Twitter login required signature?


#1

Well, it seems that if I want to sign in with Twitter https://dev.twitter.com/docs/auth/implementing-sign-twitter I need to provide a “signature”. So I can get access_token and access_token_secret.

But creating a signature https://dev.twitter.com/docs/auth/creating-signature means I need to provide access_token_secret (using it on the signing key), which I can’t have if I previously request it.

So what’s up? I always get The remote server returned an error: (401) Unauthorized., even using the access_token_secret generated by the Application Interface.

Should I create signature key in some other way?


#2

You need different pieces of information at different times in OAuth. Sometimes they’re named the same thing – oauth_token and oauth_token_secret are together called an access token. But they also could be a request token.

In the first step of OAuth you call oauth/request_token. You don’t have an oauth_token or oauth_token_secret yet on that step, but as you said, oauth_token_secret is part of the signing algorithm. When you don’t have this value, it’s just the equivalent of an empty string, so the signing key effectively becomes “consumerSecret&” instead of “consumerSecret&oauthTokenSecret”.
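
The signing-key rule from the answer above, as an added example that is not part of the original thread: an OAuth 1.0a HMAC-SHA1 signer that builds the key with an empty token secret for the oauth/request_token step and shows that including a token secret changes the signature. The credentials, nonce, timestamp and callback are constructed sample values, and the full endpoint URL is an assumption.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    """RFC 3986 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def signing_key(consumer_secret, token_secret=""):
    """The '&' is always present; a missing token secret is an empty string."""
    return pct(consumer_secret) + "&" + pct(token_secret)

def base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted 'k=v' pairs joined with '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, base64-encoded (the oauth_signature)."""
    key = signing_key(consumer_secret, token_secret).encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

# Constructed sample values, not real credentials.
CONSUMER_SECRET = "constructed-consumer-secret"
DASHBOARD_TOKEN_SECRET = "constructed-access-token-secret"
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"  # assumed URL
REQUEST_TOKEN_PARAMS = {
    "oauth_callback": "https://client.example/callback",
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_nonce": "constructednonce0001",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1300000000",
    "oauth_version": "1.0",
}

# Step 1 (oauth/request_token): no token secret exists yet, so the key ends in "&".
SIG_STEP1 = sign("POST", REQUEST_TOKEN_URL, REQUEST_TOKEN_PARAMS, CONSUMER_SECRET)
# The same request signed with a token secret in the key gives a different
# signature, not the one the empty-string rule yields for this step.
SIG_WITH_TOKEN_SECRET = sign("POST", REQUEST_TOKEN_URL, REQUEST_TOKEN_PARAMS,
                             CONSUMER_SECRET, DASHBOARD_TOKEN_SECRET)

if __name__ == "__main__":
    print(signing_key(CONSUMER_SECRET))
    print(SIG_STEP1, SIG_WITH_TOKEN_SECRET)
```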