Trying to use POST oauth/request_token but getting {"errors":[{"code":32,"message":"Could not authenticate you."}]}

oauth
api

#1

This error looks pretty common, but after researching I couldn’t find a solution that solves it for me.

I’m trying to obtain a request token, so that later I can obtain a user access token. I’m following these from the docs. I’d also like to use PIN based authentication, so I set the callback to oob.

I’m obtaining the error 32 - “Could not authenticate you”.

I might have implemented something wrong, but I couldn’t find where.

Here’s what I have so far. Using C++.

Signature base string:

POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_consumer_key%3DS9gU9pBsB4KL9mUuBhVyzI1wi%26oauth_nonce%3DPWxv2xkpFCNxmsduuqHZuR9DPjNIh6Mw%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1497623562%26oauth_version%3D1.0

This is what I obtained from http://quonos.nl/oauthTester/ (all OK):

Method: POST
URL: https://api.twitter.com/oauth/request_token
oauth_consumer_key: S9gU9pBsB4KL9mUuBhVyzI1wi
oauth_nonce: PWxv2xkpFCNxmsduuqHZuR9DPjNIh6Mw
oauth_signature_method: HMAC-SHA1
oauth_timestamp: 1497623562
oauth_version: 1.0

Signature key:

**************************************************&

oauth_signature:

WIbsRQs8szI/5o+vwHgHa33a2R0=

I tested the signature generation as said here and I obtained the expected signature.

Authorization header:

OAuth oauth_nonce="PWxv2xkpFCNxmsduuqHZuR9DPjNIh6Mw", oauth_callback="oob", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1497623562", oauth_consumer_key="S9gU9pBsB4KL9mUuBhVyzI1wi", oauth_signature="WIbsRQs8szI%2F5o%2BvwHgHa33a2R0%3D", oauth_version="1.0"

Request URL:

https://api.twitter.com/oauth/request_token

I have a few questions that could give what I’m doing wrong:

  1. How should the nonce be generated? In my implementation I just obtained 32 random alphanumeric characters. I remember reading something about converting to base64 after, is it necessary? If I do that, I end up with 44 characters. Should I then url encode the base64 conversion?
  2. When should I convert to UTF-8? For url encoding I’m just appending a % and then the char conversion to hex.

Thanks!


#2

I’m still trying to figure out what could be wrong in my request. I tried setting the consumer_key, consumer_secret, nonce and timestamp the same as in Implementing Sign in with Twitter, in order to see if I would build the same request.

What could probably be built wrongly in my request was the signature, so I tried checking it first. As said in the authorization from the docs (from before) the signature for the base string + key is:

oauth_signature="F1Li3tvehgcraF8DMJ7OyxO4w9Y%3D"

I expected to obtain the same signature, since every parameter was the same, but in fact I obtained this signature:

%2FG%2FPJczMcszvW4G6eVtpMNkzMng%3D

So first I thought my signing algorithm was off, so I tried this HMAC-SHA1 online tool. I inserted my signature base string and my signature key, and the signature for the tool was the same as I’ve obtained, so it’s probably not my signing algorithm.

Since the key is pretty obvious ("key"+"&"), the only thing that could be different from the docs signature could be the signature base string parameters. Now I can’t say, since the docs don’t tell much about what parameters to use.

I’m building the signature as such:

// Parameters from the docs link above
oauth_consumer_key = "cChZNFj6T5R0TigYB9yd1w";
oauth_consumer_secret = "L8qq9PZyRg6ieKGEKhZolGC0vJWLw8iEJ88DRdyOg";
token_secret = "";
nonce = "ea9ec8429b68d6b77cd5600adbbb0456";
timestamp = "1318467427";
HTTP_METHOD = "POST";
signature_method = "HMAC-SHA1";
normalized_url = "https://api.twitter.com/oauth/request_token";

parameters_string = "oauth_consumer_key=" + urlencode(*consumer_key) + "&" +
                    "oauth_nonce=" + urlencode(*nonce) + "&" +
                    "oauth_signature_method=" + signature_method + "&" +
                    "oauth_timestamp=" + timestamp + "&" +
                    "oauth_version=" + "1.0";

signature_base_string += HTTP_METHOD; // "POST"
signature_base_string += "&";
signature_base_string += urlencode(*normalized_url); // "https://api.twitter.com/oauth/request_token"
signature_base_string += "&";
signature_base_string += urlencode(*parameters_string); // as seen above

signature_key = urlencode(consumer_secret) + "&" + urlencode(token_secret);

// Signing algorithm uses signature_base_string and signature_key to obtain the signature

Am I missing parameters here? Am I url encoding as I should be (assuming url encoding is implemented correctly)?

Thanks!
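
Added example, not part of any post in this thread and not Twitter's code: a C++ construction of the RFC 5849 section 3.4.1 signature base string, using the values from post #1 and answering the encoding question with byte-wise RFC 3986 percent-encoding. RFC 5849 includes every `oauth_` parameter sent in the Authorization header except `oauth_signature`, so the `with_callback` switch shows how the base string changes once the `oauth_callback="oob"` from the posted header is counted. The function names and `with_callback` are assumptions of this example, and the HMAC-SHA1 step is left to the signing code already in use.

```cpp
#include <algorithm>
#include <string>
#include <utility>
#include <vector>

using Params = std::vector<std::pair<std::string, std::string>>;

// RFC 5849 section 3.6: encode the UTF-8 bytes one by one, leaving only
// A-Z a-z 0-9 - . _ ~ unescaped, with uppercase hex digits.
std::string percent_encode(const std::string& utf8) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : utf8) {
        bool unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                          (c >= '0' && c <= '9') || c == '-' || c == '.' ||
                          c == '_' || c == '~';
        if (unreserved) { out += static_cast<char>(c); continue; }
        out += '%'; out += hex[c >> 4]; out += hex[c & 0x0F];
    }
    return out;
}

// RFC 5849 section 3.4.1: params holds every parameter sent with the request
// (Authorization header, query string, form body) except oauth_signature.
std::string signature_base_string(const std::string& method,
                                  const std::string& url, Params params) {
    for (auto& kv : params)
        kv = {percent_encode(kv.first), percent_encode(kv.second)};
    std::sort(params.begin(), params.end());  // by encoded name, then value
    std::string joined;
    for (const auto& kv : params) {
        if (!joined.empty()) joined += '&';
        joined += kv.first + "=" + kv.second;
    }
    return method + "&" + percent_encode(url) + "&" + percent_encode(joined);
}

// Values copied from post #1; with_callback mirrors the posted header.
std::string request_token_base_string(bool with_callback) {
    Params p = {{"oauth_consumer_key", "S9gU9pBsB4KL9mUuBhVyzI1wi"},
                {"oauth_nonce", "PWxv2xkpFCNxmsduuqHZuR9DPjNIh6Mw"},
                {"oauth_signature_method", "HMAC-SHA1"},
                {"oauth_timestamp", "1497623562"}, {"oauth_version", "1.0"}};
    if (with_callback) p.emplace_back("oauth_callback", "oob");
    const std::string url = "https://api.twitter.com/oauth/request_token";
    return signature_base_string("POST", url, p);
}
```

With `with_callback` false the result is the base string shown in post #1; with it true, `oauth_callback%3Doob` sorts to the front of the parameter section, so the two inputs to HMAC-SHA1 differ.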


#3

I’m sorry, I don’t understand why I have no replies. I’ve been stuck with this issue since the thread was created. Should I provide more information?


#4

Hi Matheus,

I am stuck at the same point. I keep getting code 32. Can you please post the solution if you have found it? I would really appreciate that.

Thanks!