request_token fails with 401 (Unauthorized) for one particular callback url only


#1

I have a strange issue. When trying to request a token, for one particular callback url, the request is failing with a 401 unauthorized response.

The url I am trying to callback to is:

http://in2touchsa.spawtz.com/SpawtzApp/ConfigSettings/TwitterCallback.aspx?AssociationLevelId=4&AssociatedItemId=47

The url I am posting the request to is:

https://api.twitter.com/oauth/request_token

The “Authorization” header looks like this when it is encoded:

OAuth realm="Twitter API",oauth_callback="http%3A%2F%2Fin2touchsa.spawtz.com%2FSpawtzApp%2FConfigSettings%2FTwitterCallback.aspx%3FAssociationLevelId%3D4%26AssociatedItemId%3D47",oauth_consumer_key="{key}",oauth_nonce="{nonce}",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1380041280",oauth_version="1.0",oauth_signature="{Signature}"

I’ve removed the consumer key, nonce and signature values as I’m not 100% sure how sensitive those items are. If you need to see those as well, I can post them accordingly.

When I make the call on a dev machine with the callback url as http://localhost/SpawtzApp/ConfigSettings/TwitterCallback.aspx?AssociationLevelId=4&AssociatedItemId=47, it works fine. When I make the call on the live machine with the callback url as http://urban5occer.spawtz.com/SpawtzApp/ConfigSettings/TwitterCallback.aspx?AssociationLevelId=4&AssociatedItemId=47, it works fine. It even works fine when the callback url is http://in2touch.spawtz.com//SpawtzApp/ConfigSettings/TwitterCallback.aspx?AssociationLevelId=4&AssociatedItemId=47 (i.e., without the SA on the first part of the subdomain).

In the app settings for the application, the callback url is set as http://www.spawtz.com. The time on the server is correct, and it works fine for other sites. It’s only that url with the “in2touch” in it that fails - what can I be missing here?

It looks to me like there is some issue with the decoding on the twitter side when trying to decode that Authorization header?

Thanks for your help.

Kind regards,

Matt


#2

Interesting.

What does the oauth_callback value look like in the OAuth signature basestring? (The intermediate step to creating a signature).

I really recommend using spaces between your comma-separated, quoted values in the authorization header – it shouldn’t make a difference here, but it might.

What else does your library do? Do you know if you’re sending oauth_callback as a query parameter as well as part of your auth header?


#3

In the OAuth signature basestring, the oauth_callback value looks like this:

POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Fin2touchsa.spawtz.com%252FSpawtzApp%252FConfigSettings%252FTwitterCallback.aspx%253FAssociationLevelId%253D4%2526AssociatedItemId%253D47%26oauth_consumer_key%3DaLEw8cAs35ucJcdJSJMRw%26oauth_nonce%3D37ab56cc-2eb9-4e85-a20c-acf51edfc774%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1380725820%26oauth_version%3D1.0

I’ve added spaces between the values in the authorization header now, so it now looks like:

OAuth realm="Twitter API", oauth_callback="http%3A%2F%2Fin2touchsa.spawtz.com%2FSpawtzApp%2FConfigSettings%2FTwitterCallback.aspx%3FAssociationLevelId%3D4%26AssociatedItemId%3D47", oauth_consumer_key="REDACTED", oauth_nonce="b3296e09-b5a7-4774-80a9-a62041e7cc5e", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1380726231", oauth_version="1.0", oauth_signature="REDACTED"

That didn’t make any difference.

When you ask if I’m sending oauth_callback as a query parameter as well as part of the auth header, do you mean in the URL that I am posting to on Twitter? If so, then no, I’m posting to “https://api.twitter.com/oauth/request_token”, with no query string parameters.

What’s so weird though is that if I do it with almost any other value as the subdomain in the callback url, it works fine. And it had been working fine for years and only stopped working on the 21st of September (or rather, that’s the most recent time someone from that organisation has tried to authorise a twitter account on their site). Strange.
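The exchange above turns on how the OAuth 1.0a signature base string and the Authorization header are built from the same parameters: the callback URL is percent-encoded once in the header and twice in the base string (hence the %253A%252F%252F in post #3), and the HMAC-SHA1 key is consumer secret and token secret joined with "&". The following is an added example, not the original poster's library and not Twitter's code. It reproduces the base string from post #3 using the parameters shown there, and adds a small parser/verifier to show the check the server side performs, which is the first thing to test locally when a 401 appears for one callback only. The consumer secret is a placeholder, since the real one is never shown on the page.

```python
"""OAuth 1.0a request_token signing and verification (added example).

Parameter values marked 'from post #3' are copied from the thread above;
CONSUMER_SECRET is a made-up placeholder because the real secret is not on the page.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

METHOD = "POST"
URL = "https://api.twitter.com/oauth/request_token"

# From post #3 (oauth_signature is derived, so it is not listed here).
PARAMS = {
    "oauth_callback": "http://in2touchsa.spawtz.com/SpawtzApp/ConfigSettings/"
                      "TwitterCallback.aspx?AssociationLevelId=4&AssociatedItemId=47",
    "oauth_consumer_key": "aLEw8cAs35ucJcdJSJMRw",
    "oauth_nonce": "37ab56cc-2eb9-4e85-a20c-acf51edfc774",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1380725820",
    "oauth_version": "1.0",
}
CONSUMER_SECRET = "placeholder-consumer-secret"  # hypothetical, not the real secret


def pct(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~
    stay bare, so ':', '/', '?', '=', '&' in a callback URL are all escaped."""
    return quote(str(s), safe="-._~")


def normalized_params(params: dict) -> str:
    """Encode each key and value, sort the encoded pairs, join with '=' and '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&pct(url)&pct(normalized params); the second pct() is what produces
    %253A, %252F and %2526 for a callback URL."""
    return "&".join([method.upper(), pct(url), pct(normalized_params(params))])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is pct(consumer_secret)&pct(token_secret); token secret is empty for request_token."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    mac = hmac.new(key, base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def authorization_header(params: dict, signature: str, realm: str = "Twitter API") -> str:
    """Header form: each value percent-encoded once and quoted, comma separated."""
    items = sorted({**params, "oauth_signature": signature}.items())
    body = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in items)
    return f'OAuth realm="{realm}", {body}'


def parse_authorization_header(header: str) -> dict:
    """Inverse of authorization_header: decoded oauth_* parameters, realm dropped.
    Splitting on ',' is safe because any comma in a value is encoded as %2C."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0 Authorization header")
    params = {}
    for part in header[len("OAuth "):].split(","):
        key, _, value = part.strip().partition("=")
        if key == "realm":
            continue
        params[unquote(key)] = unquote(value.strip('"'))
    return params


def verify(method: str, url: str, header: str, consumer_secret: str, token_secret: str = "") -> bool:
    """What the server does: rebuild the base string from the decoded header and
    compare signatures in constant time. Any mismatch in encoding yields a 401."""
    params = parse_authorization_header(header)
    presented = params.pop("oauth_signature", "")
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def build_request(params: dict = PARAMS, consumer_secret: str = CONSUMER_SECRET):
    """Return (base string, Authorization header) for a request_token call."""
    base = signature_base_string(METHOD, URL, params)
    return base, authorization_header(params, hmac_sha1_signature(base, consumer_secret))


if __name__ == "__main__":
    base, header = build_request()
    print(base)
    print(header)
    print("self-verifies:", verify(METHOD, URL, header, CONSUMER_SECRET))
```

Running this prints the same base string as in post #3, which confirms that the client-side encoding of the in2touchsa callback is correct; the verifier then shows the two things that would make Twitter reject it: the signature being computed with a different secret, or the decoded callback differing from what was signed.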


#4

Can anyone shed any light on this situation please?