Twitter- Obtaining a request token Response 401 - POST


#1

I’m trying to create an app with Twitter and I’m stuck on the first step.

I’m trying to POST to https://api.twitter.com/oauth/request_token, but every time I get a 401.

I’m using a variant of Apache Commons HTTPClient’s POST method, very specific to my tool, so I’ll just post the high-level picture.

My Header: 'oAuth '+
'oauth_callback="oob",'+
'oauth_consumer_key="zhaD2Y6RrQaaZQSz21RShA",'+// fake
'oauth_nonce="'+ <random string of 32Characters> +'",'+
'oauth_signature="'+ a.signature +'",'+
'oauth_signature_method="HMAC-SHA1",'+
'oauth_timestamp="'+ +'"';

I’m generating the Signature in this method:

Step 1: Percentage-encoding the key-value pairs and appending them as given on Twitter’s signature page.

Step 2: Appending POST and the URL, after percentage encoding. This is what I’m left with:

POST&https%3A%2F%2Fapi.twitter.com%2Foauth%2Frequest_token&oauth_callback%3Doob%26oauth_consumer_key%20%3D%20zhaD2Y6RrQaaZQSz21RShA%26oauth_nonce%3DkYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1318622958,

So far so good…

My problem starts here. The next step is signing the key, and it needs two things:

Consumer Secret of your application
The access token (as this https://dev.twitter.com/docs/auth/creating-signature page says)

Append these two with & and then do an HMAC-SHA1. But how do I get my access token?

I’m yet to send my POST to Twitter, right? Does access token here mean the Bearer token?

The page doesn’t even mention how to get the access token (it actually does, but I’m doing a POST to get this access token, right?!)

Thanks for all your help!


#2

On the first step of “the OAuth Dance” for oauth/request_token you don’t have an oauth_token or oauth_token_secret yet… in this case, the composite signing key’s algorithm is the same though:

“{$consumerSecret}&{$accessTokenSecret}”

In this case, your accessTokenSecret is null, or an empty string, so your signing key ends up just terminating at the ampersand:

“{$consumerSecret}&”

What can be really confusing here is that the parameters/attributes “oauth_token” and “oauth_token_secret” are different kinds of tokens depending on context. When done with oauth/request_token, your oauth_token/oauth_token_secret pair are the “request token,” which you then exchange for a new pair, the access token. The signature generation algorithm doesn’t really care which kind of token an oauth_token is or which stage of the process you’re in.
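
The signing-key rule from reply #2, as an added example that is not part of the original thread: it signs an oauth/request_token call with an empty token secret, so the HMAC-SHA1 key is the consumer secret followed by a bare ampersand. The function names and the consumer secret are constructed for illustration; the consumer key (marked fake in the question), nonce and timestamp are the ones from the question's base string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"

# Values from the question; the signature itself is never part of the base string.
SAMPLE_PARAMS = {
    "oauth_callback": "oob",
    "oauth_consumer_key": "zhaD2Y6RrQaaZQSz21RShA",
    "oauth_nonce": "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1318622958",
}


def pct(value: str) -> str:
    """Percent-encode per RFC 3986: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Encode each key and value, sort, join as k=v&k=v, then encode that string again.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    # The ampersand is always present, even when there is no token secret yet.
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(method: str, url: str, params: dict,
         consumer_secret: str, token_secret: str = "") -> str:
    base = signature_base_string(method, url, params).encode("ascii")
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode("ascii")


if __name__ == "__main__":
    # "constructed-secret" is a constructed placeholder, not a real consumer secret.
    print(signing_key("constructed-secret"))
    print(signature_base_string("POST", REQUEST_TOKEN_URL, SAMPLE_PARAMS))
    print(sign("POST", REQUEST_TOKEN_URL, SAMPLE_PARAMS, "constructed-secret"))
```

The same `sign` call covers the later steps of the flow: pass the request token's or access token's secret as `token_secret` and add `oauth_token` to the parameters.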


#3

Thanks mate, exactly what I was looking for!