Oauth/authorize redirects to twitter.com instead of the specified callback


#1

I’m trying to use JAX-RS (Jersey) for OAuth flow.

request_token works fine, the app authorizes, but then instead of redirecting to the specified callback_url (specified in the request_token), the app is directed to twitter.com. Seems like I’m missing something really basic. Any idea ?

Arun


#2

What’s the exact URL you’re being redirected to? Are you passing a full URL for the callback parameter, or a relative path?


#3

It’s funny how you ask a question and then realize the answer right away. That’s what happened with me, there was a problem in my code, I fixed it and then it started working fine. Redirection to twitter.com was confusing though.

Anyway, now the following request is failing for authorization:

1 > GET https://api.twitter.com/1/statuses/user_timeline.json?include_entities=true&include_rts=true&screenname=twitterapi&count=2
1 > Authorization: OAuth oauth_signature="IaUJjcRK6gKqs%2B3TB2mTWp5D37I%3D", oauth_version="1.0", oauth_nonce="NONCE", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="CONSUMER-EY", oauth_token="12387972-5cIapia5dUsRUcINmIhAZNB9bflVN6-LAST-FEW-DIGITS", oauth_timestamp="1326139441"

Fails using curl as well.

When the signature is generated using OAuth Tool of twitter, then it passes successfully. And the curl CLI also works.

Do you see any apparent difference between the two command invocations ?


#4

Unfortunately it’s not possible to determine whether a given signature is valid without knowing the consumer secret. There’s nothing very obvious wrong with the header from a superficial look.

I would say make sure you’re signing the parameters in the request as well (include_entities, include_rts, etc). Double check the OAuth documentation (https://dev.twitter.com/docs/auth/authorizing-request) to verify that you’re following all the steps correctly (I just added a note to the signature docs indicating that you need to sort parameters before building your signature base string).

If you can post the full response to the failing request, that may give some more hints.


#5

Thanks, Here is the request_token …

INFO: 1 * Client out-bound request
1 > POST https://api.twitter.com/oauth/request_token
1 > Authorization: OAuth oauth_callback="http%3A%2F%2Flocalhost%3A8080%2Ftwitter%2FOAuthCallback", oauth_signature="vcz%2BPP70md31dgT2OkswJl3CIgg%3D", oauth_version="1.0", oauth_nonce="ec08c720-4941-4ab2-ab75-c9da0add28d8", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="8e2oGgzj5t9G4LmvDejYTg", oauth_timestamp="1326475695"

INFO: 1 * Client in-bound response
1 < 200
1 < X-Runtime: 0.01677
1 < ETag: "6621ab904d95fe8030b0330fa4a14854"
1 < X-Transaction: 72fab273c220fae7
1 < Content-Length: 141
1 < X-MID: 1ad0e1babd5de3dd906438498affc3fe57552b48
1 < Expires: Tue, 31 Mar 1981 05:00:00 GMT
1 < Last-Modified: Fri, 13 Jan 2012 17:28:15 GMT
1 < X-Revision: DEV
1 < Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCAfXHNg0AToHaWQiJTUyZjg3MDRkN2QwZjdi%250AYWJkNGJmMDJlZmFiN2NmYzczIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA–fb4e77c43fbf58847bcdb9cc2ed9b878026c72b1; domain=.twitter.com; path=/; HttpOnly
1 < Set-Cookie: guest_id=v1%3A132647569587841417; domain=.twitter.com; path=/; expires=Mon, 13-Jan-2014 05:28:15 GMT
1 < Set-Cookie: k=10.35.47.123.1326475695869380; path=/; expires=Fri, 20-Jan-12 17:28:15 GMT; domain=.twitter.com
1 < Server: tfe
1 < Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
1 < Pragma: no-cache
1 < Status: 200 OK
1 < X-Frame-Options: SAMEORIGIN
1 < Date: Fri, 13 Jan 2012 17:28:15 GMT
1 < Vary: Accept-Encoding
1 < Content-Type: text/html; charset=utf-8
1 <
oauth_token=tiIFgo92aN737y1ZIBqAyRy037iXgZcuSxoGkZxs&oauth_token_secret=xXajFDvgFS38pWoDjoUAk4hAXfQUcJLRrEoD9JE&oauth_callback_confirmed=true

After authorization with https://api.twitter.com/oauth/authorize?oauth_token=tiIFgo92aN737y1ZIBqAyRy037iXgZcuSxoGkZxs and redirection, here is the request for access_token …

INFO: 1 * Client out-bound request
1 > POST https://api.twitter.com/oauth/access_token
1 > Authorization: OAuth oauth_signature="ra7%2FrhcvcnEaUMiFQ%2B79p%2FcrNMg%3D", oauth_version="1.0", oauth_nonce="a8f6e47c-c52d-4f81-9cc3-52a6cf68ea92", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="8e2oGgzj5t9G4LmvDejYTg", oauth_token="tiIFgo92aN737y1ZIBqAyRy037iXgZcuSxoGkZxs", oauth_verifier="P9lwN5mhKtsl9hBLaDTZerXkps3JhTtvoUPxKdUXr0", oauth_timestamp="1326475943"

INFO: 1 * Client in-bound response
1 < 200
1 < X-Runtime: 0.05490
1 < ETag: "4fa25a23a6ee62e424c6b0308ef6b585"
1 < X-Transaction: 4ec9f909837f1701
1 < Content-Length: 163
1 < X-MID: cf58132e2767288464d1c31ade45712a0241c903
1 < Expires: Tue, 31 Mar 1981 05:00:00 GMT
1 < Last-Modified: Fri, 13 Jan 2012 17:32:24 GMT
1 < X-Revision: DEV
1 < Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCMKjINg0AToHaWQiJTkzZjlkOWJlOTIyMDAx%250AYzhmNzgxYTFiOWNkZTk4MDZjIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA–09ae5972e7987336c52779ef812a36b3d966b987; domain=.twitter.com; path=/; HttpOnly
1 < Set-Cookie: guest_id=v1%3A132647594489779974; domain=.twitter.com; path=/; expires=Mon, 13-Jan-2014 05:32:24 GMT
1 < Set-Cookie: k=10.35.24.138.1326475944891136; path=/; expires=Fri, 20-Jan-12 17:32:24 GMT; domain=.twitter.com
1 < Server: tfe
1 < Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
1 < Pragma: no-cache
1 < Status: 200 OK
1 < X-Frame-Options: SAMEORIGIN
1 < Date: Fri, 13 Jan 2012 17:32:24 GMT
1 < Vary: Accept-Encoding
1 < Content-Type: text/html; charset=utf-8
1 <
oauth_token=12387972-tRzHZ57HGKohKDzpG3D7eAWeZK8No0v1RkZKXrXZR&oauth_token_secret=kfCuKV4xc8EoSsedhOS0FW9DxHTRWu09GzJLtZdtHA&user_id=12387972&screen_name=arungupta

The “screen_name” in the response seems to indicate that “arungupta” (that is me) is successfully authorized. And then finally …

INFO: 1 * Client out-bound request
1 > GET https://api.twitter.com/1/statuses/user_timeline.json?include_entities=true&include_rts=true&screen_name=arungupta&count=10
1 > Authorization: OAuth oauth_signature="%2BQZ1IsE%2FUnHuE%2F56sf8xa7y3lFE%3D", oauth_version="1.0", oauth_nonce="2d7f6dab-61d2-4f67-afff-33277bf4c8b2", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="8e2oGgzj5t9G4LmvDejYTg", oauth_token="12387972-tRzHZ57HGKohKDzpG3D7eAWeZK8No0v1RkZKXrXZR", oauth_timestamp="1326475945"

INFO: 1 * Client in-bound response
1 < 200
1 < X-Runtime: 0.08044
1 < ETag: "6bb8d1e8f611ecb08fe9c981ad96467a"
1 < X-Transaction: 3fbfb97dfb8f7ca8
1 < X-RateLimit-Limit: 150
1 < X-RateLimit-Remaining: 124
1 < Content-Length: 21955
1 < X-MID: 9854078cee27efd25b37a2633dcc8833cbc1d101
1 < Expires: Tue, 31 Mar 1981 05:00:00 GMT
1 < Last-Modified: Fri, 13 Jan 2012 17:32:25 GMT
1 < X-RateLimit-Reset: 1326478056
1 < X-RateLimit-Class: api
1 < X-Revision: DEV
1 < Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCAanINg0AToHaWQiJTQzMGE2OTQ5NDdlYzk2%250AMzczODJhNzk1MGZhNWI2MGYxIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA–a7e78d7269f56c6a5f1b241b74aed2893a4613a4; domain=.twitter.com; path=/; HttpOnly
1 < Set-Cookie: guest_id=v1%3A132647594572622786; domain=.twitter.com; path=/; expires=Mon, 13-Jan-2014 05:32:25 GMT
1 < Set-Cookie: k=10.35.24.138.1326475945722775; path=/; expires=Fri, 20-Jan-12 17:32:25 GMT; domain=.twitter.com
1 < Server: tfe
1 < X-Warning: Invalid OAuth credentials detected
1 < Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
1 < Pragma: no-cache
1 < Status: 200 OK
1 < X-Frame-Options: SAMEORIGIN
1 < Date: Fri, 13 Jan 2012 17:32:25 GMT
1 < Vary: Accept-Encoding
1 < Content-Type: application/json; charset=utf-8
1 < X-Transaction-Mask: a6183ffa5f8ca943ff1b53b5644ef1143ae2f9b7
1 <

And then follows the response because this API does not require authorization. But the X-Warning header indicates that authorization did not succeed.

Any clues ?


#6

Could you share your signature base string for the last request?


#7

I just pass the parameters to the Jersey APIs and then they generate the signature for me. Do you suspect sorting of elements might be an issue ?


#8

What happens if you issue a request without parameters to account/verify_credentials? Does that request succeed? If that succeeds, then indeed it’s likely something with how the library is processing the parameters. If that request does not succeed, then there might be something going wrong in how the library is building signatures or the composite signing key (making use of the consumer secret and oauth_token_secret).


#9

account/verify_credentials does not succeed. Here is the request:

1 > GET https://api.twitter.com/1/account/verify_credentials.json
1 > Authorization: OAuth oauth_signature="AjxxWZZCh1Hw120Cwj2UNCi67lg%3D", oauth_version="1.0", oauth_nonce="dcd179ce-a7a3-4e02-b0fe-2e3d7a91f0ce", oauth_signature_method="HMAC-SHA1", oauth_consumer_key="8e2oGgzj5t9G4LmvDejYTg", oauth_token="12387972-tRzHZ57HGKohKDzpG3D7eAWeZK8No0v1RkZKXrXZR", oauth_timestamp="1326492529"

and the response:

1 < 401
1 < Status: 401 Unauthorized
1 < X-Runtime: 0.00979
1 < WWW-Authenticate: OAuth realm="https://api.twitter.com"
1 < Date: Fri, 13 Jan 2012 22:08:50 GMT
1 < Vary: Accept-Encoding
1 < Content-Length: 96
1 < Expires: Fri, 13 Jan 2012 22:13:50 GMT
1 < Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCN21Hdk0AToHaWQiJWQyMjQ1NDE5YzFhYmE2%250AZjliNDhjNmU3YzY0MzM1MzAzIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA–e67fd9a268e04760b62da818744d8a0620fac6bb; domain=.twitter.com; path=/; HttpOnly
1 < Set-Cookie: guest_id=v1%3A132649253013324650; domain=.twitter.com; path=/; expires=Mon, 13-Jan-2014 10:08:50 GMT
1 < Set-Cookie: k=10.34.234.116.1326492530129358; path=/; expires=Fri, 20-Jan-12 22:08:50 GMT; domain=.twitter.com
1 < Content-Type: application/json; charset=utf-8
1 < Server: tfe
1 < Cache-Control: no-cache, max-age=300
1 <
{"error":"Could not authenticate with OAuth.","request":"/1/account/verify_credentials.json"}

Let me check on how the signatures are generated in the library and then will get back.

Thanks for the help!


#10

I have a feeling your signatures may be correct here but that somehow the access token you’re using isn’t correct – are the oauth_token and oauth_token_secret values used in this request definitely the same access tokens received directly after authorizing? Is there any chance you’ve invalidated these tokens by re-authenticating or issuing a “my access token” before utilizing them?


#11

Thanks @episod and @kurrik!

Going through the code I realized that consumer secret was not passed when the xxx_token requests were made. Fixed that and now authorization is working.

Planning on releasing a Java API for Twitter based on JAX-RS, can be used with any Java application easily. Would appreciate your feedback and will post a message to the forum as well anyway.

Thanks for all the help.
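Added example, not part of the thread and not Jersey's code: a minimal OAuth 1.0a HMAC-SHA1 signer showing the two failure causes discussed above, an empty consumer secret in the signing key and query parameters left out of the base string. All keys, secrets, tokens and the screen name are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    """Percent-encode per RFC 3986: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")

def base_string(method, url, oauth_params, body_params=()):
    """Signature base string: METHOD & encoded URL & encoded, sorted parameters."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # query string is signed too
    pairs += list(oauth_params.items()) + list(body_params)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    base_url = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = base_string(method, url, oauth_params, body_params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def server_accepts(signature, method, url, oauth_params, consumer_secret, token_secret):
    """Provider side: recompute with the stored secrets, compare in constant time."""
    expected = sign(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values, shaped like the user_timeline request in the thread.
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"
URL = ("https://api.twitter.com/1/statuses/user_timeline.json"
       "?include_entities=true&include_rts=true&screen_name=example_user&count=10")
OAUTH = {
    "oauth_consumer_key": "CONSTRUCTED_KEY", "oauth_token": "CONSTRUCTED_TOKEN",
    "oauth_nonce": "constructed-nonce", "oauth_timestamp": "1300000000",
    "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
}

def demo():
    """Sign three ways and report which signatures the provider would accept."""
    def check(sig):
        return server_accepts(sig, "GET", URL, OAUTH, CONSUMER_SECRET, TOKEN_SECRET)
    good = sign("GET", URL, OAUTH, CONSUMER_SECRET, TOKEN_SECRET)
    no_consumer_secret = sign("GET", URL, OAUTH, "", TOKEN_SECRET)
    query_not_signed = sign("GET", URL.split("?")[0], OAUTH, CONSUMER_SECRET, TOKEN_SECRET)
    return {"correct": check(good),
            "empty_consumer_secret": check(no_consumer_secret),
            "query_not_signed": check(query_not_signed)}

if __name__ == "__main__":
    print(base_string("GET", URL, OAUTH))
    print(demo())
```

Printing the base string from the client and comparing it with the one an independent implementation produces for the same inputs is the quickest way to tell a parameter-handling problem from a wrong signing key.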


#12

Hey @episod and @kurrik,

I have a similar problem. I’m trying to mine data using R.
Everything works fine until I get to where it asks me:

To enable the connection, please direct your web browser to:
http://api.twitter.com/oauth/authorize?oauth_token=H0Ke0Ru7X7LK2OC7k3oWrV6pyw2e8rRDU3oBZpwg
When complete, record the PIN given to you and provide it here:

I follow the link and authorize using my account. However, rather than redirecting me to a twitter page with the PIN, it takes me to example.com.

I can’t figure out what’s wrong. I am running exactly the same script found in this tutorial,
http://youtu.be/mJVcANlkxU8?t=5m38s but as you can see, at 5.38 they get a PIN.

I would truly appreciate any help with this.

Here is my script:

library(ROAuth)  # provides OAuthFactory

# OAuth endpoints and application credentials
requestURL <- "https://api.twitter.com/oauth/request_token"
accessURL = "http://api.twitter.com/oauth/access_token"
authURL = "http://api.twitter.com/oauth/authorize"
consumerKey = "XXX"
consumerSecret = "XXX"
Cred <- OAuthFactory$new(consumerKey=consumerKey,
                         consumerSecret=consumerSecret,
                         requestURL=requestURL,
                         accessURL=accessURL,
                         authURL=authURL)

# Runs the request_token / authorize / access_token exchange and prompts for the PIN
Cred$handshake(cainfo = system.file("CurlSSL", "cacert.pem", package = "RCurl"))


#13

On the request token step, consider adding an explicit oauth_callback value of oauth_callback=oob which will force your application into “out of band” auth mode. You may also want to remove any placeholder callback you’ve associated with your application record (such as “http://example.com”).


#14

It never worked. It is still taking me to
Example Domain

This domain is established to be used for illustrative examples in documents. You may use this domain in examples without prior coordination or asking for permission.

More information…



#16

POST /1/statuses/update.json?include_entities=true HTTP/1.1
Accept: */*
Connection: close
User-Agent: OAuth gem v0.4.4
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Host: api.twitter.com

status=Hello%20Ladies%20%2b%20Gentlemen%2c%20a%20signed%20OAuth%20request%21

