From Twitter 1.0 to 1.1, gtm-oauth fails to authenticate correctly


So, I naively switched my endpoint paths to 1.1/ to see if it would work while using the gtm-oauth library, which has been working fine.

It seems to have broken in the switch.

I’ve looked closely at my Authentication headers which — except for oauth_nonce and oauth_signature (and timestamp), are consistent between my app and the OAuth Signing Tool.

It seems to me that either the signing mechanics have altered, or the nonce uniqueness requirements have changed between 1.0 and 1.1.

The error I get back from the service is “Bad Authentication data”,“code”:215" for:

using the following authentication parameters in the request header:

OAuth oauth_consumer_key=“09ARKva0K7HMz1DW1GUg”, oauth_token=“185383-nxvJMkTAvYX14YRdBhEOfOUKYzcA3ZQzLqNVMMt4Nc”, oauth_signature_method=“HMAC-SHA1”, oauth_version=“1.0”, oauth_nonce=“e4ad7f4753c4929”, oauth_timestamp=“1352098450”, oauth_signature=“hA9s%2B%2FnGRUc9OdUNqf5G4cQn5g0%3D”

a few moments later, the OAuth signing tool told me I should be using something like this:

Authorization: OAuth oauth_consumer_key=“09ARKva0K7HMz1DW1GUg”, oauth_nonce=“3a2881b92c790e41cf6e211124f1e099”, oauth_signature=“OlN0h3vPdPih8F%2FQbEDQth5RVZQ%3D”, oauth_signature_method=“HMAC-SHA1”, oauth_timestamp=“1352098650”, oauth_token=“185383-nxvJMkTAvYX14YRdBhEOfOUKYzcA3ZQzLqNVMMt4Nc”, oauth_version=“1.0”

Aside from the oauth_timestamp nonce and the signature are the only things that are off. And, if I understand things correctly, nonce should be okay so long as its likely to be unique for awhile. Seems like the signing mechanics are different and I should change how GTM-OAuth signs?

Any suggestions on how to proceed further debugging this?



API v1.1’s OAuth implementation is indeed much stricter. Do you know if you’re perhaps double-sending authentication detail (for instance, both as parameters as well as header values)?

My best advice is simple:

  1. Establish a baseline functional request to this endpoint. The OAuth tool on this site is probably best.
  2. Record all the variables that went into that valid request
  3. Using exact same variables but without actually making API requests, train your code (perhaps through unit testing) to produce the exact same header, signature, signature base string, and so on as the OAuth tool creates.
  4. Once you can duplicate the request nearly exactly, exercise your code with more request-specific values and try again


I have a problem wher using
this api ,the LogCat said that:11-06 16:48:28.610: W/System.err(3824): No authentication challenges found
how can I fix it in android apps?