Hey,
I hope someone can help me. I am stuck with the same problem.
This is my request:
POST https://api.twitter.com/oauth/request_token
Headers -
Authorization:
oauth_callback: oob
oauth_signature: 4yAvreUerTeHHzIjze9y5zOUHL0%3D
oauth_nonce: g2DUQtXB1tsq93VDG8/1+A==
oauth_version: 1.0
oauth_signature_method: HMAC-SHA1
oauth_consumer_key: mE7K7J1RSFK37HmESCxWXw
oauth_token:
oauth_timestamp: 1363074775
Request parameters -
The server response (including headers):
X-Runtime: 0.01961
X-Transaction: 5d6fe0fcbb98c7a8
Content-Length: 44
Expires: Tue, 31 Mar 1981 05:00:00 GMT
X-MID: 70bf59709152195c551772b7b46f81fcbfc41c81
Last-Modified: Tue, 12 Mar 2013 07:53:00 GMT
Set-Cookie: guest_id=v1%3A136307478028373239; Domain=.twitter.com; Path=/; Expires=Thu, 12-Mar-2015 07:53:00 UTC
Server: tfe
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Pragma: no-cache
Status: 401 Unauthorized
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Date: Tue, 12 Mar 2013 07:53:00 GMT
Content-Type: text/html; charset=utf-8
Protocol version: 1.1
Status line: 401 Unauthorized
Response:
Failed to validate oauth signature and token
I checked my timestamp; it is in GMT and around 5 seconds smaller than the timestamp generated by the server (including connection latency). I’m living in Germany, but submitting a GMT timestamp is correct, isn’t it?
I checked the implementation of my key & signature algorithm by Twitter’s tutorial and the examples given @ http://hueniverse.com/oauth/guide/authentication/ . It seems to work correctly…
I did not include a token at the end, but I was appending an “&”.
This is what my unencrypted signature looks like:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Doob%26oauth_consumer_key%3DmE7K7J1RSFK37HmESCxWXw%26oauth_nonce%3Dg2DUQtXB1tsq93VDG8%252F1%252BA%253D%253D%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1363074775%26oauth_token%3D%26oauth_version%3D1.0
My signature:
4yAvreUerTeHHzIjze9y5zOUHL0%3D
I am developing in Java without former twitter/oauth libraries (not applicable for my situation). I would love to see a working signature example in Java… I could also provide the application keys & secrets (that will be reset after that, of course) to let you check on my signature algorithm.
One question: Does the key have to be URLEncoded (percentage encoded) before using it to encrypt the signature?
You may find my Java code to generate the signature over here: http://paste.ubuntu.com/5607153/
(EncodeUtil.encodePercentage works, that’s for sure; EncryptionUtil.encryptHmacSHA1 works, too, I checked that with sample data and got the correct output)
Best greetings,
Martin Bories
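
For the question about the key encoding and the signature base string above, an added example (not part of the original post and not the poster's pasted code) of OAuth 1.0 HMAC-SHA1 signing as specified in RFC 5849, sections 3.4 and 3.6. With the parameter values from the post it rebuilds the base string shown there; the consumer secret is a constructed placeholder, the class and method names are hypothetical, and Java 9 or later is assumed.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class OAuth1SignatureExample {
    // RFC 5849 3.6: only A-Z a-z 0-9 - . _ ~ stay literal; everything else is %XX, uppercase hex.
    static String enc(String s) {
        StringBuilder sb = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved) sb.append((char) c);
            else sb.append(String.format("%%%02X", c));
        }
        return sb.toString();
    }

    // METHOD & enc(url) & enc(encoded pairs sorted by name, joined with "&").
    // Assumption: no repeated parameter names (a Map cannot hold them).
    static String baseString(String method, String url, Map<String, String> params) {
        TreeMap<String, String> sorted = new TreeMap<>();
        params.forEach((k, v) -> sorted.put(enc(k), enc(v)));
        StringBuilder joined = new StringBuilder();
        sorted.forEach((k, v) ->
                joined.append(joined.length() == 0 ? "" : "&").append(k).append('=').append(v));
        return method.toUpperCase() + "&" + enc(url) + "&" + enc(joined.toString());
    }

    // RFC 5849 3.4.2: key = enc(consumer secret) & enc(token secret); the "&" stays
    // even when the token secret is empty, as in the request_token step.
    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        String key = enc(consumerSecret) + "&" + enc(tokenSecret);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> p = Map.of(          // parameter values copied from the post
                "oauth_callback", "oob", "oauth_consumer_key", "mE7K7J1RSFK37HmESCxWXw",
                "oauth_nonce", "g2DUQtXB1tsq93VDG8/1+A==", "oauth_signature_method", "HMAC-SHA1",
                "oauth_timestamp", "1363074775", "oauth_token", "", "oauth_version", "1.0");
        String base = baseString("POST", "https://api.twitter.com/oauth/request_token", p);
        System.out.println(base);
        // Constructed placeholder secret; encode the Base64 result once for the header.
        System.out.println(enc(sign(base, "CONSTRUCTED_PLACEHOLDER_SECRET", "")));
    }
}
```

The set of parameters passed to baseString must be exactly the set sent in the request, and each value placed in the Authorization header is percent-encoded once with the same enc routine.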