Failed to validate oauth signature and token


#1

Hi All,

It would be grateful if some one can give some ideas to overcome this issue.

When i try to login through twitter using Oauth Authentication, i am getting the following error “Failed to validate oauth signature and token”. This twitter login was working fine since yesterday. Suddenly from today i am getting this error when logging in through twitter in my mobile application.

Thanks,
Zoomzin.


#2

I have to same problem. I cant acces. I did some backups before this happened. I uploaded them into the server and doesnt work either. The only think that came to my head its that it must be a Twitter´s problem not yours or mine…I hope


#3

hey, i get the same problem too, and so i made a test php script to test, the consumerkey, signature, and nonce ect were all copy from step 1 in this page : https://dev.twitter.com/docs/auth/implementing-sign-twitter
and here’s the script:

$url = “https://api.twitter.com/oauth/request_token”;
$consumer_secret=“L8qq9PZyRg6ieKGEKhZolGC0vJWLw8iEJ88DRdyOg”;
$consumer_key=“cChZNFj6T5R0TigYB9yd1w”;
$timestamp=1318467427;
$signature_method=“HMAC-SHA1”;
$callback = “http%3A%2F%2Flocalhost%2Fsign-in-with-twitter%2F”;
$nonce = “ea9ec8429b68d6b77cd5600adbbb0456”;
$version = “1.0”;
$signature = “F1Li3tvehgcraF8DMJ7OyxO4w9Y%3D”;
//buildheadString
$h = array(“Authorization:OAuth oauth_callback=”${callback}", oauth_consumer_key="${consumer_key}", oauth_nouce="${nouce}", oauth_signature="${signature}", oauth_signature_method="${signature_method}", oauth_timestamp="${timestamp}", oauth_version="${version}"");
//get&post
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch,CURLOPT_HTTPHEADER,$h);
$data = curl_exec($ch);
if ($data === false) {
header(‘HTTP/1.1 400 Bad Request’);
exit;
} else {

echo $data;
}
but it still says failed to validate oauth signature and token, i got so puzzled, cuz there's no problem in signature....

#4

You can’t use the direct values from that page and generate a request that will still function against the API – what you can do is take all the values on that page and continue working on your OAuth code until you can create the same exact OAuth signature and authorization header. Once you’re able to replicate it exactly, then move on to using your actual values and attempting to make a request.


#5

hummm, but now i think i could creat the exact signature and using GMT time… but it’s not work… :frowning:
dont know where goes wrong…
here’s the script:

<?php //readQuery $url="https://api.twitter.com/oauth/request_token"; //echo $postParament; $consumer_secret="xxxxx"; $consumer_key="xxxxx"; date_default_timezone_set("GMT"); $timestamp=mktime(date('H'),date('i'),date('s'),date('m'),date('d'),date('y')); //echo $timestamp; $signature_method="HMAC-SHA1"; if($_POST['signature_method']){ $signature_method=$POST['signature_method']; } $callback = "http%3A%2F%2Flocalhost%2Fsign-in-with-twitter%2F"; $chart="0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz"; $nonce = substr( str_shuffle($chart),0,42); $version = "1.0"; //build baseString $baseString = "oauth_callback=${callback}&oauth_consumer_key=${consumer_key}&oauth_nonce=${nonce}&oauth_signature_method=${signature_method}&oauth_timestamp=${timestamp}&oauth_version=${version}"; $baseString = rawurlencode($baseString); $eurl = rawurlencode($url); $baseString = "POST&${eurl}&${baseString}"; //signature $s_key = "${consumer_secret}&${token_secret}"; //echo $s_key; $signature = rawurlencode(base64_encode(hash_hmac("sha1",$baseString,$s_key,true))); //buildheadString $h = array(); $h[Authorization]="OAuth oauth_callback=\"${callback}\",oauth_consumer_key=\"${consumer_key}\",oauth_nouce=\"${nonce}\",oauth_signature=\"${signature}\",oauth_signature_method=\"${signature_method}\",oauth_timestamp=\"${timestamp}\",oauth_version=\"${version}\""; //post echo date("H:i:s \e\= e \T\= T \z\= Z"); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_HEADER, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch,CURLOPT_HTTPHEADER,$h); $data = curl_exec($ch); if ($data === false) { header('HTTP/1.1 400 Bad Request'); exit; } else { echo $data; } ?>

#6

@episod


#7

This might sound stupid, make sure the time on your device is accurate within 120 seconds.


#8

okay…thank u, and who knows the twitter sever’s time zone?


#9

Even I have the same problem. Even if I am hardcoding the nonce and timestamp as obtained in the authorisation header from OAuth Testing Tools and obtaining the correct header, then also the problem persist.
Help me with this…
Thanks