I have to develop my own library to make calls to the Twitter API. Everything was working fine (signed requests, Application-only authentication…) until I tried to implement PIN-based authentication.
I got the entire authentication flow working: getting a request token, redirecting the user to get a PIN, logging them in and posting requests on their behalf. Here is the catch: I cannot manage to properly sign requests to oauth/request_token.
Normally at that step of the authentication, you don’t yet have an OAuth token secret, so there are 2 choices:
- Use Application-only authentication, which doesn’t require the token. This gives me a “Request token failed” error at https://api.twitter.com/oauth/access_token. Requests to other URLs work fine.
- Use the usual OAuth authorized request format, with a signature in the header. The API says:
Note that there are some flows, such as when obtaining a request token, where the token secret is not yet known. In this case, the signing key should consist of the percent encoded consumer secret followed by an ampersand character ‘&’
Doing this returns an “Invalid or expired token” error. Adding an existing token secret after the & makes the request successful. What am I missing? Should I use 1 or 2?
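
For reference, an added example (not part of the original post and not Twitter's code) of how the quoted signing-key rule fits into an OAuth 1.0a HMAC-SHA1 signature for oauth/request_token, following RFC 5849. The consumer key, consumer secret, nonce and timestamp are constructed values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"


def pct(value):
    # RFC 3986 percent-encoding: only unreserved characters stay literal.
    return quote(value, safe="-._~")


def signing_key(consumer_secret, token_secret=""):
    # No token secret yet: the key is "<encoded consumer secret>&".
    return pct(consumer_secret) + "&" + pct(token_secret)


def request_token_params(consumer_key, nonce, timestamp):
    # RFC 5849 section 2.1: no oauth_token here; "oob" marks an out-of-band (PIN) callback.
    return {
        "oauth_callback": "oob",
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_version": "1.0",
    }


def base_string(method, url, params):
    # Encode keys and values, sort, join as k=v pairs, then encode the joined string again.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    key = signing_key(consumer_secret, token_secret).encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def authorization_header(params, signature):
    # Every parameter that was signed is sent, plus the signature itself.
    fields = dict(params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))


# Constructed sample values, not real credentials.
PARAMS = request_token_params("CONSTRUCTED_KEY", "constructednonce", "1700000000")
SIGNATURE = sign("POST", REQUEST_TOKEN_URL, PARAMS, "constructed/secret")
HEADER = authorization_header(PARAMS, SIGNATURE)
```

The header and the base string must carry exactly the same parameter set; a parameter present in one but not the other changes the signature the server computes.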