Signing other requests with OAuth not working but Verify Credentials IS working


#1

I’m building an open source library for Android to perform all the OAuth and associated API stuff for Twitter. I was using Twitter4J but it is just way too big and Scribe is great but it is more generic Java than Android specific.

So far I have (I believe) correctly implemented the OAuth flow. I am able to get a request_token, allow the user to authorize my app, trade the verifier up for an access_token and secret and everything works great. I’m hitting the verify credentials endpoint (http://api.twitter.com/1/account/verify_credentials.json) after getting the final access_token and secret and I am correctly able to verify the user’s credentials.

Immediately after I have been trying to hit the status update endpoint (https://api.twitter.com/1.1/statuses/update.json) and the search tweets endpoint (https://api.twitter.com/1.1/search/tweets.json) but I am always getting a 401 Unauthorized.

As far as I can tell, I should be calculating and sending my Authorization header the same for the verify credentials as these other endpoints (with of course switching the baseurl and the http method in the base string when calculating the signature) so I do not understand how I can successfully get verify credentials and then fail to be authorized when hitting the other endpoints.

Verify Credentials Authorization Header (works): OAuth oauth_callback="oauth%3A%2F%2Ftwitter", oauth_consumer_key="y80PK8ZkDLahHYo6fWMdNg", oauth_nonce="1363357212353", oauth_signature="ppPMrPwFmyoJkzZr53wHlsRd10s%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1361476923", oauth_token="452251020-TS7YwS3mEZ4HZpLCTgHzJ3zEGjl9ON1rOdhkA2Cq", oauth_version="1.0"

Status Update Authorization Header (does NOT work): OAuth oauth_callback="oauth%3A%2F%2Ftwitter", oauth_consumer_key="y80PK8ZkDLahHYo6fWMdNg", oauth_nonce="1362873716048", oauth_signature="lGCX7evI098117OSjKFabDTEWNQ%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1361479439", oauth_token="452251020-TS7YwS3mEZ4HZpLCTgHzJ3zEGjl9ON1rOdhkA2Cq", oauth_version="1.0"

With status update I am sending a POST with my body params being a basic name value pair {status, thetweetiwanttosend}
and with the search endpoint I am sending a GET with query params being q=topic

Any help from you Twitter developers would be greatly appreciated and then we can finally have an Android-specific Twitter library ready to go. Thanks!


#2

account/verify_credentials doesn’t take any parameters, while the other methods you’re using do. Maybe your signature base string isn’t properly taking these parameters into account and sorting/escaping them properly?


#3

Bingo. Finally figured it out after banging my head against the wall and finally rereading how to create a signature.

Thanks a lot for the help.
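
The point made in reply #2, as an added example that is not part of the original thread: an OAuth 1.0a HMAC-SHA1 signature covers the request's query and body parameters as well as the oauth_* values, so a signature computed without them only verifies on a parameterless call such as verify_credentials. The function names and the placeholder credentials are assumptions made for the example.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    """RFC 3986 encoding used by OAuth 1.0a: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="~")

def base_string(method, url, oauth_params, request_params):
    """METHOD & encoded URL & encoded parameter string.

    request_params are the query-string and form-body pairs; they are signed
    together with the oauth_* values (oauth_signature itself is excluded)."""
    pairs = [(pct(k), pct(v)) for k, v in
             list(oauth_params.items()) + list(request_params.items())
             if k != "oauth_signature"]
    pairs.sort()  # by encoded name, then by encoded value
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(param_string)])

def sign(base, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def server_accepts(signature, method, url, oauth_params, request_params, cs, ts):
    """What the API side does: rebuild the base string from the request it
    actually received and compare in constant time. A mismatch is a 401."""
    expected = sign(base_string(method, url, oauth_params, request_params), cs, ts)
    return hmac.compare_digest(expected, signature)

# Constructed sample values, not real credentials.
OAUTH = {
    "oauth_consumer_key": "CONSUMER_KEY_PLACEHOLDER",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1300000000",
    "oauth_token": "TOKEN_PLACEHOLDER",
    "oauth_version": "1.0",
}
CS, TS = "consumer-secret-placeholder", "token-secret-placeholder"
URL = "https://api.twitter.com/1.1/statuses/update.json"
BODY = {"status": "Hello world & more!"}

if __name__ == "__main__":
    bad = sign(base_string("POST", URL, OAUTH, {}), CS, TS)       # body left out
    good = sign(base_string("POST", URL, OAUTH, BODY), CS, TS)    # body signed
    print(server_accepts(bad, "POST", URL, OAUTH, BODY, CS, TS))   # False
    print(server_accepts(good, "POST", URL, OAUTH, BODY, CS, TS))  # True
```

Note the double encoding: the status value is percent-encoded once when the parameter string is built and again when that string becomes the third field of the base string, which is why a space ends up as `%2520`.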