of your signature base string. I would expect to see:

POST&https%3A%2F%2Fstream.twitter.com%2F1.1%2Fstatuses%2Ffilter.json&include_entities...

#5

Rather than missing, it’s encoded.


#6

K. I updated, but still getting 401’s.

I noticed you’re using the URL: https://stream.twitter.com/1.1/statuses/filter.json so I’ve updated to /1.1/ [I was using just /1/ but that doesn’t seem to fix my issue.

POST&https%3A%2F%2Fstream.twitter.com%2F1.1%2Fstatuses%2Ffilter.json&include_entitites%3Dtrue%26oauth_consumer_key%3DzMNH25PFowKBtW5S3ZEJ4g%26oauth_nonce%3DNjM1MDAwNzUzNDU0MzczNzg1%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1364496545%26oauth_token%3D19578694-aeDrYV4CLbnZH22Dk5KgTM8XqjJHIFAgLEV4mlVsE%26oauth_version%3D1.0%26track%3Dthank%2520god%2520god


#7

Seems correct now, but there’s still a bunch of reasons you could be having a problem. Spaces in query strings can cause issues, so maybe try tracking a single word first (your last signature base string seemed to be for the query “thank god god”, so if that wasn’t exactly the track value you sent, then that might be a problem).

Also make sure that the access token / secret belong to the consumer key / secret you’re using, and that you’re creating the signature using both secrets as the signing key and not just the consumer secret or access token secret.

If you’re able to fix the timestamp and nonce of your request I’d say generate a request using the oauth tool on this site and then try to generate the same exact request in your code and compare the values you see.


#8

Fix my timestamp and nonce? Are they incorrect?


#9

Sorry, I meant fix them to the values used by the oauth tool (as opposed to using a current timestamp / new nonce for each request). The idea would be to compare the same exact request as signed by the tool vs. the one generated by your library.


#10

Thanks. I’ll give that a shot.

When is basic auth being completely removed? I know it’s “soon” but will you give a firm deadline prior to completely turning it off?


#11

Yeah, we will announce a firm date for basic auth to be turned off.


#12

I used the oauth tool. Copied the nonce and the timestamp. Put both into my code.

Still getting 401s. So does that rule out an issue with nonce and timestamp?

What else could be causing the 401? I’m using the access token and token secret from the app detail page and using the consumer key and secret as well.


#13

This is how I’m creating signature:

var compositeKey = string.Concat(Uri.EscapeDataString(oauth_consumer_secret), "&", Uri.EscapeDataString(oauth_token_secret));

string oauth_signature;
using (HMACSHA1 hasher = new HMACSHA1(ASCIIEncoding.ASCII.GetBytes(compositeKey))) {
oauth_signature = Convert.ToBase64String(hasher.ComputeHash(ASCIIEncoding.ASCII.GetBytes(baseString)));
}


#14

Does the signature generated from your code match the signature generated by the oauth tool when all the same parameters are used in both?

Does running the curl command from the tool produce a successful response?


#15

Signatures are different:

Mine: FN%2FLXAebWcRvzpC1GqEX3y%2BnAnc%3D

Oauth Tool: SZPmGGx4IeB4arYF1kNGaHX077w%3D

I haven’t used the curl command yet as I’ve not really used curl before.

I did take the nonce, timestamp, and signature from the oAuth tool - used them in the call and still got a 401.


#16

If the signatures are different, then something is wrong with your signing algorithm. My next step would be to do a character-by-character comparison of the signature base string generated by the tool vs. what your code generates. If anything is different at all it will be an error.

If the signature base strings are exactly the same, then you should look at the hashing code to make sure it generates the correct hmac signature.

Now that I see you’re using Java, I should also say that you should make sure that your Uri encoding follows the correct algorithm as documented here: https://dev.twitter.com/docs/auth/percent-encoding-parameters - IIRC, Java would encode spaces as “+” which would break oauth signatures (although from your base string it seems to be doing the right thing and getting %20).

You may want to consider using an established Java OAuth library since there’s so much to get wrong. My experience is that there’s a lot of fussing until you’re able to get everything exactly correct. Twitter4j has a working implementation which would at least be worth reading: https://github.com/yusuke/twitter4j/blob/master/twitter4j-core/src/main/java/twitter4j/auth/OAuthAuthorization.java


#17

Actually that’s C# (.NET) which is close enough. I was using AuthPack to generate the signatures, and the nonce and timestamp, but that wasn’t working at all either. Even with AuthPack, the signature is still not the same.

Not sure if you know anything about AuthPack, but you can see more here: http://www.voiceoftech.com/swhitley/index.php/2011/11/authpack-provides-net-oauth-for-twitter-facebook-linkedin-and-google/


#18

Given the nonce and timestamp from the oAuth tool, I am generating the signature correctly. However, I’m still getting 401 Unauthorized.

My clock seems to be in sync with Twitters. Although, I’m not sure how I can check that.