OAuth Echo - Upload and Post


I’m currently building an API for my Twitter app and I’m using OAuth Echo. From what I understood, the oauth_signature is generated based on one endpoint and, as @episod pointed out here: https://dev.twitter.com/discussions/5947, there’s a difference between generating a signature for a GET and a POST request.

Here’s how my API works:

  1. Consumer generates an oauth_signature using the endpoint https://api.twitter.com/1/account/verify_credentials.json (GET) and then sends this together with other oauth parameters in the header to my API. An image to be uploaded and the tweet to be posted are also sent in a POST variable.

  2. I then pass the header to Twitter.

  3. If the response I receive is 200 OK, I then store the image permanently and generate a URL.

  4. Now if I try to post the tweet and URL to Twitter (http://api.twitter.com/1/statuses/update.json) I get a 401 error because obviously the oauth_signature is invalid in this case, since it was generated using the endpoint https://api.twitter.com/1/account/verify_credentials.json and not http://api.twitter.com/1/statuses/update.json.

How do I use OAuth Echo in this situation? How can I use the same authorization headers for multiple endpoints?



"How can I use the same authorization headers for multiple endpoints?"
The answer is that you cannot.

OAuth Echo allows a client (say Tweetbot) to use a third-party service (say Twitpic) to assert the current user’s identity in a way which Twitpic can verify. It does not support posting of Tweets or really much else beyond a verify_credentials call.

For my example, the flow would be:

  • Tweetbot uses its access token + key for my Twitter account to sign a request to verify_credentials.
  • Tweetbot sends image data to Twitpic along with that signed request.
  • Twitpic calls verify_credentials and parses the response to verify which Twitter account it should associate the image with.
  • Assuming Twitpic gets a valid response, it stores the image and indexes it under my Twitter account. Then it returns a URL pointing to the image to Tweetbot.
  • Tweetbot takes that URL and generates a brand new signed request to post the URL and some text to Twitter.com.

From your request, I’m not sure whether you’re Tweetbot or Twitpic. It sounds like maybe you’re trying to be both.
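An added example (not code from this thread or from Twitter) illustrating both the question and the answer above in Python: the OAuth 1.0a HMAC-SHA1 signature base string includes the HTTP method and the URL, so a header signed for GET verify_credentials cannot be reused for POST statuses/update, and the service in the Twitpic role should only relay that header to Twitter's verify_credentials endpoint. All secrets, tokens, nonce and timestamp values are constructed placeholders.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlsplit

CONSUMER_SECRET = "consumer-secret-placeholder"  # constructed placeholders
TOKEN_SECRET = "token-secret-placeholder"
VERIFY_URL = "https://api.twitter.com/1/account/verify_credentials.json"
UPDATE_URL = "http://api.twitter.com/1/statuses/update.json"
OAUTH_PARAMS = {  # constructed sample oauth_* header parameters
    "oauth_consumer_key": "consumer-key-placeholder",
    "oauth_token": "access-token-placeholder",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1300000000",
    "oauth_nonce": "constructednonce",
    "oauth_version": "1.0",
}

def pct(s):
    # RFC 5849 percent-encoding: only unreserved characters stay literal.
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # METHOD & base-URL & normalized params. Method and URL are inputs,
    # so a signature for GET verify_credentials is not valid for POST
    # statuses/update even with identical oauth_* values.
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(norm)])

def sign(method, url, oauth_params, body_params=None):
    # Consumer (Tweetbot role): HMAC-SHA1 over the base string keyed by
    # consumer secret and token secret, which the service never holds.
    params = {**oauth_params, **(body_params or {})}
    key = f"{pct(CONSUMER_SECRET)}&{pct(TOKEN_SECRET)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signatures_differ():
    # Same credentials, nonce and timestamp; only method and URL change.
    return sign("GET", VERIFY_URL, OAUTH_PARAMS) != sign(
        "POST", UPDATE_URL, OAUTH_PARAMS, {"status": "hello"})

def provider_url_acceptable(url):
    # Service (Twitpic role): relay the consumer's header only to Twitter's
    # verify_credentials endpoint over HTTPS, never to an arbitrary host.
    u = urlsplit(url)
    return (u.scheme == "https" and u.netloc == "api.twitter.com"
            and u.path == "/1/account/verify_credentials.json")
```

The service never needs the token secret: it forwards the header and trusts Twitter's 200 OK, which is why it cannot (and should not try to) mint a new signature for statuses/update on the user's behalf.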


In my case I’m like Twitpic. So from my side I just need to take the authorization header and verify that with Twitter. If I get a 200 OK response, I store the image and return the URL pointing to that image. Then it is up to the consumer (Tweetbot for example) to post the link and tweet/text to Twitter. Is that correct?


Yep, that sounds correct. You can think of it as a way for your app to verify identity without actually having access to the user account.


Ok now i understand how this works! :slight_smile:
Thanks a lot for your help Arne!


How do I get the codes for the Access Token and Access Token Secret? Can anyone here explain it properly in Russian at all?